
VME Broken on AMD Ryzen - monocasa
http://www.os2museum.com/wp/vme-broken-on-amd-ryzen/
======
pcwalton
This may be an unpopular opinion, but making ancient x86 features unreliable
strikes me as a good thing. Virtual 8086 mode is an awful virtualization
solution, as you can't enter protected mode from within it. This makes it only
good for running a subset of DOS apps: either real-mode-only apps or those
written to an unspecified subset of DPMI [1]. Ryzen CPUs are easily fast
enough to emulate them. And if that's not enough, x86 has had _real_
virtualization for years now, with a functioning protected mode (and long
mode!) in addition to real mode.

We're long overdue for a simplification of the PC platform. Having CPUs out
there with broken legacy features accelerates the migration away from those
features. Hopefully this leads to dropping them outright at some point.

[1]:
[https://en.wikipedia.org/wiki/DOS_Protected_Mode_Interface#H...](https://en.wikipedia.org/wiki/DOS_Protected_Mode_Interface#History)

~~~
rdmsr
One of the big selling points of x86 is backwards compatibility. If you have
some OS from 1990 you can still run it (without emulation or virtualization,
so long as it doesn't depend on clock speed), which is pretty crazy.

Slight aside, there are a lot of reasons that Itanium failed, but certainly
one of them was lack of backwards compatibility.

~~~
pcwalton
Itanium was _extraordinarily_ backwards incompatible. There's an enormous gulf
between "runs software from the 80s" (which is something the PC platform only
pretends to do anyway, because peripherals now are incompatible) and "can't
run Windows at all". Breaking v8086 mode wouldn't prevent modern Windows from
working (which is in fact why this bug wasn't noticed). You can't even enter
it from long mode to begin with!

~~~
merb
Actually my Windows 10 installation didn't use UEFI. (I had a really old
machine.) Basically I upgraded to Ryzen. I don't think it will be easy
to migrate to UEFI straight.

------
namuol
> As incredible as it is, Ryzen has buggy VME implementation; specifically,
> the INT instruction is known to misbehave in V86 mode with VME enabled when
> the given vector is redirected

It's much more incredible to me that our computers work, at all.

------
userbinator
_As incredible as it is, Ryzen has buggy VME implementation_

What I find more incredible is that this bug could get by without being
noticed. A CPU literally has billions of possible regression tests --- all the
world's existing software --- and of everyone working on the project, not a
single one thought to try some older software (XP/2k3 is not even that old, as
far as x86 compatibility is concerned) to see if it worked? This is an old
feature too, meaning it should've been well-characterised by now. I'm
particularly surprised that FreeDOS is affected, since it's commonly used as a
minimal "non-OS" OS for running things like low-level diagnostics and
debugging of hardware.

This begs the question: if old features are this broken, what about the new
ones (for which there is far less software available to test them with)? I
think the most recently discovered one was
[https://news.ycombinator.com/item?id=13924192](https://news.ycombinator.com/item?id=13924192)

~~~
qb45
> This begs the question: if old features are this broken, what about the new
> ones

You can find so called "specification updates", which - as the name implies -
update the specs to match actually released hardware ;)

Available for all CPU families from both Intel and AMD, they easily go into
tens or hundreds of positions. (Though I haven't seen the Ryzen one released
yet.)

And then somebody recently linked this (2010) - allegedly there are bugs
exploitable for privilege escalation:

[http://cs.dartmouth.edu/~sergey/cs258/2010/D2T1%20-%20Kris%2...](http://cs.dartmouth.edu/~sergey/cs258/2010/D2T1%20-%20Kris%20Kaspersky%20-%20Remote%20Code%20Execution%20Through%20Intel%20CPU%20Bugs.pdf)

~~~
dom0
> Transfer of the file you were trying to download or upload has been blocked
> in accordance with company policy. Please contact your system administrator
> if you believe this is in error.

That comes from their end.

~~~
qb45
Weird, maybe you are IP banned or it actually is some corp firewall on your
side.

It's a conference presentation titled "Remote Code Execution through Intel CPU
Bugs" by Kris Kaspersky and Alice Chang. Google finds copies elsewhere.

I can't say that I see how the "remote" part could possibly work, but as for
local exploitation, errata often state that things like "data corruption" or
"unpredictable behavior" can happen under "certain internal conditions" so
this stuff may be exploitable if one can execute arbitrary instructions which
trigger these internal conditions.

~~~
dom0
Thanks. This link works for me:
[https://zadereyko.info/downloads/library/D2T1_Kris_Kaspersky...](https://zadereyko.info/downloads/library/D2T1_Kris_Kaspersky_Remote_Code_Execution_Through_Intel_CPU_Bugs.pdf)

------
KenoFischer
Yeah, modern CPUs have tons of bugs in the obscure corners of the
architecture. The x86 boot process is an amazing amalgamation of all the
legacy CPUs of the past two decades. This does seem fixable in microcode
though, so presumably they'll just do that. I very much agree with the other
comments though that at some point we should just get rid of all of that junk
and use software emulation.

------
m_mueller
So if I get this correctly, as long as the Host OS is 64bit we're fine, since
VME isn't supported on that anyways? I'm thinking 32bit hosts running VMs of
any sort should be an increasingly rare case, but nevertheless it's going to
be interesting to see if and when AMD releases a fixed version.

~~~
yuhong
It can affect 32-bit guest OSes running on 64-bit hosts, and that is how they
discovered the bug.

~~~
mrb
A 64-bit host, running a 32-bit guest, itself running a 16-bit app. This
scenario can run into the VME bug.

~~~
brownbat
Any exploitation scenarios here?

Could you package a trimmed down version of that stack up and cause a reliable
crash on Ryzens operating on a more typical platform?

Maybe it becomes a bit of a rube goldberg malware at that point...

------
pja
Am I the only one who thinks that it’s not particularly incredible that a new
CPU that implements the ridiculously complex (for good reasons, but still) x86
instruction set with all its historical baggage has bugs?

_Every_ x86 has had errata. Why should we expect Ryzen to be any different?
"As incredible as it is..." seems a bit of an over-reaction to me.

~~~
c0nfused
People think that the world is a perfect black-and-white place where
everything that works is perfect and everything else is garbage.

Typically, the person reporting this sort of %^&* has an agenda, ranging from
"fixit fixit fixit" to "I only buy the competition and so should you". The
knowledge is good to have if you are into doing crazy old things with new
hardware. But the hyperbolic "the world is ending" bit you should just ignore.

------
api
In other news, crank-to-start mode is broken on the Tesla Model S.

------
amluto
Linux should be immune simply because it doesn't use VME.

~~~
zAy0LfpBZLC8mAC
I think dosemu does?

~~~
amluto
DOSEMU uses virtual 8086 mode but not VME. The Linux kernel never bothered
implementing VME.
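The sub-thread above turns on whether a given system ever touches VME at all: the CPU advertises it through CPUID, but only software that enables it for a virtual-8086 guest can hit the INT-redirection misbehaviour the article describes. As an added example, not part of this thread or the os2museum article, here is a small inventory script that reads `/proc/cpuinfo`-style text, reports which processors advertise the `vme` flag, and singles out Ryzen-class parts. The sample cpuinfo text is constructed, and the mapping "Ryzen is AMD family 23 (17h)" is the example's own assumption rather than something stated in the thread.

```python
"""Inventory check: which CPUs advertise VME, and which are Ryzen-class parts?

Added example. Parses /proc/cpuinfo-style text (constructed sample below) and
decodes the raw CPUID leaf 1 EDX bit that the 'vme' flag is derived from.
"""
import os
import re

# CPUID.(EAX=1):EDX bit 1 is the VME (Virtual-8086 Mode Extensions) feature bit.
CPUID_1_EDX_VME = 1 << 1

# Constructed sample in /proc/cpuinfo layout, NOT captured from real hardware.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 1
model name\t: AMD Ryzen 7 1700X Eight-Core Processor
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 94
model name\t: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
"""


def cpuid_leaf1_has_vme(edx):
    """True if a raw CPUID leaf 1 EDX value has the VME bit set."""
    return bool(edx & CPUID_1_EDX_VME)


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of key -> value per processor block."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if entry:
            cpus.append(entry)
    return cpus


def vme_advertised(cpu):
    """The kernel exports the CPUID VME bit as the 'vme' token in 'flags'."""
    return "vme" in cpu.get("flags", "").split()


def is_zen_family(cpu):
    # Assumption of this example: Ryzen parts report AMD family 23 (0x17).
    return cpu.get("vendor_id") == "AuthenticAMD" and cpu.get("cpu family") == "23"


def classify(cpu):
    """Coarse exposure class for one processor entry.

    'ryzen-vme-advertised': Ryzen-class CPU that advertises VME; a hypervisor or
        32-bit kernel running v86 tasks with CR4.VME set could hit the reported bug.
    'vme-advertised': VME present but not a Ryzen-class part.
    'no-vme': feature not advertised; nothing can enable it.
    Note that a 64-bit host kernel never enters v86 mode itself, so the class is
    about what software on the machine *could* enable, not what is in use.
    """
    if not vme_advertised(cpu):
        return "no-vme"
    if is_zen_family(cpu):
        return "ryzen-vme-advertised"
    return "vme-advertised"


def report(text):
    """Return (processor id, model name, class) for every processor block in text."""
    return [
        (cpu.get("processor", "?"), cpu.get("model name", "?"), classify(cpu))
        for cpu in parse_cpuinfo(text)
    ]


if __name__ == "__main__":
    # Use the live file where it exists, otherwise fall back to the constructed sample.
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CPUINFO
    for proc, name, cls in report(text):
        print(f"cpu {proc}: {name} -> {cls}")
```

The script only answers "does this CPU advertise VME and is it the affected family"; whether the bug is reachable still depends on something (a 32-bit guest kernel, a DOS extender under a hypervisor) actually setting CR4.VME for a v86 task, which is why a plain 64-bit Linux host, or DOSEMU, which uses v86 mode without VME, stays out of reach of it.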

------
brownbat
Ryzen 7s cannot seem to find their level, I wonder if this will drive the
price down even further, or if it's too specific for anyone to notice.

[https://pcpartpicker.com/product/9Q98TW/amd-ryzen-7-1700x-34...](https://pcpartpicker.com/product/9Q98TW/amd-ryzen-7-1700x-34ghz-8-core-processor-yd170xbcaewof)

------
dis-sys
AMD should just drop the support for VME. There is no need to carry such
baggage in 2017. If you need to run your legacy systems that require VME: buy
yourself a processor designed in 2016.

------
faragon
Ryzen is amazing, I hope AMD fixes this via BIOS update for motherboards, so
the updated microcode can be loaded before the OS boots.

------
Dolores12
They will issue a patch for the processor that will fix it. Just another bug.

------
sneak
I misread VME as VMX at first. Totally different.

~~~
yuhong
This really should have "(virtual 8086 mode)" in the title.

~~~
Narishma
That would be inaccurate. VME is an extension of virtual 8086 mode.

