Would G/QZDoom be affected w/ the inevitable Intel patch?

[4thcharacter]

There is this big news with Intel having a bug on all of their processor chips' feature that can be exploited and lead to your PC being bruteforced:

https://www.theregister.co.uk/2018/01/0 ... sign_flaw/

Linux (and Windows is following suit) has already provided a fix for it that disables the offending exploitable feature but at the cost of lessening the performance by 5-30%. Would this get in the way with GZDoom?

[R4L]

The flaw is kernel based, so yeah, everything will be affected.

[Chris]

The flaw is in Intel's CPU hardware, although the patch is in the kernel to avoid the hardware flaw. Currently, the most overhead from the fix comes from context switching. that is switching to and from user and kernel code. Games don't seem to be majorly affected, since context switches were already not ideal for performance and so tend to be avoided as much as possible anyway. I don't imagine GQZDoom to be much different, but until someone actually tests, we won't know for sure.

[Rachael]

The software renderer appears to not likely be as affected as the OpenGL renderer might be in this case. (I initially thought it does a lot of thread creation and destruction - but that appears to not be the case - in fact, the extra render threads wait patiently on standby when r_multithreaded is flipped)

It also makes a lot of OpenGL calls very frequently, but that depends a lot on driver implementation. From what little I understand about GPU drivers, NVidias likely won't be affected as heavily as AMD's and Intels will, but it depends on how often the kernel has to take control of the process (which, when the driver does start the actual drawing, will happen at least once every frame - but that "once" is not going to be the performance killer).

So yes, I do expect a performance impact, but the actual extent of it will have to be measured. It may be negligible, it may not be.

[dpJudas]

I'd say for the software renderer the impact should be minimal. It does not do any kernel requests and the drawer threads are only synced once or twice per frame.

For the GL renderer it gets a bit more tricky. OpenGL has a command queue that gets filled and once full it gets delivered to the GPU. The command queue is being filled by user space driver code, while the handoff to the GPU is done by a kernel side part of the driver (DrvPresentBuffers). The high amount of drawcalls in GZDoom might cause the command queue to get filled faster than for most other games. As a result, it is possible most source ports will be hit harder than the typical modern game.

[Nevander]

Time to not update it. I hate when this kind of thing happens. They go and fuck something up and then put us in this position where we have to lose performance for stuff or else have an insecure system. How is that even possible anyway? How the hell can a computer be hacked through the CPU?

[Chris]

How the hell can a computer be hacked through the CPU?

Because the CPU handles the core virtualization and protection features that prevent applications from doing things they shouldn't. Virtual memory pages are handled on the CPU so that processes see a flat memory range, and can efficiently access the memory that those pages refer to. All "direct" memory accesses by applications are done through these pages, transparently handled by the CPU with the kernel having special permissions to modify them. But even hardware has bugs. In this particular case, specially-crafted code can trick the CPU into reading a memory page the process wouldn't normally be able to read. The process doesn't actually get to "see" the memory, but it can infer what it is based on what it caused the processor to do.

This post explains it, though it will be gibberish if you're not tech-minded, and maybe even if you are (even I have trouble grasping the details).

[Rachael]

Time to not update it.

Good idea. Let me know how losing your email accounts goes just because you visited an unsavory website on accident one day goes.

[Reactor]

How much degree this flaw can be exploited? I mean, it required a significant amount of time & knowledge of the best technicians to discover this. So, if this problem is exploitable technically, but not financially for your everyday "l33t h4xx0r", then I guess it's not that dangerous.

[Kotti]

How much degree this flaw can be exploited?

Hard to say without more detailed info. But from what I understand it requires machine code that has been specifically written to exploit the flaw. Which means that it isn't something that can be easily abused directly over the internet and requires a dedicated program to run on your machine.

But you can rest assured that the typical crapware that is all over the internet just waiting to be installed on computers from unsuspecting users will soon add 'support' for this exploit. I do not expect this to become a major issue for people who are careful what places in the internet they visit.

My worries here are different. I have been having problems with Windows Update working on my computer and had to disable it because even reinstalling Windows did not fix the problem. It made just one update and afterward got stuck again. In earlier times it was possible to selectively uninstall single patches to find out whch one broke it but that no longer works. The last time Windows just downloaded one large cumulative patch which could not be split into its parts.

[Nevander]

Good idea. Let me know how losing your email accounts goes just because you visited an unsavory website on accident one day goes.

Not going to happen. I don't visit unsavory websites, even on accident. I always check where links go and if I have to visit one I'm not familiar with, I scan it with VirusTotal and even then sometimes only visit it inside a virtual machine. I've visited a shit load of random sites on that VM and never once gotten a virus.

Besides, how exactly would visiting a site make me lose my email accounts?

[Rachael]

It was a bit hyperbolic but it's a real threat. Unpatched browsers used to have javascript exploits up the wazoo that allowed all sorts of fuckery - including taking your cookies from another site and logging into that site using your credentials (example: banking, email, etc). This isn't theoretical - this was actually done on multiple occasions.

With a blasé attitude as you have about security, you'll find out the hard way soon enough just how serious this kind of thing can be. I am sorry - but that's just how it is.

How bad can it be? Just imagine if your browser has a zero-day exploit that you don't know about that can take advantage of itself - and the meltdown bug. That's your system's private kernel space exposed to an attacker. And the kernel space is the whole system.

So...

Not going to happen.

I really doubt that.

EDIT:
To make matters worse, some higher grade virus scanners do unprivileged execution of suspect code, to try and catch it "in the act", so to speak. These virus scanners would be vulnerable to this bug, as would a virtual machine which does basically the same thing anyway.

[Reactor]

No need to worry, Eruanna - Intel or Microsoft shall release a removal tool for it extremely soon. Remember the OneHalf and the W32.Blaster-Worm crisis? Both viruses were something completely new and original, antivirus softwares were helpless against them, and they indeed did a lot of damage. In a few weeks, however, free removal tools were provided to the public, and so the threat was nullified. The situation is even better now, since technicians could identify this CPU flaw before some asswipe could exploit it. Even though I'm relentlessly pessimistic, I believe this problem can be eradicated without complications.

[Rachael]

The situation is even better now, since technicians could identify this CPU flaw before some asswipe could exploit it. Even though I'm relentlessly pessimistic, I believe this problem can be eradicated without complications.

That isn't the problem. Hackers take advantage of people who say things like this...

Good idea. Let me know how losing your email accounts goes just because you visited an unsavory website on accident one day goes.

Not going to happen. I don't visit unsavory websites, even on accident. I always check where links go and if I have to visit one I'm not familiar with, I scan it with VirusTotal and even then sometimes only visit it inside a virtual machine. I've visited a shit load of random sites on that VM and never once gotten a virus.

Besides, how exactly would visiting a site make me lose my email accounts?

Hackers will smile, take one look at a post like this and say - "this person is a walking gold mine." Ask ANY experienced programmer.

[Nevander]

Hackers will smile, take one look at a post like this and say - "this person is a walking gold mine." Ask ANY experienced programmer.

Except for the fact that I don't even store anything of value on my computer. Any hacker wouldn't find anything they could use to steal money or anything. They'd just find a bunch of music and Doom shit on my PC. I secure all my important data the old fashioned way, on paper. Also take into account that unlike 90% of computer users, I'm not a fucking idiot who randomly clicks on everything and falls for the most basic of scams and phishing attempts. Not to mention, I keep my computer disconnect from the internet about 80% of the time when I'm not doing something important, so I'd like to see a hacker try to hack what they can't reach.

I reiterate, not going to happen. Doubt all you want, you're wrong.