And, like, the fact that AMD released an urgent patch for it should kind of speak to the severity of the issue in the first place. AMD doesn't patch "sudo lets you do root things", obviously, so it necessarily must have been more than that, and this was obvious even at the time. But we have to go through this dance with literally every single AMD exploit.

AMD has a unpatched exploit in all Zen3 and below processors that leaks data from kernel at a faster rate than meltdown did. It was discovered by the same researchers that discovered meltdown. AMD has chosen to leave that unpatched, and put out a weaselly deflection about "it doesn't cross address boundaries" but they also still refuse to turn KPTI on by default because it would hurt their benchmarks. And without KPTI there is no address boundary to cross, that's the weaselly part. AMD very craftily made it sound like they're saying there's not an issue, but in fact they are fully confirming the finding from the researcher, including the suggested mitigation (enabling KPTI), they just don't recommend that you do it. The statement is deliberately short to avoid inclusion of too many details that might dispel these misleading impressions.

https://www.usenix.org/system/files/sec22summer_lipp.pdf

https://www.amd.com/en/resources/product-security/bulletin/a...

proof of concept: https://github.com/amdprefetch/amd-prefetch-attacks/blob/mas...

tested a few months ago and it's still working: https://news.ycombinator.com/item?id=40850526

This follows that same researcher (who previously discovered meltdown) uncovering a prior series of vulnerabilities in the cache ways predictor that also nullify KASLR... which AMD refused to patch because it "didn't leak actual data, only metadata"... the metadata being the page-table layouts. That one is still unpatched too - as the researchers note, AMD never actually mitigated this either, just more weasel words.

https://www.tomshardware.com/news/new-amd-side-channel-attac...

https://mlq.me/download/takeaway.pdf

(this one literally doesn't even seem to have a security bulletin page for itself so I guess they have fully shoved this one down the memory hole now, but here's the news item from wayback) http://web.archive.org/web/20200325045817/https://www.amd.co...

After 6+ years of watching the community defend this behavior, downplay exploits from their favorite megacorporation, etc, it just gets old. Not liking how CTS labs did it or whatever is fine. It doesn't mean there's not a serious exploit, and so often that is where people end up with these AMD exploits, they like AMD so much that they argue against the existence or significance of the exploit, attack the researchers or whine about research grants, etc.

"Does this really deserve this CVE score" is a constant refrain in AMD vuln threads and it just gets so old. As tptacek noted... intel ME vulns are frontpage news and have people asking where they can buy a processor without ME in it. Literally nobody cares that AMD has had these vulnerabilities left open and unmitigated for years and years even though they're actually worse (as judged by the researcher who found both these issues and meltdown).

People would have flipped the fuck out if Intel left meltdown unpatched and released misleading statements implying that it wasn't an issue etc. It is wild just how much AMD is playing on story-mode difficulty with the average enthusiast, and honestly most people don't even realize they're doing it. And that drives me nuts - just decide if security issues are a problem or not, and if the answer is "not" then let's just turn all the mitigations off and see how long they remain un-exploited. If we want to have the security version of the drug-assisted olympics then fine, there is value in having dragsters that just do the thing as quickly as possible, right? But the double-standard people apply to anything AMD is crazy. Talk about your "tyranny of low expectations".