Headline
CVE-2021-41614: The EPCR register is accessible from user mode · Issue #140 · openrisc/mor1kx
An issue was discovered in the controller unit of the OpenRISC mor1kx processor. The read/write access permissions to the Exception Program Counter Register (EPCR) are not implemented correctly. User programs from an unauthorized privilege level can make read/write accesses to EPCR.
The OpenRISC specification requires that the EPCR register be accessible only from supervisor mode.
Bug location: rtl/verilog/mor1kx_ctrl_cappuccino.v
Triggering input:
#include <stdio.h>
int main() {
// enter user mode :
asm volatile ( "l.ori r17,r0,0x0000 ");
asm volatile ( “l.mtspr r0,r17,0x3806”);
asm volatile ( "l.mfspr r17,r0,0x11 ");
asm volatile ( "l.andi r17,r17,-2 ");
asm volatile ( "l.mtspr r0,r17,0x11 ");
// padding the seed code
asm volatile( "l.nop 0x0 ");
asm volatile( "l.nop 0x0 ");
asm volatile( "l.nop 0x0 ");
asm volatile( "l.nop 0x0 ");
asm volatile (“l.addi r1,r0,1”);
asm volatile (“l.mfspr r2,r0,32”);
asm volatile (“l.mtspr r0, r1, 32”);
return 0;
}
The or1ksim fails to execute the mfspr while the mor1kx implementation can successfully write into EPCR using the mtspr instruction.
Please check this bug.
Related news
An issue was discovered in the ALU unit of the OpenRISC mor1kx processor. The carry flag is not being updated correctly for the subtract instruction, which results in an incorrect value of the carry flag. Any software that relies on this flag may experience corruption in execution.