CVE-2021-41612: New vulnerabilities detected by our hardware fuzzer, TheHuzz

Our hardware fuzzer TheHuzz detected eight new vulnerabilities of which five of them are assigned with CVEs: CVE-2021-40506, CVE-2021-40507, CVE-2021-41612, CVE-2021-41614, and CVE-2021-41613. These bugs are listed in Table 1 on page 10 of the TheHuzz paper. For your convenience, here is the mapping between the bugs in the paper and the CVEs assigned to the bugs:

• CVE-2021-41612 –> B5: Incorrect implementation of the logic to generate the carry flag
• CVE-2021-41614 –> B6: Read/write access checking not implemented for privileged register
• CVE-2021-41613 –> B7: Incomplete implementation of EEAR register write logic
• CVE-2021-40506 –> B9: Incomplete update logic of overflow bit for MSB & MAC instructions
• CVE-2021-40507 –> B10: Incorrect implementation of the logic to generate the overflow flag

Here is a detailed description of these five vulnerabilities:

Fields

B5 (CVE-2021-41612)

B6 (CVE-2021-41614)

B7 (CVE-2021-41613)

CNA-covered product?

No

No

No

Is this an existing CVE?

No

No

No

Vulnerability type

CWE-1201: Core and Compute Issues – (1201)

CWE-1198: Privilege Separation and Access Control Issues – (1198)

CWE-1201: Core and Compute Issues – (1201)

Vendor of the product

openRISC

openRISC

openRISC

Affected product(s)/ code base

mor1kx processor (https://github.com/openrisc/mor1kx).
From commit ID 95eee0596a160ffdfd8ee6bc8b88268b2e49ec5e to commit ID 76ea4e8c3fd64e8c6d346ea391b8fd5c95b4f351 on master branch are affected.

mor1kx processor (https://github.com/openrisc/mor1kx).
From commit ID 95eee0596a160ffdfd8ee6bc8b88268b2e49ec5e to commit ID e51654a40c49d0bc0ff30f1a8d8586c7dd443a08 on master branch are affected.

mor1kx processor (https://github.com/openrisc/mor1kx).
From commit ID 95eee0596a160ffdfd8ee6bc8b88268b2e49ec5e to commit ID e51654a40c49d0bc0ff30f1a8d8586c7dd443a08 on master branch are affected.

Has vendor confirmed or acknowledged the vulnerability?

Yes

Yes

Yes

Attack type

Context-dependent

Local

Context-dependent

Impact

Data or control flow corruption

Escalation of Privileges

Data or control flow corruption

Affected component(s)

ALU of the processor

Privilege registers of the processor

Privilege registers of the processor

Attack vector(s)

Any software code using the carry flag value in its control or data path following the subtract instructions can be used as a source of corruption in execution.

The return from exception (rfe) instruction causes the processor to jump to the location stored in EPCR register and restores the privilege state of the processor with the value stored in Exception Status Register (ESR).

The attacker can set EPCR with the exploit code location while the processor privilege stored in ESR is machine mode and execute the rfe instruction.
This can cause privilege escalation and execution of attacker exploit code in the machine mode.

EEAR stores the effective address (EA) of the instruction that caused an exception. Any exception handling routine that writes to EEAR will be ineffective as the data cannot be written to EEAR.

Suggested description of the vulnerability for use in the CVE

An issue was discovered in the ALU unit of the mor1kx processor. The carry flag is not being updated correctly for the subtract instruction, which results in an incorrect value of the carry flag. Any software that relies on this flag may experience corruption in execution.

An issue was discovered in the controller unit of the mor1kx processor. The read/write access permissions to the Exception Program Counter Register (EPCR) are not implemented correctly. User programs from unauthorized privilege level can make read/write accesses to EPCR.

An issue was discovered in the controller unit of the mor1kx processor. The write logic of Exception Effective Address Register (EEAR) is not implemented correctly. User programs with authorized privilege level will be unable to write to EEAR.

Github issue

https://github.com/openrisc/mor1kx/issues/139

https://github.com/openrisc/mor1kx/issues/140

https://github.com/openrisc/mor1kx/issues/141

Additional information

Location: mor1kx_execute_alu.v (https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v).

Triggering input:

//set r1=00020000 and r3=00002000

 l.sub    r4,r1,r3 

Expected output:

           Carry flag = 0

mor1kx output:

          Carry flag = 1

Location: mor1kx_ctrl_cappuccino.v (https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v).

Details: The OpenRISC specification requires that the EPCR register be accessible only from supervisor mode.

Triggering input:

#include <stdio.h>

int main() {

// enter user mode :

asm volatile ( “l.ori r17,r0,0x0000 “);

asm volatile ( “l.mtspr r0,r17,0x3806”);

asm volatile ( “l.mfspr r17,r0,0x11 “);

asm volatile ( “l.andi r17,r17,-2 “);

asm volatile ( “l.mtspr r0,r17,0x11 “);

// padding the seed code

asm volatile( “l.nop 0x0 “);

asm volatile( “l.nop 0x0 “);

asm volatile( “l.nop 0x0 “);

asm volatile( “l.nop 0x0 “);

asm volatile (“l.addi r1,r0,1”);

asm volatile (“l.mfspr r2,r0,32”);

asm volatile (“l.mtspr r0, r1, 32”);

return 0;

}

The or1ksim fails to execute the mfspr while the mor1kx implementation can successfully write into EPCR using the mtspr instruction.

Location: mor1kx_ctrl_cappuccino.v (https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v), line 830 to 840.

Details: The OpenRISC specification requires that the EEAR register be accessible from the supervisor mode but the mor1kx implementation does not have the option to write to EEAR with the mtspr instruction even from the supervisor mode.

Fields

B9 (CVE-2021-40506)

B10 (CVE-2021-40507)

CNA-covered product?

No

No

Is this an existing CVE?

No

No

Vulnerability type

CWE-1201: Core and Compute Issues – (1201)

CWE-1201: Core and Compute Issues – (1201)

Vendor of the product

openRISC

openRISC

Affected product(s)/ code base

OR1200 processor

OR1200 processor

Has vendor confirmed or acknowledged the vulnerability?

Yes

Yes

Attack type (Context-dependent/local/physical/remote/other)

Context-dependent

Context-dependent

Impact (Code execution/Information disclosure/Denial of Service/other/escalation of privileges)

Other (Data or control flow corruption)

Other (Data or control flow corruption)

Affected component(s)

ALU of the processor

ALU of the processor

Attack vector(s)

Any software code using the overflow flag value in its control or data path following the msb or mac instructions can be used as a source of corruption in execution.

Any software code using the overflow flag value in its control or data path following the subtract instruction can be used as a source of corruption in execution.

Suggested description of the vulnerability for use in the CVE

An issue was discovered in the ALU unit of the OR1200 processor. The overflow flag is not being updated for the msb and mac instructions which results in an incorrect value in the overflow flag.

An issue was discovered in the ALU unit of the OR1200 processor. The overflow flag is not being updated correctly for the subtract instruction which results in an incorrect value in the overflow flag.

Additional information

Location: or1200_alu.v (https://github.com/openrisc/or1200/blob/master/rtl/verilog/or1200_alu.v), line 357 to 376Details: It can be seen in the always block that the overflow bit is only updated for the add and sub instructions. Triggering input: l.add r1, r0, r0l.add r2, r0, r0l.macrc r3l.div r4, r1, r2l.msb r1, r2

Expected output:

MACHI = 0

MACLO = 0

r1 = 0

r2 = 0

Overflow = 0

or1200 output:

MACHI = 0

MACLO = 0

r1 = 0

r2 = 0

Overflow = 1

Location: or1200_alu.v (https://github.com/openrisc/or1200/blob/master/rtl/verilog/or1200_alu.v), line 171 to 178

Details: The logic used to compute the overflow flag is incorrect for certain values of operands of the subtract instructions.

Triggering input:

l.add r1, r0, r0

l.addi r2, r0, 0x47d4

l.sub r3, r1, r2

Expected output:

r1 = 0

r2 = 0x47d4

r3 = 0xffffb82c

Overflow = 0

or1200 output:

r1 = 0

r2 = 0x47d4

r3 = 0xffffb82c

Overflow = 1