The OpenRISC specification requires that the EPCR register be accessible only from supervisor mode.

Bug location: rtl/verilog/mor1kx_ctrl_cappuccino.v

Triggering input:

```c
#include <stdio.h>

int main() {
    // enter user mode :
    asm volatile ( "l.ori r17,r0,0x0000 ");
    asm volatile ( "l.mtspr r0,r17,0x3806");
    // SPR 0x11 is SR; bit 0 is SM (supervisor mode)
    asm volatile ( "l.mfspr r17,r0,0x11 ");
    asm volatile ( "l.andi r17,r17,-2 ");
    asm volatile ( "l.mtspr r0,r17,0x11 ");
    // padding the seed code
    asm volatile( "l.nop 0x0 ");
    asm volatile( "l.nop 0x0 ");
    asm volatile( "l.nop 0x0 ");
    asm volatile( "l.nop 0x0 ");
    // SPR 32 is EPCR0: read it, then write it, from user mode
    asm volatile ("l.addi r1,r0,1");
    asm volatile ("l.mfspr r2,r0,32");
    asm volatile ("l.mtspr r0, r1, 32");
    return 0;
}
```

The or1ksim fails to execute the mfspr while the mor1kx implementation can successfully write into EPCR using the mtspr instruction.
Please check this bug.
Hello, thanks for your bug report and your mail. Mail: https://lists.librecores.org/pipermail/openrisc/2021-September/003306.html
I think we will find a lot of registers that are missing protection in user mode. It may be good to list them all in one place. Looking at the code I also see:
I think that while fixing these we should add a test to our or1k-tests that verifies the correctness.
CVE-2021-41614 was assigned to this issue.
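
The reported behaviour can be reproduced on a host machine with a small behavioural model. This is an added example, not part of the thread and not code from mor1kx, or1ksim or or1k-tests; the `core` struct, the `gate` flag and the starting EPCR0 value are hypothetical, and only SR and EPCR0 are modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* From the reproducer: SPR 0x11 is SR, SPR 32 is EPCR0; SR bit 0 is SM. */
#define SPR_SR    0x11u
#define SPR_EPCR0 32u
#define SR_SM     0x1u

/* Hypothetical core model; `gate` selects whether the privilege check exists. */
struct core { uint32_t sr, epcr0; bool gate; unsigned denied; };

/* Assumption: only SR and EPCR0 are modelled, both treated as supervisor-only. */
static bool spr_allowed(const struct core *c, uint16_t spr) {
    bool sup_only = (spr == SPR_SR || spr == SPR_EPCR0);
    if (!c->gate || !sup_only) return true;  /* gate off: behaviour reported for mor1kx */
    return (c->sr & SR_SM) != 0;
}

/* A denied access changes nothing and is counted; how a real core signals it is not modelled. */
static void mtspr(struct core *c, uint16_t spr, uint32_t v) {
    if (!spr_allowed(c, spr)) { c->denied++; return; }
    if (spr == SPR_SR) c->sr = v;
    else if (spr == SPR_EPCR0) c->epcr0 = v;
}

static uint32_t mfspr(struct core *c, uint16_t spr) {
    if (!spr_allowed(c, spr)) { c->denied++; return 0; }
    if (spr == SPR_SR) return c->sr;
    return spr == SPR_EPCR0 ? c->epcr0 : 0;
}

/* Replays the issue's sequence (the 0x3806 write is not modelled).
   Returns the final EPCR0; 0x2000 is a constructed saved PC. */
static uint32_t replay(bool gate, unsigned *denied) {
    struct core c = { .sr = SR_SM, .epcr0 = 0x2000, .gate = gate, .denied = 0 };
    uint32_t r17 = mfspr(&c, SPR_SR);
    mtspr(&c, SPR_SR, r17 & ~SR_SM);   /* clear SM: enter user mode */
    (void)mfspr(&c, SPR_EPCR0);        /* l.mfspr r2,r0,32 */
    mtspr(&c, SPR_EPCR0, 1);           /* l.mtspr r0,r1,32 with r1 = 1 */
    *denied = c.denied;
    return c.epcr0;
}

int main(void) {
    unsigned d0, d1;
    uint32_t e0 = replay(false, &d0), e1 = replay(true, &d1);
    printf("no gate: EPCR0=0x%x denied=%u\n", (unsigned)e0, d0);
    printf("gated:   EPCR0=0x%x denied=%u\n", (unsigned)e1, d1);
    return 0;
}
```

Without the gate the user-mode write lands in EPCR0; with it, both user-mode accesses are refused and the saved value is unchanged, which is the property a regression test for this issue would assert.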