Subject: Quite a spectacular security bug
From: jgd (at) *nospam* cix.co.uk (John Dallman)
Groups: comp.arch
Date: 13. Aug 2024, 17:39:08
Organisation: A noiseless patient Spider
Message-ID: <memo.20240813173946.20940Y@jgd.cix.co.uk>
I occasionally scan the recent RISC-V news. A year ago, I was expecting
it to be in mass-market Android devices by the end of 2024, but that
isn't going to happen, for assorted good reasons.
I am quite impressed by the security bugs in Alibaba's T-Head processors,
although not in a good way.
On the C910 core, there's a flaw with use of the MMU that allows any
unprivileged process running native code to write anywhere in physical
memory, and to execute arbitrary code with kernel or machine privileges.
Fortunately, this is not a RISC-V architecture bug, but a problem in
Alibaba's nonstandard vector extensions. There appears to be no fix,
except to disable those extensions. This may be a little hard on Scaleway,
a French cloud provider who launched RISC-V service with great fanfare a
few months ago.
<https://ghostwriteattack.com/>
<https://www.theregister.com/2024/08/07/riscv_business_thead_c910_vulnerable/>
There's also a CPU freeze vulnerability in the C910, triggered by reading
from virtual address 0, which seems like something you might well be able
to do without native code.
The C908 and C906 cores have halt-and-catch-fire vulnerabilities.
I've just put Alibaba RISC-V on my "no way, not for a decade" list.
John