openrisc/mor1kx

The EPCR register is accessible from user mode

Rahul-Kande opened this issue · 3 comments

The OpenRISC specification requires that the EPCR register be accessible only from supervisor mode.
Bug location: rtl/verilog/mor1kx_ctrl_cappuccino.v

Triggering input:
    #include <stdio.h>
    int main() {
        /* enter user mode: */
        asm volatile ("l.ori r17,r0,0x0000");
        asm volatile ("l.mtspr r0,r17,0x3806");

        asm volatile ("l.mfspr r17,r0,0x11");   /* read SR (SPR 0x11) */
        asm volatile ("l.andi r17,r17,-2");     /* clear SR[SM], bit 0 */
        asm volatile ("l.mtspr r0,r17,0x11");   /* write SR back: CPU is now in user mode */
        /* padding the seed code */
        asm volatile ("l.nop 0x0");
        asm volatile ("l.nop 0x0");
        asm volatile ("l.nop 0x0");
        asm volatile ("l.nop 0x0");
        asm volatile ("l.addi r1,r0,1");
        asm volatile ("l.mfspr r2,r0,32");      /* read EPCR0 (SPR 32) from user mode */
        asm volatile ("l.mtspr r0,r1,32");      /* write EPCR0 from user mode */
        return 0;
    }

The or1ksim fails to execute the mfspr while the mor1kx implementation can successfully write into EPCR using the mtspr instruction.

Please check this bug.

Hello, thanks for your bug report and your mail.
Mail:
https://lists.librecores.org/pipermail/openrisc/2021-September/003306.html

I think we will find a lot of registers that are missing protection in user mode. It may be good to list them all in one place. Looking at the code I also see:

  • in mor1kx_ctrl_cappuccino, ESR, EVBAR, DMR1, DMR2, DSR, DRR, EEAR (as in #141)
  • in mor1kx_pic PICMR, PICSR
  • ITLB registers
  • DTLB registers

I think that while fixing these we should add a test to our or1k-tests that verifies the correctness.
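A small reference model of the privilege gate this thread is about, added here as an example; it is not code from the mor1kx repository or from or1k-tests. SPR numbers follow the OpenRISC 1.x encoding (group << 11 | index), the supervisor-only set is just the registers named in this thread, and modelling a refused access as an exception is an assumption of the model.

```python
class IllegalSprAccess(Exception):
    """Raised when a supervisor-only SPR is touched while SR[SM] == 0 (model assumption)."""

# OpenRISC 1.x SPR numbers: group << 11 | index.
SR = 0x011                       # supervisor register (group 0, index 17)
SR_SM = 1 << 0                   # SM bit: 1 = supervisor mode, 0 = user mode
EPCR0, EEAR0, ESR0, EVBAR = 0x020, 0x030, 0x040, 0x00B  # group 0 exception regs
DMR1, DMR2, DSR, DRR = 0x3010, 0x3011, 0x3014, 0x3015   # group 6 debug unit
PICMR, PICSR = 0x4800, 0x4802                           # group 9 PIC

# The registers named in this thread, collected in one place.
SUPERVISOR_ONLY = {SR, EPCR0, EEAR0, ESR0, EVBAR,
                   DMR1, DMR2, DSR, DRR, PICMR, PICSR}

class Cpu:
    """Minimal SPR file. gate=False mimics the reported mor1kx behaviour
    (no privilege check); gate=True is the spec-conformant behaviour."""
    def __init__(self, gate=True):
        self.gate = gate
        self.spr = {SR: SR_SM}   # reset state: supervisor mode

    def supervisor_mode(self):
        return bool(self.spr.get(SR, 0) & SR_SM)

    def _check(self, spr):
        if self.gate and spr in SUPERVISOR_ONLY and not self.supervisor_mode():
            raise IllegalSprAccess(f"SPR {spr:#06x} accessed from user mode")

    def mtspr(self, spr, value):           # l.mtspr r0,rB,K  -> SPR[K] = rB
        self._check(spr)
        self.spr[spr] = value & 0xFFFFFFFF

    def mfspr(self, spr):                  # l.mfspr rD,r0,K  -> rD = SPR[K]
        self._check(spr)
        return self.spr.get(spr, 0)

def run_reproducer(gate=True):
    """Replay the issue's triggering sequence: drop to user mode by clearing
    SR[SM], then read and write EPCR0. Returns "trapped" when the gate refuses
    the user-mode access, otherwise the value that landed in EPCR0."""
    cpu = Cpu(gate)
    sr = cpu.mfspr(SR)                     # l.mfspr r17,r0,0x11
    cpu.mtspr(SR, sr & 0xFFFE)             # l.andi r17,r17,-2 ; l.mtspr r0,r17,0x11
    try:
        cpu.mfspr(EPCR0)                   # l.mfspr r2,r0,32
        cpu.mtspr(EPCR0, 1)                # l.addi r1,r0,1 ; l.mtspr r0,r1,32
    except IllegalSprAccess:
        return "trapped"
    return cpu.spr[EPCR0]

if __name__ == "__main__":
    print("spec:", run_reproducer(gate=True), "| reported mor1kx:", run_reproducer(gate=False))
```

Running the same sequence against both models shows the difference the report describes: the gated model refuses the first user-mode EPCR0 access, the ungated one lets the write land.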

CVE-2021-41614 was assigned to this issue.