• Quite a spectacular security bug

    From John Dallman@21:1/5 to All on Tue Aug 13 17:39:00 2024
    I occasionally scan the recent RISC-V news. A year ago, I was expecting
    it to be in mass-market Android devices by the end of 2024, but that
    isn't going to happen, for assorted good reasons.

    I am quite impressed by the security bugs in Alibaba's T-Head processors, although not in a good way.

    On the C910 core, there's a flaw with use of the MMU that allows any
    unprivileged process running native code to write anywhere in physical
    memory, and to execute arbitrary code with kernel or machine privileges.
    Fortunately, this is not a RISC-V architecture bug, but a problem in
    Alibaba's nonstandard vector extensions. There appears to be no fix,
    except to disable those extensions. This may be a little hard on Scaleway,
    a French cloud provider who launched RISC-V service with great fanfare a
    few months ago.

    <https://ghostwriteattack.com/> <https://www.theregister.com/2024/08/07/riscv_business_thead_c910_vulnerab


    There's also a CPU freeze vulnerability in the C910, triggered by reading
    from virtual address 0, which seems like something you might well be able
    to do without native code.

    The C908 and C906 cores have halt-and-catch-fire vulnerabilities.

    I've just put Alibaba RISC-V on my "no way, not for a decade" list.

    John

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From MitchAlsup1@21:1/5 to All on Tue Aug 13 17:01:06 2024
    Given the Chinese, it might have been done on purpose.

  • From Thomas Koenig@21:1/5 to mitchalsup@aol.com on Tue Aug 13 17:32:29 2024
    MitchAlsup1 <mitchalsup@aol.com> wrote:

    > Given the Chinese, it might have been done on purpose.

    Nah, too obvious (and too bad). Writing page tables from user
    mode... wow.

    They probably fired whoever was responsible, and he went and
    joined CrowdStrike.

  • From John Dallman@21:1/5 to mitchalsup@aol.com on Tue Aug 13 20:40:00 2024
    In article <1515942ce56ee0870311c9771eef4757@www.novabbs.org>, mitchalsup@aol.com (MitchAlsup1) wrote:

    > Given the Chinese, it might have been done on purpose.

    Maybe, but the freeze on reading from address 0 looks a lot more like incompetent testing.

    Damnit, I work for an _application_ software provider, not a hardware or
    OS supplier, but I have tests for my test harness which would catch that.
    A company that doesn't find that kind of flaw is thoroughly capable of
    missing a memory management problem.

    John

  • From MitchAlsup1@21:1/5 to John Dallman on Tue Aug 13 20:35:53 2024
    On Tue, 13 Aug 2024 19:40:00 +0000, John Dallman wrote:

    > In article <1515942ce56ee0870311c9771eef4757@www.novabbs.org>, mitchalsup@aol.com (MitchAlsup1) wrote:
    >
    >> Given the Chinese, it might have been done on purpose.
    >
    > Maybe, but the freeze on reading from address 0 looks a lot more like incompetent testing.
    >
    > Damnit, I work for an _application_ software provider, not a hardware or
    > OS supplier, but I have tests for my test harness which would catch that.
    > A company that doesn't find that kind of flaw is thoroughly capable of
    > missing a memory management problem.

    Missing something as easy as that makes one wonder about how much other
    stuff testing missed ??


    > John

  • From John Dallman@21:1/5 to mitchalsup@aol.com on Tue Aug 13 23:21:00 2024
    In article <dd966b72384e88feb501ba3addfbc246@www.novabbs.org>, mitchalsup@aol.com (MitchAlsup1) wrote:

    > On Tue, 13 Aug 2024 19:40:00 +0000, John Dallman wrote:
    >> A company that doesn't find that kind of flaw is thoroughly
    >> capable of missing a memory management problem.
    > Missing something as easy as that makes one wonder about how much
    > other stuff testing missed ??

    Exactly. Thinking something is too simple to need testing is a
    fundamental error.

    John

  • From MitchAlsup1@21:1/5 to John Dallman on Wed Aug 14 01:28:06 2024
    On Tue, 13 Aug 2024 22:21:00 +0000, John Dallman wrote:

    > In article <dd966b72384e88feb501ba3addfbc246@www.novabbs.org>, mitchalsup@aol.com (MitchAlsup1) wrote:
    >
    >> On Tue, 13 Aug 2024 19:40:00 +0000, John Dallman wrote:
    >>> A company that doesn't find that kind of flaw is thoroughly
    >>> capable of missing a memory management problem.
    >>
    >> Missing something as easy as that makes one wonder about how much
    >> other stuff testing missed ??
    >
    > Exactly. Thinking something is too simple to need testing is a
    > fundamental error.

    We generally budgeted:: engineering$$ == verification$$


    > John

  • From Scott Lurndal@21:1/5 to mitchalsup@aol.com on Wed Aug 14 13:39:38 2024
    mitchalsup@aol.com (MitchAlsup1) writes:
    > On Tue, 13 Aug 2024 22:21:00 +0000, John Dallman wrote:
    >
    >> In article <dd966b72384e88feb501ba3addfbc246@www.novabbs.org>,
    >> mitchalsup@aol.com (MitchAlsup1) wrote:
    >>
    >>> On Tue, 13 Aug 2024 19:40:00 +0000, John Dallman wrote:
    >>>> A company that doesn't find that kind of flaw is thoroughly
    >>>> capable of missing a memory management problem.
    >>>
    >>> Missing something as easy as that makes one wonder about how much
    >>> other stuff testing missed ??
    >>
    >> Exactly. Thinking something is too simple to need testing is a
    >> fundamental error.
    >
    > We generally budgeted:: engineering$$ == verification$$

    Ours is closer to two verif engineers per rtl engineer, plus both
    software simulation and emulation.
