* [OpenRISC] Reporting the bugs in MOR1KX processor
[not found] <CAPV5DU64Hja40XHgvUz2ph7gcBtNWinUNH633vCfxH7vxEvshA@mail.gmail.com>
@ 2021-09-02 18:49 ` Stefan Kristiansson
2021-09-03 7:36 ` Stefan Wallentowitz
0 siblings, 1 reply; 4+ messages in thread
From: Stefan Kristiansson @ 2021-09-02 18:49 UTC (permalink / raw)
To: openrisc
On Thu, Sep 2, 2021 at 8:53 PM Jeyavijayan Rajendran <jeyavijayan@tamu.edu>
wrote:
> Dear Developers of the MOR1KX processor,
>
> We are research teams from Texas A&M University and TU Darmstadt. We
> found the following bugs in your MOR1KX processor design (
> https://github.com/openrisc/mor1kx
> <https://urldefense.com/v3/__https://github.com/openrisc/mor1kx__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBiVlQn4uw$>
> ).
>
> We intend to get CVE listing numbers for all these bugs to include in our
> research paper. Hence, we would like to disclose these bugs to you before
> we request CVE IDs.
>
> Please respond to us by *10th Sept 2021, 11:59 PM UTC *with your
> acknowledgment of the bugs.
>
> In case you are not authorized to comment on the bugs, please connect us
> with the right contact person or channel for this matter.
>
> Also, let us know if your processor design is one of the CNA-covered
> products (https://cve.mitre.org/cve/cna.html
> <https://urldefense.com/v3/__https://cve.mitre.org/cve/cna.html__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi93tT1sQ$>)
> so that we can include the same in our CVE listing.
>
>
> Vendor of the product(s): openrisc
>
>
> Bug 1:
>
> Bug: The carry flag is incorrectly implemented for subtract instructions.
>
> Location: mor1kx_execute_alu.v (
> https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v
> <https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi4Qmr_iI$>
> ).
>
> Triggering input:
>
> //set r1=00020000 and r3=00002000
>
> l.sub r4,r1,r3
>
> Expected output:
>
> Carry flag = 0
>
>
> mor1kx output:
>
> Carry flag = 1
>
>
>
> Bug 2:
>
> Bug: The EPCR register is accessible from user mode.
>
> Location: mor1kx_ctrl_cappuccino.v (
> https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v
> <https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$>
> ).
>
> Details: The OpenRISC specification requires that the EPCR register be
> accessible only from supervisor mode.
>
> Triggering input:
>
> #include <stdio.h>
>
> int main() {
>
> // enter user mode :
>
> asm volatile ( "l.ori r17,r0,0x0000 ");
>
> asm volatile ( "l.mtspr r0,r17,0x3806");
>
>
> asm volatile ( "l.mfspr r17,r0,0x11 ");
>
> asm volatile ( "l.andi r17,r17,-2 ");
>
> asm volatile ( "l.mtspr r0,r17,0x11 ");
>
> // padding the seed code
>
> asm volatile( "l.nop 0x0 ");
>
> asm volatile( "l.nop 0x0 ");
>
> asm volatile( "l.nop 0x0 ");
>
> asm volatile( "l.nop 0x0 ");
>
> asm volatile ("l.addi r1,r0,1");
>
> asm volatile ("l.mfspr r2,r0,32");
>
> asm volatile ("l.mtspr r0, r1, 32");
>
> return 0;
>
> }
>
>
> The or1ksim fails to execute the mfspr while the mor1kx implementation
> can successfully write into EPCR using the mtspr instruction.
>
>
> Bug 3:
>
> Bug: Unable to write to the EEAR register from the supervisor mode.
>
> Location: mor1kx_ctrl_cappuccino.v (
> https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v
> <https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$>),
> line 830 to 840.
>
> Details: The OpenRISC specification requires that the EEAR register be
> accessible from the supervisor mode but the mor1kx implementation does not
> have the option to write to EEAR with the mtspr instruction even from the
> supervisor mode.
>
>
> Sincerely,
>
> JV, Ahmad, Aakash, Addison, and Rahul.
>
> --
> JV Rajendran,
> Assistant Professor of Electrical and Computer Engineering,
> Texas A&M University.
> Web: https://cesg.tamu.edu/faculty/jv/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.librecores.org/pipermail/openrisc/attachments/20210902/0a00529f/attachment-0001.htm>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [OpenRISC] Reporting the bugs in MOR1KX processor
2021-09-02 18:49 ` [OpenRISC] Reporting the bugs in MOR1KX processor Stefan Kristiansson
@ 2021-09-03 7:36 ` Stefan Wallentowitz
2021-09-08 2:48 ` Rahul Kande
0 siblings, 1 reply; 4+ messages in thread
From: Stefan Wallentowitz @ 2021-09-03 7:36 UTC (permalink / raw)
To: openrisc
Hi,
can you please open issues on the bugtracker?
https://github.com/openrisc/mor1kx/issues
Thanks,
Stefan
On 02.09.21 20:49, Stefan Kristiansson wrote:
>
>
> On Thu, Sep 2, 2021 at 8:53 PM Jeyavijayan Rajendran
> <jeyavijayan at tamu.edu <mailto:jeyavijayan@tamu.edu>> wrote:
>
> Dear Developers of the MOR1KX processor,
>
> We are research teamsfrom Texas A&M University and TU Darmstadt. We
> found the following bugs in your MOR1KX processor design
> (https://github.com/openrisc/mor1kx
> <https://urldefense.com/v3/__https://github.com/openrisc/mor1kx__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBiVlQn4uw$>).
>
> We intend to get CVE listing numbers for all these bugs to include
> in our research paper. Hence, we would like to disclose these bugs
> to you before we request CVE IDs.
>
> Please respond to us by *_10th Sept 2021, 11:59 PM UTC _*with your
> acknowledgment of the bugs.
>
> In case you are not authorized to comment on the bugs, please
> connect us with the right contact person or channel for this matter.
>
> Also, let us know if your processor design is one of the CNA-covered
> products (https://cve.mitre.org/cve/cna.html
> <https://urldefense.com/v3/__https://cve.mitre.org/cve/cna.html__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi93tT1sQ$>)
> so that we can include the same in our CVE listing.
>
>
> Vendor of the product(s): openrisc
>
>
> Bug 1:
>
> Bug:The carry flag is incorrectly implemented for subtractinstructions.
>
> Location: mor1kx_execute_alu.v
> (https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v
> <https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi4Qmr_iI$>).
>
> Triggering input:
>
> //set r1=00020000 and r3=00002000
>
> l.sub r4,r1,r3
>
> Expected output:
>
> Carry flag = 0
>
>
> mor1kx output:
>
> Carry flag = 1
>
>
>
> Bug 2:
>
> Bug:The EPCR register is accessible from user mode.
>
> Location: mor1kx_ctrl_cappuccino.v
> (https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v
> <https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$>).
>
> Details: The OpenRISC specification requires that the EPCR register
> be accessible only from supervisor mode.
>
> Triggering input:
>
> #include <stdio.h>
>
> int main() {
>
> // enter user mode :
>
> asm volatile ( "l.ori r17,r0,0x0000 ");
>
> asm volatile ( "l.mtspr r0,r17,0x3806");
>
>
> asm volatile ( "l.mfspr r17,r0,0x11 ");
>
> asm volatile ( "l.andi r17,r17,-2 ");
>
> asm volatile ( "l.mtspr r0,r17,0x11 ");
>
> // padding the seed code
>
> asm volatile( "l.nop 0x0 ");
>
> asm volatile( "l.nop 0x0 ");
>
> asm volatile( "l.nop 0x0 ");
>
> asm volatile( "l.nop 0x0 ");
>
> asm volatile ("l.addi r1,r0,1");
>
> asm volatile ("l.mfspr r2,r0,32");
>
> asm volatile ("l.mtspr r0, r1, 32");
>
> return 0;
>
> }
>
>
> The or1ksim fails to execute the mfspr while the mor1kx
> implementation can successfully write into EPCR using the mtspr
> instruction.
>
>
> Bug 3:
>
> Bug:Unable to write to the EEAR register from the supervisor mode.
>
> Location: mor1kx_ctrl_cappuccino.v
> (https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v
> <https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$>),
> line 830 to 840.
>
> Details: The OpenRISC specification requires that the EEAR register
> be accessible from the supervisor mode but the mor1kx implementation
> does not have the option to write to EEAR with the mtspr instruction
> even from the supervisor mode.
>
>
> Sincerely,
>
> JV, Ahmad, Aakash, Addison, and Rahul.
>
>
> --
> JV Rajendran,
> Assistant Professor of Electrical and Computer Engineering,
> Texas A&M University.
> Web: https://cesg.tamu.edu/faculty/jv/
> <https://cesg.tamu.edu/faculty/jv/>
>
>
> _______________________________________________
> OpenRISC mailing list
> OpenRISC at lists.librecores.org
> https://lists.librecores.org/listinfo/openrisc
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [OpenRISC] Reporting the bugs in MOR1KX processor
2021-09-03 7:36 ` Stefan Wallentowitz
@ 2021-09-08 2:48 ` Rahul Kande
2021-09-13 17:58 ` Rahul Kande
0 siblings, 1 reply; 4+ messages in thread
From: Rahul Kande @ 2021-09-08 2:48 UTC (permalink / raw)
To: openrisc
Hello Mr. Wallentowitz,
We have opened issues for each of the bugs in the mor1kx bug tracker as
requested.
Here are the links for the issues we have opened:
For bug 1: https://github.com/openrisc/mor1kx/issues/139
For bug 2: https://github.com/openrisc/mor1kx/issues/140
For bug 3: https://github.com/openrisc/mor1kx/issues/141
Please let us know if the information is sufficient and acknowledge whether
we can file CVEs for them.
Sincerely,
Rahul Kande
On Fri, Sep 3, 2021 at 2:37 AM Stefan Wallentowitz <stefan@wallentowitz.de>
wrote:
> Hi,
>
> can you please open issues on the bugtracker?
>
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/issues__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYoiO8JTg$
>
> Thanks,
> Stefan
>
> On 02.09.21 20:49, Stefan Kristiansson wrote:
> >
> >
> > On Thu, Sep 2, 2021 at 8:53 PM Jeyavijayan Rajendran
> > <jeyavijayan at tamu.edu <mailto:jeyavijayan@tamu.edu>> wrote:
> >
> > Dear Developers of the MOR1KX processor,
> >
> > We are research teamsfrom Texas A&M University and TU Darmstadt. We
> > found the following bugs in your MOR1KX processor design
> > (
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYOf67r0Q$
> > <
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBiVlQn4uw$
> >).
> >
> > We intend to get CVE listing numbers for all these bugs to include
> > in our research paper. Hence, we would like to disclose these bugs
> > to you before we request CVE IDs.
> >
> > Please respond to us by *_10th Sept 2021, 11:59 PM UTC _*with your
> > acknowledgment of the bugs.
> >
> > In case you are not authorized to comment on the bugs, please
> > connect us with the right contact person or channel for this matter.
>
> >
> > Also, let us know if your processor design is one of the CNA-covered
> > products (
> https://urldefense.com/v3/__https://cve.mitre.org/cve/cna.html__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezbJjp-2Xg$
> > <
> https://urldefense.com/v3/__https://cve.mitre.org/cve/cna.html__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi93tT1sQ$
> >)
> > so that we can include the same in our CVE listing.
> >
> >
> > Vendor of the product(s): openrisc
> >
> >
> > Bug 1:
> >
> > Bug:The carry flag is incorrectly implemented for
> subtractinstructions.
> >
> > Location: mor1kx_execute_alu.v
> > (
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZdNKImyQ$
> > <
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi4Qmr_iI$
> >).
> >
> > Triggering input:
> >
> > //set r1=00020000 and r3=00002000
> >
> > l.sub r4,r1,r3
> >
> > Expected output:
> >
> > Carry flag = 0
> >
> >
> > mor1kx output:
> >
> > Carry flag = 1
> >
> >
> >
> > Bug 2:
> >
> > Bug:The EPCR register is accessible from user mode.
> >
> > Location: mor1kx_ctrl_cappuccino.v
> > (
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZmnTocIw$
> > <
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$
> >).
> >
> > Details: The OpenRISC specification requires that the EPCR register
> > be accessible only from supervisor mode.
> >
> > Triggering input:
> >
> > #include <stdio.h>
> >
> > int main() {
> >
> > // enter user mode :
> >
> > asm volatile ( "l.ori r17,r0,0x0000 ");
> >
> > asm volatile ( "l.mtspr r0,r17,0x3806");
> >
> >
> > asm volatile ( "l.mfspr r17,r0,0x11 ");
> >
> > asm volatile ( "l.andi r17,r17,-2 ");
> >
> > asm volatile ( "l.mtspr r0,r17,0x11 ");
> >
> > // padding the seed code
> >
> > asm volatile( "l.nop 0x0 ");
> >
> > asm volatile( "l.nop 0x0 ");
> >
> > asm volatile( "l.nop 0x0 ");
> >
> > asm volatile( "l.nop 0x0 ");
> >
> > asm volatile ("l.addi r1,r0,1");
> >
> > asm volatile ("l.mfspr r2,r0,32");
> >
> > asm volatile ("l.mtspr r0, r1, 32");
> >
> > return 0;
> >
> > }
> >
> >
> > The or1ksim fails to execute the mfspr while the mor1kx
> > implementation can successfully write into EPCR using the mtspr
> > instruction.
> >
> >
> > Bug 3:
> >
> > Bug:Unable to write to the EEAR register from the supervisor mode.
> >
> > Location: mor1kx_ctrl_cappuccino.v
> > (
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZmnTocIw$
> > <
> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$
> >),
> > line 830 to 840.
> >
> > Details: The OpenRISC specification requires that the EEAR register
> > be accessible from the supervisor mode but the mor1kx implementation
> > does not have the option to write to EEAR with the mtspr instruction
> > even from the supervisor mode.
> >
> >
> > Sincerely,
> >
> > JV, Ahmad, Aakash, Addison, and Rahul.
> >
> >
> > --
> > JV Rajendran,
> > Assistant Professor of Electrical and Computer Engineering,
> > Texas A&M University.
> > Web: https://cesg.tamu.edu/faculty/jv/
> > <https://cesg.tamu.edu/faculty/jv/>
> >
> >
> > _______________________________________________
> > OpenRISC mailing list
> > OpenRISC at lists.librecores.org
> >
> https://urldefense.com/v3/__https://lists.librecores.org/listinfo/openrisc__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYmyWEWww$
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.librecores.org/pipermail/openrisc/attachments/20210907/e1653ddf/attachment.htm>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [OpenRISC] Reporting the bugs in MOR1KX processor
2021-09-08 2:48 ` Rahul Kande
@ 2021-09-13 17:58 ` Rahul Kande
0 siblings, 0 replies; 4+ messages in thread
From: Rahul Kande @ 2021-09-13 17:58 UTC (permalink / raw)
To: openrisc
Hello Mr. Wallentowitz,
I just wanted to inform you that we have submitted the bugs to the mor1kx
bug tracker as required.
May I know if we have your acknowledgment of the bugs so that we can
include the same in our submission for the CVE listing?
Also, please let us know if you need any more information from us.
Sincerely,
Rahul
On Tue, Sep 7, 2021 at 9:48 PM Rahul Kande <rahulkande@tamu.edu> wrote:
> Hello Mr. Wallentowitz,
>
> We have opened issues for each of the bugs in the mor1kx bug tracker as
> requested.
>
> Here are the links for the issues we have opened:
> For bug 1: https://github.com/openrisc/mor1kx/issues/139
> For bug 2: https://github.com/openrisc/mor1kx/issues/140
> For bug 3: https://github.com/openrisc/mor1kx/issues/141
>
> Please let us know if the information is sufficient and acknowledge
> whether we can file CVEs for them.
>
> Sincerely,
> Rahul Kande
>
> On Fri, Sep 3, 2021 at 2:37 AM Stefan Wallentowitz <stefan@wallentowitz.de>
> wrote:
>
>> Hi,
>>
>> can you please open issues on the bugtracker?
>>
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/issues__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYoiO8JTg$
>>
>> Thanks,
>> Stefan
>>
>> On 02.09.21 20:49, Stefan Kristiansson wrote:
>> >
>> >
>> > On Thu, Sep 2, 2021 at 8:53 PM Jeyavijayan Rajendran
>> > <jeyavijayan at tamu.edu <mailto:jeyavijayan@tamu.edu>> wrote:
>> >
>> > Dear Developers of the MOR1KX processor,
>> >
>> > We are research teamsfrom Texas A&M University and TU Darmstadt. We
>> > found the following bugs in your MOR1KX processor design
>> > (
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYOf67r0Q$
>> > <
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBiVlQn4uw$
>> >).
>> >
>> > We intend to get CVE listing numbers for all these bugs to include
>> > in our research paper. Hence, we would like to disclose these bugs
>> > to you before we request CVE IDs.
>> >
>> > Please respond to us by *_10th Sept 2021, 11:59 PM UTC _*with your
>> > acknowledgment of the bugs.
>> >
>> > In case you are not authorized to comment on the bugs, please
>> > connect us with the right contact person or channel for this
>> matter.
>> >
>> > Also, let us know if your processor design is one of the CNA-covered
>> > products (
>> https://urldefense.com/v3/__https://cve.mitre.org/cve/cna.html__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezbJjp-2Xg$
>> > <
>> https://urldefense.com/v3/__https://cve.mitre.org/cve/cna.html__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi93tT1sQ$
>> >)
>> > so that we can include the same in our CVE listing.
>> >
>> >
>> > Vendor of the product(s): openrisc
>> >
>> >
>> > Bug 1:
>> >
>> > Bug:The carry flag is incorrectly implemented for
>> subtractinstructions.
>> >
>> > Location: mor1kx_execute_alu.v
>> > (
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZdNKImyQ$
>> > <
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi4Qmr_iI$
>> >).
>> >
>> > Triggering input:
>> >
>> > //set r1=00020000 and r3=00002000
>> >
>> > l.sub r4,r1,r3
>> >
>> > Expected output:
>> >
>> > Carry flag = 0
>> >
>> >
>> > mor1kx output:
>> >
>> > Carry flag = 1
>> >
>> >
>> >
>> > Bug 2:
>> >
>> > Bug:The EPCR register is accessible from user mode.
>> >
>> > Location: mor1kx_ctrl_cappuccino.v
>> > (
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZmnTocIw$
>> > <
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$
>> >).
>> >
>> > Details: The OpenRISC specification requires that the EPCR register
>> > be accessible only from supervisor mode.
>> >
>> > Triggering input:
>> >
>> > #include <stdio.h>
>> >
>> > int main() {
>> >
>> > // enter user mode :
>> >
>> > asm volatile ( "l.ori r17,r0,0x0000 ");
>> >
>> > asm volatile ( "l.mtspr r0,r17,0x3806");
>> >
>> >
>> > asm volatile ( "l.mfspr r17,r0,0x11 ");
>> >
>> > asm volatile ( "l.andi r17,r17,-2 ");
>> >
>> > asm volatile ( "l.mtspr r0,r17,0x11 ");
>> >
>> > // padding the seed code
>> >
>> > asm volatile( "l.nop 0x0 ");
>> >
>> > asm volatile( "l.nop 0x0 ");
>> >
>> > asm volatile( "l.nop 0x0 ");
>> >
>> > asm volatile( "l.nop 0x0 ");
>> >
>> > asm volatile ("l.addi r1,r0,1");
>> >
>> > asm volatile ("l.mfspr r2,r0,32");
>> >
>> > asm volatile ("l.mtspr r0, r1, 32");
>> >
>> > return 0;
>> >
>> > }
>> >
>> >
>> > The or1ksim fails to execute the mfspr while the mor1kx
>> > implementation can successfully write into EPCR using the mtspr
>> > instruction.
>> >
>> >
>> > Bug 3:
>> >
>> > Bug:Unable to write to the EEAR register from the supervisor mode.
>> >
>> > Location: mor1kx_ctrl_cappuccino.v
>> > (
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZmnTocIw$
>> > <
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$
>> >),
>> > line 830 to 840.
>> >
>> > Details: The OpenRISC specification requires that the EEAR register
>> > be accessible from the supervisor mode but the mor1kx implementation
>> > does not have the option to write to EEAR with the mtspr instruction
>> > even from the supervisor mode.
>> >
>> >
>> > Sincerely,
>> >
>> > JV, Ahmad, Aakash, Addison, and Rahul.
>> >
>> >
>> > --
>> > JV Rajendran,
>> > Assistant Professor of Electrical and Computer Engineering,
>> > Texas A&M University.
>> > Web: https://cesg.tamu.edu/faculty/jv/
>> > <https://cesg.tamu.edu/faculty/jv/>
>> >
>> >
>> > _______________________________________________
>> > OpenRISC mailing list
>> > OpenRISC at lists.librecores.org
>> >
>> https://urldefense.com/v3/__https://lists.librecores.org/listinfo/openrisc__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYmyWEWww$
>> >
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.librecores.org/pipermail/openrisc/attachments/20210913/affaf30a/attachment-0001.htm>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-09-13 17:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <CAPV5DU64Hja40XHgvUz2ph7gcBtNWinUNH633vCfxH7vxEvshA@mail.gmail.com>
2021-09-02 18:49 ` [OpenRISC] Reporting the bugs in MOR1KX processor Stefan Kristiansson
2021-09-03 7:36 ` Stefan Wallentowitz
2021-09-08 2:48 ` Rahul Kande
2021-09-13 17:58 ` Rahul Kande
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.