[OpenRISC] Reporting the bugs in MOR1KX processor

From: Rahul Kande <rahulkande@tamu.edu>
To: openrisc@lists.librecores.org
Subject: [OpenRISC] Reporting the bugs in MOR1KX processor
Date: Mon, 13 Sep 2021 12:58:20 -0500	[thread overview]
Message-ID: <CADLGkjvOpkru6UV_5wHUFYRBHdVPHg5Wv6T8Lx3qDwELtSxCEg@mail.gmail.com> (raw)
In-Reply-To: <CADLGkjtjTVMSkLuxVqJJS_j_Z+QOP15EsQoHMQ+-_kASG7H_GA@mail.gmail.com>

Hello  Mr. Wallentowitz,

I just wanted to inform you that we have submitted the bugs to the mor1kx
bug tracker as required.

May I know if we have your acknowledgment of the bugs so that we can
include the same in our submission for the CVE listing?
Also, please let us know if you need any more information from us.

Sincerely,
Rahul

On Tue, Sep 7, 2021 at 9:48 PM Rahul Kande <rahulkande@tamu.edu> wrote:

> Hello Mr. Wallentowitz,
>
> We have opened issues for each of the bugs in the mor1kx bug tracker as
> requested.
>
> Here are the links for the issues we have opened:
> For bug 1: https://github.com/openrisc/mor1kx/issues/139
> For bug 2: https://github.com/openrisc/mor1kx/issues/140
> For bug 3: https://github.com/openrisc/mor1kx/issues/141
>
> Please let us know if the information is sufficient and acknowledge
> whether we can file CVEs for them.
>
> Sincerely,
> Rahul Kande
>
> On Fri, Sep 3, 2021 at 2:37 AM Stefan Wallentowitz <stefan@wallentowitz.de>
> wrote:
>
>> Hi,
>>
>> can you please open issues on the bugtracker?
>>
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/issues__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYoiO8JTg$
>>
>> Thanks,
>> Stefan
>>
>> On 02.09.21 20:49, Stefan Kristiansson wrote:
>> >
>> >
>> > On Thu, Sep 2, 2021 at 8:53 PM Jeyavijayan Rajendran
>> > <jeyavijayan at tamu.edu <mailto:jeyavijayan@tamu.edu>> wrote:
>> >
>> >     Dear Developers of the MOR1KX processor,
>> >
>> >     We are research teamsfrom Texas A&M University and TU Darmstadt. We
>> >     found the following bugs in your MOR1KX processor design
>> >     (
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYOf67r0Q$
>> >     <
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBiVlQn4uw$
>> >).
>> >
>> >     We intend to get CVE listing numbers for all these bugs to include
>> >     in our research paper. Hence, we would like to disclose these bugs
>> >     to you before we request CVE IDs.
>> >
>> >     Please respond to us by *_10th Sept 2021, 11:59 PM UTC _*with your
>> >     acknowledgment of the bugs.
>> >
>> >     In case you are not authorized to comment on the bugs, please
>> >     connect us with the right contact person or channel for this
>> matter.
>> >
>> >     Also, let us know if your processor design is one of the CNA-covered
>> >     products (
>> https://urldefense.com/v3/__https://cve.mitre.org/cve/cna.html__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezbJjp-2Xg$
>> >     <
>> https://urldefense.com/v3/__https://cve.mitre.org/cve/cna.html__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi93tT1sQ$
>> >)
>> >     so that we can include the same in our CVE listing.
>> >
>> >
>> >     Vendor of the product(s): openrisc
>> >
>> >
>> >     Bug 1:
>> >
>> >     Bug:The carry flag is incorrectly implemented for
>> subtractinstructions.
>> >
>> >     Location:  mor1kx_execute_alu.v
>> >     (
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZdNKImyQ$
>> >     <
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_execute_alu.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi4Qmr_iI$
>> >).
>> >
>> >     Triggering input:
>> >
>> >     //set r1=00020000 and r3=00002000
>> >
>> >          l.sub    r4,r1,r3
>> >
>> >     Expected output:
>> >
>> >                    Carry flag = 0
>> >
>> >
>> >     mor1kx output:
>> >
>> >                   Carry flag = 1
>> >
>> >
>> >
>> >     Bug 2:
>> >
>> >     Bug:The EPCR register is accessible from user mode.
>> >
>> >     Location:  mor1kx_ctrl_cappuccino.v
>> >     (
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZmnTocIw$
>> >     <
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$
>> >).
>> >
>> >     Details: The OpenRISC specification requires that the EPCR register
>> >     be accessible only from supervisor mode.
>> >
>> >     Triggering input:
>> >
>> >     #include <stdio.h>
>> >
>> >     int main() {
>> >
>> >       // enter user mode :
>> >
>> >       asm volatile ( "l.ori r17,r0,0x0000  ");
>> >
>> >       asm volatile ( "l.mtspr r0,r17,0x3806");
>> >
>> >
>> >       asm volatile ( "l.mfspr r17,r0,0x11  ");
>> >
>> >       asm volatile ( "l.andi r17,r17,-2    ");
>> >
>> >       asm volatile ( "l.mtspr r0,r17,0x11  ");
>> >
>> >       // padding the seed code
>> >
>> >       asm volatile( "l.nop 0x0 ");
>> >
>> >       asm volatile( "l.nop 0x0 ");
>> >
>> >       asm volatile( "l.nop 0x0 ");
>> >
>> >       asm volatile( "l.nop 0x0 ");
>> >
>> >       asm volatile ("l.addi r1,r0,1");
>> >
>> >       asm volatile ("l.mfspr r2,r0,32");
>> >
>> >       asm volatile ("l.mtspr r0, r1, 32");
>> >
>> >       return 0;
>> >
>> >     }
>> >
>> >
>> >     The or1ksim fails to execute the mfspr while the mor1kx
>> >     implementation can successfully write into EPCR using the mtspr
>> >     instruction.
>> >
>> >
>> >     Bug 3:
>> >
>> >     Bug:Unable to write to the EEAR register from the supervisor mode.
>> >
>> >     Location:  mor1kx_ctrl_cappuccino.v
>> >     (
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezZmnTocIw$
>> >     <
>> https://urldefense.com/v3/__https://github.com/openrisc/mor1kx/blob/master/rtl/verilog/mor1kx_ctrl_cappuccino.v__;!!KwNVnqRv!SNshfFgKzp1a7X2JYV-4kru80LEyB-7pSHRNT2CfnwuMzUMLkGpkd-6OXtBi6Jz-sng$
>> >),
>> >     line 830 to 840.
>> >
>> >     Details: The OpenRISC specification requires that the EEAR register
>> >     be accessible from the supervisor mode but the mor1kx implementation
>> >     does not have the option to write to EEAR with the mtspr instruction
>> >     even from the supervisor mode.
>> >
>> >
>> >     Sincerely,
>> >
>> >     JV, Ahmad, Aakash, Addison, and Rahul.
>> >
>> >
>> >     --
>> >     JV Rajendran,
>> >     Assistant Professor of Electrical and Computer Engineering,
>> >     Texas A&M University.
>> >     Web: https://cesg.tamu.edu/faculty/jv/
>> >     <https://cesg.tamu.edu/faculty/jv/>
>> >
>> >
>> > _______________________________________________
>> > OpenRISC mailing list
>> > OpenRISC at lists.librecores.org
>> >
>> https://urldefense.com/v3/__https://lists.librecores.org/listinfo/openrisc__;!!KwNVnqRv!XeamcSRFA-6TeQbLLPh3DDsaf189nUEBWI3f3g8OchDHo_r7QIXO8QgYezYmyWEWww$
>> >
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.librecores.org/pipermail/openrisc/attachments/20210913/affaf30a/attachment-0001.htm>