Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: jgd@cix.co.uk (John Dallman)
Newsgroups: comp.arch
Subject: Quite a spectacular security bug
Date: Tue, 13 Aug 2024 17:39 +0100 (BST)
Organization: A noiseless patient Spider
Lines: 29
Message-ID: <memo.20240813173946.20940Y@jgd.cix.co.uk>
Reply-To: jgd@cix.co.uk
Injection-Date: Tue, 13 Aug 2024 18:39:46 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="1ff2dbfa950121735ddd016b3f63b4a2";
	logging-data="4180312"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX18UFd5DwMBBqcvNlSOmqaciswrrp1zQA14="
Cancel-Lock: sha1:LwK8sRu00YR+yg5oRUZ4utP/h0k=
X-Clacks-Overhead-header: GNU Terry Pratchett
Bytes: 2082

I occasionally scan the recent RISC-V news. A year ago, I was expecting
it to be in mass-market Android devices by the end of 2024, but that
isn't going to happen, for assorted good reasons. 

I am quite impressed by the security bugs in Alibaba's T-Head processors,
although not in a good way. 

On the C910 core, there's a flaw with use of the MMU that allows any
unprivileged process running native code to write anywhere in physical
memory, and to execute arbitrary code with kernel or machine privileges.
Fortunately, this is not a RISC-V architecture bug, but a problem in
Alibaba's nonstandard vector extensions. There appears to be no fix,
except to disable those extensions. This may be a little hard on Scaleway,
a French cloud provider who launched RISC-V service with great fanfare a
few months ago. 

<https://ghostwriteattack.com/>
<https://www.theregister.com/2024/08/07/riscv_business_thead_c910_vulnerable/>

There's also a CPU freeze vulnerability in the C910, triggered by reading
from virtual address 0, which seems like something you might well be able
to do without native code. 

The C908 and C906 cores have halt-and-catch-fire vulnerabilities. 

I've just put Alibaba RISC-V on my "no way, not for a decade" list. 

John