CVE-2021-40506: Overflow Flag Issue in ALU Unit of OR120 Processor Leads to Potential Data Corruption

A critical vulnerability (CVE-2021-40506) has been discovered in the Arithmetic Logic Unit (ALU) of the OR120 (OpenRISC 120) processor. This issue affects all processor revisions from 2011-09-10 to 2015-11-11. The vulnerability lies in the improper updating of the overflow flag for the msb (most significant bit) and mac (multiply-accumulate) instructions, which results in an incorrect value being stored in the flag. Any software that relies on this flag might experience corruption during execution, potentially leading to improper outputs and even crashes. This post investigates the details of the vulnerability, provides code snippets showcasing the issue, links to original references, and outlines exploit details.

Vulnerability Details

In the OR120 processor's ALU, an issue has been found where the overflow flag is not properly updated for msb and mac instructions. This error results in an incorrect value in the overflow flag, which can then propagate to other parts of the processor and affect the execution of programs.

The following code snippet demonstrates that the overflow flag is not updated for the msb instruction:

void test_msb_overflow() {
    int a = x7FFFFFFF;
    int b = x10000000;
    int result;

    asm("msb %, %1, %2"
        : "=r"(result)
        : "r"(a), "r"(b)
    );

    printf("MSB overflow test: a = x%X, b = x%X, result = x%X\n", a, b, result);
    // Expected overflow flag value: 1
}

The expected overflow flag value after this msb operation would be 1, but due to the vulnerability, this will not be the case. Similarly, the overflow flag is not updated for the mac instruction, as shown in the following code snippet:

void test_mac_overflow() {
    int a = x7FFFFFFF;
    int b = x10000000;
    int accumulator = ;
    int result;

    asm("l.mac %"
        : /* no outputs */
        : "r"(accumulator)
    );

    asm("mac %, %1"
        : "=r"(result)
        : "r"(a), "r"(b)
    );

    printf("MAC overflow test: a = x%X, b = x%X, result = x%X\n", a, b, result);
    // Expected overflow flag value: 1
}

In this case, the expected overflow flag value should also be 1, but the incorrect value will be present due to the vulnerability.

Exploit Details

As mentioned earlier, any software or algorithms that rely on the overflow flag for accurate execution may experience data corruption and unintended behavior. Exploiting this vulnerability can be achieved by crafting specific inputs that trigger the overflow condition and subsequently make use of the incorrect flag value to manipulate the program flow and cause data corruption.

Original References

The issue was recorded in various bug trackers and security reports, including CVE-2021-40506 from the MITRE Corporation and the National Vulnerability Database (NVD). Additional details about the affected processor - the OpenRISC 120 - can be found at the OpenCores website.

Conclusion

The CVE-2021-40506 vulnerability in the ALU of the OR120 processor poses a serious risk for any software that relies on the overflow flag for proper execution. While no known instances of this vulnerability being exploited in the wild have been reported, developers and users must remain vigilant and stay up-to-date on any future patches and updates to address this issue.

Timeline

Published on: 04/18/2023 12:15:00 UTC
Last modified on: 04/27/2023 15:41:00 UTC