Skip to content

arch: riscv: userspace: potential security risk when CONFIG_RISCV_GP=y

Critical
ceolin published GHSA-jjf3-7x72-pqm9 Nov 15, 2024

Package

Zephyr (Zephyr)

Affected versions

<=3.7

Patched versions

None

Description

Summary

When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols.

zephyr/include/zephyr/arch/riscv/common/linker.ld

Lines 305 to 319 in c0a0e6a

#ifdef CONFIG_RISCV_GP
/*
* RISC-V architecture has 12-bit signed immediate offsets in the
* instructions. If we can put the most commonly accessed globals
* in a special 4K span of memory addressed by the GP register, then
* we can access those values in a single instruction, saving both
* codespace and runtime.
*
* Since these immediate offsets are signed, place gp 0x800 past the
* beginning of .sdata so that we can use both positive and negative
* offsets.
*/
. = ALIGN(8);
PROVIDE (__global_pointer$ = . + 0x800);
#endif

However, the gp reg is not protected against write from userspace, this means that a rogue userspace can corrupt the gp reg, and cause the compiled instruction to access random addresses.

Expected behavior

The gp register should remain a constant.

Environment (please complete the following information):

  • Toolchain (e.g Zephyr SDK, ...): 0.16.8
  • Commit SHA or Version used: v3.7 branch

Impact

A rogue thread can corrupt the gp reg and cause the entire system to hard fault at best, at worst, it can potentially trick the system to access another set of random global symbols.

Patches

main: #81155
v3.7: #81370

For more information

If you have any questions or comments about this advisory:

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2024-11263

Weaknesses

Privilege Context Switching Error

The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. Learn more on MITRE.

Credits