| Paul Beesley | 1ed4cf2 | 2019-03-07 16:22:44 +0000 | [diff] [blame] | 1 | Advisory TFV-3 (CVE-2017-7563) |
| 2 | ============================== |
| 3 | |
| Joel Hutton | 9e60563 | 2019-02-25 15:18:56 +0000 | [diff] [blame] | 4 | +----------------+-------------------------------------------------------------+ |
| 5 | | Title | RO memory is always executable at AArch64 Secure EL1 | |
| 6 | +================+=============================================================+ |
| Paul Beesley | 75017f2 | 2019-03-05 17:10:07 +0000 | [diff] [blame] | 7 | | CVE ID | `CVE-2017-7563`_ | |
| Joel Hutton | 9e60563 | 2019-02-25 15:18:56 +0000 | [diff] [blame] | 8 | +----------------+-------------------------------------------------------------+ |
| 9 | | Date | 06 Apr 2017 | |
| 10 | +----------------+-------------------------------------------------------------+ |
| 11 | | Versions | v1.3 (since `Pull Request #662`_) | |
| 12 | | Affected | | |
| 13 | +----------------+-------------------------------------------------------------+ |
| 14 | | Configurations | AArch64 BL2, TSP or other users of xlat_tables library | |
| 15 | | Affected | executing at AArch64 Secure EL1 | |
| 16 | +----------------+-------------------------------------------------------------+ |
| 17 | | Impact | Unexpected Privilege Escalation | |
| 18 | +----------------+-------------------------------------------------------------+ |
| 19 | | Fix Version | `Pull Request #924`_ | |
| 20 | +----------------+-------------------------------------------------------------+ |
| 21 | | Credit | ARM | |
| 22 | +----------------+-------------------------------------------------------------+ |
| 23 | |
| 24 | The translation table library in ARM Trusted Firmware (TF) (under |
| 25 | ``lib/xlat_tables`` and ``lib/xlat_tables_v2``) provides APIs to help program |
| 26 | translation tables in the MMU. The xlat\_tables client specifies its required |
| 27 | memory mappings in the form of ``mmap_region`` structures. Each ``mmap_region`` |
| 28 | has memory attributes represented by the ``mmap_attr_t`` enumeration type. This |
| 29 | contains flags to control data access permissions (``MT_RO``/``MT_RW``) and |
| 30 | instruction execution permissions (``MT_EXECUTE``/``MT_EXECUTE_NEVER``). Thus a |
| 31 | mapping specifying both ``MT_RO`` and ``MT_EXECUTE_NEVER`` should result in a |
| 32 | Read-Only (RO), non-executable memory region. |
| 33 | |
| 34 | This feature does not work correctly for AArch64 images executing at Secure EL1. |
| 35 | Any memory region mapped as RO will always be executable, regardless of whether |
| 36 | the client specified ``MT_EXECUTE`` or ``MT_EXECUTE_NEVER``. |
| 37 | |
| 38 | The vulnerability is known to affect the BL2 and Test Secure Payload (TSP) |
| 39 | images on platforms that enable the ``SEPARATE_CODE_AND_RODATA`` build option, |
| 40 | which includes all ARM standard platforms, and the upstream Xilinx and NVidia |
| 41 | platforms. The RO data section for these images on these platforms is |
| 42 | unexpectedly executable instead of non-executable. Other platforms or |
| 43 | ``xlat_tables`` clients may also be affected. |
| 44 | |
| 45 | The vulnerability primarily manifests itself after `Pull Request #662`_. Before |
| 46 | that, ``xlat_tables`` clients could not specify instruction execution |
| 47 | permissions separately to data access permissions. All RO normal memory regions |
| 48 | were implicitly executable. Before `Pull Request #662`_. the vulnerability |
| 49 | would only manifest itself for device memory mapped as RO; use of this mapping |
| 50 | is considered rare, although the upstream QEMU platform uses this mapping when |
| 51 | the ``DEVICE2_BASE`` build option is used. |
| 52 | |
| 53 | Note that one or more separate vulnerabilities are also required to exploit this |
| 54 | vulnerability. |
| 55 | |
| 56 | The vulnerability is due to incorrect handling of the execute-never bits in the |
| 57 | translation tables. The EL3 translation regime uses a single ``XN`` bit to |
| 58 | determine whether a region is executable. The Secure EL1&0 translation regime |
| 59 | handles 2 Virtual Address (VA) ranges and so uses 2 bits, ``UXN`` and ``PXN``. |
| 60 | The ``xlat_tables`` library only handles the ``XN`` bit, which maps to ``UXN`` |
| 61 | in the Secure EL1&0 regime. As a result, this programs the Secure EL0 execution |
| 62 | permissions but always leaves the memory as executable at Secure EL1. |
| 63 | |
| 64 | The vulnerability is mitigated by the following factors: |
| 65 | |
| 66 | - The xlat\_tables library ensures that all Read-Write (RW) memory regions are |
| 67 | non-executable by setting the ``SCTLR_ELx.WXN`` bit. This overrides any value |
| 68 | of the ``XN``, ``UXN`` or ``PXN`` bits in the translation tables. See the |
| 69 | ``enable_mmu()`` function: |
| 70 | |
| Paul Beesley | 493e349 | 2019-03-13 15:11:04 +0000 | [diff] [blame] | 71 | :: |
| Joel Hutton | 9e60563 | 2019-02-25 15:18:56 +0000 | [diff] [blame] | 72 | |
| 73 | sctlr = read_sctlr_el##_el(); \ |
| 74 | sctlr |= SCTLR_WXN_BIT | SCTLR_M_BIT; \ |
| 75 | |
| 76 | - AArch32 configurations are unaffected. Here the ``XN`` bit controls execution |
| 77 | privileges of the currently executing translation regime, which is the desired |
| 78 | behaviour. |
| 79 | |
| 80 | - ARM TF EL3 code (for example BL1 and BL31) ensures that all non-secure memory |
| 81 | mapped into the secure world is non-executable by setting the ``SCR_EL3.SIF`` |
| 82 | bit. See the ``el3_arch_init_common`` macro in ``el3_common_macros.S``. |
| 83 | |
| Paul Beesley | 75017f2 | 2019-03-05 17:10:07 +0000 | [diff] [blame] | 84 | .. _CVE-2017-7563: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7563 |
| Joel Hutton | 9e60563 | 2019-02-25 15:18:56 +0000 | [diff] [blame] | 85 | .. _Pull Request #662: https://github.com/ARM-software/arm-trusted-firmware/pull/662 |
| 86 | .. _Pull Request #924: https://github.com/ARM-software/arm-trusted-firmware/pull/924 |