Thursday, May 27, 2021

Clickbait security hole?

“Unpatchable” vuln in Apple’s new Mac chip – what you need to know
By Paul Ducklin

Apple’s brand new Mac has a security hole, right inside the processor itself!

The official name for the bug is CVE-2021-30747, but the developer who discovered it prefers to call it M1RACLES, all in caps.

Like every BWAIN (our own impressive name for bugs with impressive names, short for Bug With An Impressive Name), it has a personalised domain, a logo and a website where you can learn all about it.

The finder of the bug, Hector Martin, writes on the website that:

The vulnerability is baked into Apple Silicon chips, and cannot be fixed without a new silicon revision.

... the bug name M1RACLES expands, rather tortuously, as:

M1ssing Register Access Controls Leak EL0 State

It turns out that Apple’s M1 chip includes a CPU system register known, ineffably, as s3_5_c15_c10_1.

According to Hector Martin, this register can be read from by userland programs running at EL0, though he doesn’t know what the register is actually used for, if anything.

However, userland programs aren’t supposed to be able to write into it, given that it’s a system register and supposedly off-limits to EL0 programs.

But Martin discovered that userland code can write to just two individual bits inside this register – bits that are apparently otherwise unused and therefore might be considered unimportant or even irrelevant...

... and those bits can then be read out from any other userland program.

And that’s it!

That, in a nutshell, is the entirety of the “baked-in” security vulnerability CVE-2021-30747, also known as M1RACLES.
...
There’s nothing that you can do, but fortunately there’s nothing you need to do, so you can relax.

Clearly, if it is possible to access a register you're not supposed to have access to, it's a bug that must be fixed, and I suppose it technically counts as a security vulnerability, but does this really require creating an entire Internet domain and web site to advertise it?

Sounds like click-bait to me.
