【CPU】Apple M1 に脆弱性 → 発見者が脆弱性を利用して「Bad Apple!!」動画を権限無視で転送

M1RACLES: Apple M1 Exposed To Covert Channel Vulnerability
Written by Michael Larabel in Linux Security on 26 May 2021 at 05:40 AM EDT. 23 Comments
LINUX SECURITY — Apple’s shiny new in-house M1 Arm chip is the latest processor challenged by a security vulnerability. The “M1RACLES" vulnerability was made public today as a covert channel vulnerability by where a mysterious register could leak EL0 state.

The M1RACLES vulnerability is assigned as CVE-2021-30747. This vulnerability is summed up as, “A flaw in the design of the Apple Silicon “M1” chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange…The ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process."

As with most CPU vulnerabilities these days, there is a demo video and shiny website at m1racles.com outlining this find plus proof-of-concept demo code.

As this deals with a CPU register, the vulnerability is there regardless of using Apple macOS or the new M1 support in the Linux kernel or other operating systems.

For the moment the only workaround/mitigation is running your software within a virtual machine where hypervisors currently disable access by the VM to the s3_5_c15_c10_1 register.

This vulnerability was discovered by the Asahi Linux crew as part of the bring-up of Linux on the Apple Silicon hardware
https://www.phoronix.com/scan.php?page=news_item&px=Apple-M1-M1RACLES

脆弱性(CVE-2021-30747)
M1プロセッサの一部のシステムレジスタがEL0(Intel用語でring3)で読み書き可能で、任意の2プロセスがOSによる制限を無視して情報を交換できる

Fadis@fadis_

Apple SiliconでLinuxを動かす為にCPUを調べていたAsahi Linuxの人達がM1プロセッサの脆弱性(CVE-2021-30747)を見つけてしまった話。M1プロセッサの一部のシステムレジスタがEL0(Inte… https://t.co/KmkcgdonCp

2021/05/27 00:38:07

AppleのCPUの脆弱性を利用してBad Appleの動画をパーミッション無視して転送するの、煽りティが高い

Fadis@fadis_

AppleのCPUの脆弱性を利用してBad Appleの動画をパーミッション無視して転送するの、煽りティが高い

2021/05/27 00:38:56

動画
M1RACLES: Bad Apple!! on a bad Apple (M1 vulnerability)
[youtube https://www.youtube.com/watch?v=hLQKrEh6w7M?feature=oembed&w=560&h=315]
https://i.ytimg.com/vi/hLQKrEh6w7M/hqdefault.jpg
(deleted an unsolicited ad)