{"@ID": "1260", "@Name": "Improper Handling of Overlap Between Protected Memory Ranges", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Stable", "Description": "The product allows address regions to overlap, which can result in the bypassing of intended memory protection.", "Extended_Description": {"xhtml:p": ["Isolated memory regions and access control (read/write) policies are used by hardware to protect privileged software. Software components are often allowed to change or remap memory region definitions in order to enable flexible and dynamically changeable memory management by system software.", "If a software component running at lower privilege can program a memory address region to overlap with other memory regions used by software running at higher privilege, privilege escalation may be available to attackers. The memory protection unit (MPU) logic can incorrectly handle such an address overlap and allow the lower-privilege software to read or write into the protected memory region, resulting in privilege escalation attack. An address overlap weakness can also be used to launch a denial of service attack on the higher-privilege software memory regions."]}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "119", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Name": "Memory Hardware", "@Prevalence": "Undetermined"}, {"@Name": "Processor Hardware", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": "Such issues could be introduced during hardware architecture and design or implementation and identified later during the Testing phase."}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Integrity", "Availability"], "Impact": ["Modify Memory", "Read Memory", "DoS: Instability"], "Likelihood": "High"}}, "Detection_Methods": {"Detection_Method": {"Method": "Manual Analysis", "Description": "Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": {"xhtml:p": "Ensure that memory regions are isolated as intended and that access control (read/write) policies are used by hardware to protect privileged software."}}, {"Phase": "Implementation", "Description": {"xhtml:p": ["For all of the programmable memory protection regions, the memory protection unit (MPU) design can define a priority scheme.", "For example: if three memory regions can be programmed (Region_0, Region_1, and Region_2), the design can enforce a priority scheme, such that, if a system address is within multiple regions, then the region with the lowest ID takes priority and the access-control policy of that region will be applied.  In some MPU designs, the priority scheme can also be programmed by trusted software.", "Hardware logic or trusted firmware can also check for region definitions and block programming of memory regions with overlapping addresses.", "The memory-access-control-check filter can also be designed to apply a policy filter to all of the overlapping ranges, i.e., if an address is within Region_0 and Region_1, then access to this address is only granted if both Region_0 and Region_1 policies allow the access."]}, "Effectiveness": "High"}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"Intro_Text": {"xhtml:p": ["For example, consider a design with a 16-bit address that has two software privilege levels: Privileged_SW and Non_privileged_SW. To isolate the system memory regions accessible by these two privilege levels, the design supports three memory regions: Region_0, Region_1, and Region_2.", "Each region is defined by two 32 bit registers: its range and its access policy.", "Certain bits of the access policy are defined symbolically as follows:", "For any requests from software, an address-protection filter checks the address range and access policies for each of the three regions, and only allows software access if all three filters allow access.", "Consider the following goals for access control as intended by the designer:", "The intention is that Non_privileged_SW cannot modify memory region and policies defined by Privileged_SW in Region_0 and Region_1. Thus, it cannot read or write the memory regions that Privileged_SW is using."], "xhtml:ul": [{"xhtml:li": ["Address_range[15:0]: specifies the Base address of the region", "Address_range[31:16]: specifies the size of the region", "Access_policy[31:0]: specifies what types of software can access a region and which actions are allowed"]}, {"xhtml:li": ["Access_policy.read_np: if set to one, allows reads from Non_privileged_SW", "Access_policy.write_np: if set to one, allows writes from Non_privileged_SW", "Access_policy.execute_np: if set to one, allows code execution by Non_privileged_SW", "Access_policy.read_p: if set to one, allows reads from Privileged_SW", "Access_policy.write_p: if set to one, allows writes from Privileged_SW", "Access_policy.execute_p: if set to one, allows code execution by Privileged_SW"]}, {"xhtml:li": ["Region_0 & Region_1: registers are programmable by Privileged_SW", "Region_2: registers are programmable by Non_privileged_SW"]}]}, "Example_Code": [{"@Nature": "Bad", "xhtml:p": "Non_privileged_SW can program the Address_range register for Region_2 so that its address overlaps with the ranges defined by Region_0 or Region_1. Using this capability, it is possible for Non_privileged_SW to block any memory region from being accessed by Privileged_SW, i.e., Region_0 and Region_1."}, {"@Nature": "Good", "#text": "Ensure that software accesses to memory regions are only permitted if all three filters permit access. Additionally, the scheme could define a memory region priority to ensure that Region_2 (the memory region defined by Non_privileged_SW) cannot overlap Region_0 or Region_1 (which are used by Privileged_SW)."}], "Body_Text": "This design could be improved in several ways."}, {"Intro_Text": "The example code below is taken from the IOMMU controller module of the HACK@DAC'19 buggy CVA6 SoC [REF-1338]. The static memory map is composed of a set of Memory-Mapped Input/Output (MMIO) regions covering different IP agents within the SoC. Each region is defined by two 64-bit variables representing the base address and size of the memory region (XXXBase and XXXLength).", "Body_Text": ["In this example, we have 12 IP agents, and only 4 of them are called out for illustration purposes in the code snippets. Access to the AES IP MMIO region is considered privileged as it provides access to AES secret key, internal states, or decrypted data.", "The vulnerable code allows the overlap between the protected MMIO region of the AES peripheral and the unprotected UART MMIO region. As a result, unprivileged users can access the protected region of the AES IP. In the given vulnerable example UART MMIO region starts at address 64'h1000_0000 and ends at address 64'h1011_1000 (UARTBase is 64'h1000_0000, and the size of the region is provided by the UARTLength of 64'h0011_1000).", "On the other hand, the AES MMIO region starts at address 64'h1010_0000 and ends at address 64'h1010_1000, which implies an overlap between the two peripherals' memory regions. Thus, any user with access to the UART can read or write the AES MMIO region, e.g., the AES secret key.", "To mitigate this issue, remove the overlapping address regions by decreasing the size of the UART memory region or adjusting memory bases for all the remaining peripherals. [REF-1339]"], "Example_Code": [{"@Nature": "Bad", "@Language": "Verilog", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "xhtml:b": ["localparam logic[63:0] UARTLength = 64'h0011_1000;", "localparam logic[63:0] AESLength = 64'h0000_1000;"], "#text": "localparam logic[63:0] PLICLength = 64'h03FF_FFFF;\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\tlocalparam logic[63:0] SPILength = 64'h0080_0000;"}, {"xhtml:br": null, "#text": "..."}, {"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null], "xhtml:b": ["UARTBase = 64'h1000_0000,", "AESBase = 64'h1010_0000,"], "#text": "...\n\t\t\t\t\t\t\t\tPLICBase = 64'h0C00_0000,\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tSPIBase = 64'h2000_0000,\n\t\t\t\t\t\t\t\t..."}, "#text": "typedef enum logic [63:0] {"}], "#text": "..."}}, {"@Nature": "Good", "@Language": "Verilog", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null], "xhtml:b": "localparam logic[63:0] UARTLength = 64'h0000_1000;", "#text": "localparam logic[63:0] PLICLength = 64'h03FF_FFFF;\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\tlocalparam logic[63:0] AESLength = 64'h0000_1000;\n\t\t\t\t\t\t\tlocalparam logic[63:0] SPILength = 64'h0080_0000;"}, {"xhtml:br": null, "#text": "..."}, {"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null], "#text": "...\n\t\t\t\t\t\t\t\tPLICBase = 64'h0C00_0000,\n\t\t\t\t\t\t\t\tUARTBase = 64'h1000_0000,\n\t\t\t\t\t\t\t\tAESBase = 64'h1010_0000,\n\t\t\t\t\t\t\t\tSPIBase = 64'h2000_0000,\n\t\t\t\t\t\t\t\t..."}, "#text": "typedef enum logic [63:0] {"}], "#text": "..."}}]}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2008-7096", "Description": "virtualization product allows compromise of hardware product by accessing certain remapping registers.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-7096"}, {"Reference": "[REF-1100]", "Description": "processor design flaw allows ring 0 code to access more privileged rings by causing a register window to overlap a range of protected system RAM [REF-1100]", "Link": "https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole-wp.pdf"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "456"}, {"@CAPEC_ID": "679"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-1100"}, {"@External_Reference_ID": "REF-1338"}, {"@External_Reference_ID": "REF-1339"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. More analysis is warranted."}}, "Content_History": {"Submission": {"Submission_Name": "Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi", "Submission_Organization": "Intel Corporation", "Submission_Date": "2020-02-10", "Submission_Version": "4.1", "Submission_ReleaseDate": "2020-02-24"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Demonstrative_Examples, Description, Modes_of_Introduction, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Maintenance_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Observed_Examples, Relationships, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Applicable_Platforms, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-06-28", "Modification_Version": "4.8", "Modification_ReleaseDate": "2022-06-28", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Demonstrative_Examples, Mapping_Notes, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Relationships"}], "Contribution": [{"@Type": "Feedback", "Contribution_Name": "Narasimha Kumar V Mangipudi", "Contribution_Organization": "Lattice Semiconductor", "Contribution_Date": "2021-10-20", "Contribution_Comment": "suggested content improvements"}, {"@Type": "Content", "Contribution_Name": "Hareesh Khattri", "Contribution_Organization": "Intel Corporation", "Contribution_Date": "2021-10-22", "Contribution_Comment": "suggested observed examples"}, {"@Type": "Content", "Contribution_Name": "Shaza Zeitouni, Mohamadreza Rostami, Pouya Mahmoody, Ahmad-Reza Sadeghi", "Contribution_Organization": "Technical University of Darmstadt", "Contribution_Date": "2023-06-21", "Contribution_Comment": "suggested demonstrative example"}, {"@Type": "Content", "Contribution_Name": "Rahul Kande, Chen Chen, Jeyavijayan Rajendran", "Contribution_Organization": "Texas A&M University", "Contribution_Date": "2023-06-21", "Contribution_Comment": "suggested demonstrative example"}]}}
