Executive Summary

In OpenXiangShan NEMU, when the Smstateen feature is enabled, clearing the mstateen0.ENVCFG register does not properly restrict access to the henvcfg and senvcfg control and status registers (CSRs).

This flaw allows less-privileged code to read or write these CSRs without triggering the required exceptions, which means that the intended isolation controls based on state-enable settings can be bypassed in virtualized or multi-privilege environments.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow less-privileged code to access or modify critical control registers that should be protected.

As a result, it may lead to bypassing isolation mechanisms designed to separate different privilege levels or virtualized environments, potentially enabling unauthorized access or control over system resources.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows less-privileged code to read or write certain Control and Status Registers (CSRs) without the required exception, potentially bypassing intended isolation controls in virtualized or multi-privilege environments.

This unauthorized access could undermine security controls that are critical for protecting sensitive data and maintaining system integrity, which are essential aspects of compliance with standards such as GDPR and HIPAA.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying whether access to the henvcfg and senvcfg CSRs is improperly allowed when the ENVCFG bit in the mstateen0 register is cleared and the system is in mode=1.

A practical detection method involves clearing the ENVCFG bit in mstateen0, setting mode=1, and then attempting to access the xenvcfg registers. According to the RISC-V specification, such access should trigger an illegal instruction exception if the vulnerability is not present.

• Clear the ENVCFG bit in mstateen0.
• Set the system mode to 1.
• Attempt to read or write to henvcfg, henvcfgh, or senvcfg CSRs.
• Check if the access triggers an illegal instruction exception as expected.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the fixes that correct the access control issues related to the Smstateen extension in OpenXiangShan and NEMU.

Specifically, update your system to include the patches that:

• Correct the access checks for custom CSRs when Smstateen is enabled.
• Ensure that clearing the ENVCFG bit in mstateen0 properly restricts access to henvcfg and senvcfg CSRs.
• Remove incorrect illegal instruction checks that interfere with proper privilege-level access enforcement.
• Add missing access checks for related CSRs such as stopi in the AIA module.

These fixes have been implemented in recent commits in the OpenXiangShan and NEMU repositories and verified by continuous integration tests.

Until patches are applied, restrict access to affected systems and avoid enabling Smstateen with ENVCFG cleared in production environments.

Useful 0 Not Useful 0