Executive Summary

This vulnerability exists in NEMU's implementation of the RISC-V Hypervisor Control and Status Registers (CSRs). Specifically, bits 4 to 7 of the hypervisor environment configuration register (henvcfg) are incorrectly masked or updated based on the machine environment configuration register (menvcfg). This means that when machine-mode code writes to menvcfg, it can unintentionally modify the hypervisor's environment configuration (henvcfg).

Because of this incorrect linkage, the enforcement of virtualization configuration can be incorrect, potentially causing unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to incorrect enforcement of virtualization settings in a RISC-V hypervisor environment. This may cause unexpected traps or denial of service conditions when cache-block management instructions are executed in virtualized contexts.

In practical terms, this could disrupt the normal operation of virtual machines running on affected systems, potentially causing instability or service interruptions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves incorrect masking and updating of the henvcfg CSR fields based on menvcfg in the NEMU RISC-V hypervisor implementation. Detection would require inspecting the values of the henvcfg and menvcfg CSRs to identify if changes to menvcfg implicitly modify henvcfg fields incorrectly.

Since this is a low-level hardware/firmware issue related to Control and Status Registers (CSRs) in machine mode, detection commands would involve reading these CSRs on the affected system.

• Use RISC-V privileged instructions or a debugger to read the menvcfg and henvcfg CSRs and compare bits 4 to 7.
• For example, in a RISC-V environment with access to machine mode CSRs, use assembly instructions like `csrr` to read the registers: `csrr t0, menvcfg` and `csrr t1, henvcfg`.
• Check if writing to menvcfg changes bits 4 to 7 of henvcfg unexpectedly, which indicates the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying patches or updates that decouple the henvcfg CSR fields from menvcfg, preventing implicit modification.

Specifically, the fix merged in the OpenXiangShan/NEMU repository (pull request #689) corrects the dependency between henvcfg and menvcfg, ensuring that CBIE, CBCFE, and CBZE fields in henvcfg are independent.

Therefore, updating your NEMU hypervisor to include this fix (merged on November 27, 2024) is the recommended immediate step.

Additionally, avoid running untrusted code in virtualized contexts until the fix is applied, as the vulnerability can cause unexpected traps or denial of service.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0