RISC-V BOOM SonicBOOM Store Access Fault Vulnerability in Virtual Memory Management
Vulnerability
A vulnerability has been identified in the RISC-V BOOM SonicBOOM 1.2 processor implementation: in SV39 mode, store instructions that use a valid virtual-to-physical translation with write permission incorrectly trigger a Store/AMO access fault. The fault occurs even though the page table entries are correct and the access is made in a permitted privilege mode; it appears when the processor transitions into virtual memory and performs a store to mapped kernel memory. This points to a flaw in the memory management unit, the physical memory protection logic, or the memory access enforcement logic. The vulnerability may lead to unexpected kernel panics or denial-of-service conditions on affected systems.
Impact
Exploitation of this vulnerability causes unexpected Store/AMO access faults during store operations in mapped kernel memory, after transitioning into virtual memory. This behavior disrupts normal processing and can trigger kernel panics, leading to system instability and potential denial-of-service conditions.
Reproduction
The vulnerability can be reproduced by transitioning from machine mode to supervisor mode with paging enabled, while the page table is configured to allow write permissions in kernel memory. This can be done using a test program that performs store operations under these conditions. The execution log will show the fault being triggered, indicating a mismatch between the expected and actual behavior of the processor.
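As an added reference model, not part of this advisory or of the BOOM project, the following Python sketches the SV39 page-table walk and permission check that the RISC-V privileged specification defines for a supervisor-mode store: a leaf PTE with V, R, W, A and D set must translate without any fault, which is the behaviour the report says SonicBOOM 1.2 violates. The page-table layout, physical addresses and in-memory tables are constructed for illustration and assume hardware does not update A/D bits.

```python
PAGE = 4096
PTE_V, PTE_R, PTE_W, PTE_X, PTE_U, PTE_A, PTE_D = 1, 2, 4, 8, 16, 64, 128

def pte(ppn, flags):
    """Build an SV39 PTE: PPN in bits 53:10, flag bits in 7:0."""
    return (ppn << 10) | flags

class Sv39:
    """Three-level SV39 walk; mem maps 8-byte-aligned physical addresses to PTEs."""
    def __init__(self, mem, root_ppn):
        self.mem, self.root_ppn = mem, root_ppn

    def translate(self, va, access, priv="S", sum_bit=False):
        """Return ('ok', pa) or ('page_fault', reason); access is load/store/fetch."""
        if (va >> 38) not in (0, (1 << 26) - 1):          # bits 63:38 must all equal bit 38
            return ("page_fault", "non-canonical VA")
        table = self.root_ppn * PAGE
        for level in (2, 1, 0):
            entry = self.mem.get(table + ((va >> (12 + 9 * level)) & 0x1FF) * 8, 0)
            if not entry & PTE_V or (entry & PTE_W and not entry & PTE_R):
                return ("page_fault", "invalid PTE")
            ppn = entry >> 10
            if not entry & (PTE_R | PTE_X):               # non-leaf: descend one level
                table = ppn * PAGE
                continue
            if ppn & ((1 << (9 * level)) - 1):            # superpage must be aligned
                return ("page_fault", "misaligned superpage")
            if (priv == "S" and entry & PTE_U and not sum_bit) or (priv == "U" and not entry & PTE_U):
                return ("page_fault", "privilege mismatch")
            need = {"load": PTE_R, "store": PTE_W, "fetch": PTE_X}[access]
            if not entry & need:
                return ("page_fault", f"{access} not permitted")
            if not entry & PTE_A or (access == "store" and not entry & PTE_D):
                return ("page_fault", "A/D bit clear")   # assumes no hardware A/D update
            return ("ok", (ppn << 12) | (va & ((1 << (12 + 9 * level)) - 1)))
        return ("page_fault", "no leaf found")

def build_sample_tables():
    """Constructed tables: root at PA 0x8000_0000, one RW and one RO kernel gigapage."""
    root = 0x80000 * PAGE
    mem = {
        root + 0x100 * 8: pte(0x80000, PTE_V | PTE_R | PTE_W | PTE_A | PTE_D),  # RW kernel
        root + 0x101 * 8: pte(0xC0000, PTE_V | PTE_R | PTE_A),                  # read-only
    }
    return Sv39(mem, 0x80000)

def supervisor_store(va):
    """Outcome the spec requires for an S-mode store at va under the sample tables."""
    return build_sample_tables().translate(va, "store")
```

Note that a PTE check failing in this model raises a store page fault, whereas a Store/AMO access fault is raised by the PMP/PMA checks on the translated physical address; the model covers only the PTE side, so the access fault reported here would have to come from that later stage.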