Chipsalliance Rocket-Chip Exception Handling Vulnerability in CSR Logic
Vulnerability
A vulnerability exists in Chipsalliance Rocket-Chip in the Control and Status Register (CSR) logic, specifically in commit f517abb. This vulnerability allows for the corruption of exception handling and privilege state transitions. The issue arises from a flawed interaction between the exception handling mechanism and the MRET return process. When MRET is executed in machine mode without an active exception, it can trigger an Instruction Access Fault. This fault causes both the exception handling and return logic to activate simultaneously, leading to conflicting updates in the control and status registers. As a result, the exception handling flow is disrupted, causing improper execution of exception-related tasks, such as saving interrupt states.
Impact
The vulnerability causes faulty trap behavior by disrupting the exception handling flow, in particular how the MPIE bit of mstatus captures the MIE state on trap entry, leading to violations of the RISC-V Privileged Architecture Specification.
Reproduction
The vulnerability can be reproduced by executing the MRET instruction in machine mode while not in an exception state. This sequence triggers an Instruction Access Fault, which activates both the exception handling and return logic at the same time, causing a conflict in the control and status registers.
Remediation
To address this vulnerability, exception-triggering checks should be added to the MRET return logic to ensure that the return process only occurs when no exceptions are active.
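The following is an added reference model, written for this advisory and not taken from the Rocket-Chip RTL, that shows the collision described above and the effect of the remediation. It models only the mstatus/mepc/mcause/pc updates the privileged specification prescribes for trap entry and for MRET; the assumption that the return block's writes land after the trap block's writes when both fire in one cycle is a modelling choice, not something the page states about the RTL. `csr_cycle`, `trap_violations` and `run_scenario` are hypothetical names introduced here.

```python
from dataclasses import dataclass

# Privilege levels and the mcause code for an instruction access fault
# (both from the RISC-V privileged spec).
PRV_U, PRV_M = 0, 3
CAUSE_FETCH_ACCESS = 1


@dataclass
class CsrState:
    """Subset of M-mode CSR state touched by traps and MRET (constructed sample values)."""
    prv: int = PRV_M        # current privilege level
    mie: int = 1            # mstatus.MIE
    mpie: int = 0           # mstatus.MPIE
    mpp: int = PRV_U        # mstatus.MPP
    mepc: int = 0
    mcause: int = 0
    mtvec: int = 0x8000_0000
    pc: int = 0x1000


def take_trap(s: CsrState, cause: int) -> None:
    """Trap entry into M-mode as the privileged spec describes it."""
    s.mpie = s.mie          # MPIE must capture the interrupted MIE
    s.mie = 0               # interrupts disabled while in the handler
    s.mpp = s.prv           # remember the privilege level we came from
    s.prv = PRV_M
    s.mepc = s.pc
    s.mcause = cause
    s.pc = s.mtvec


def do_mret(s: CsrState) -> None:
    """MRET as the privileged spec describes it."""
    s.mie = s.mpie
    s.mpie = 1
    s.prv = s.mpp
    s.mpp = PRV_U
    s.pc = s.mepc


def csr_cycle(s: CsrState, *, exception: bool, mret: bool,
              cause: int = CAUSE_FETCH_ACCESS, gate_mret: bool = True) -> CsrState:
    """One cycle of the CSR update logic.

    Assumption (not from Rocket-Chip): when the trap block and the return block
    both fire in one cycle, the return block's writes land last.
    gate_mret=False reproduces the flawed behaviour the advisory describes;
    gate_mret=True applies the remediation: MRET only takes effect when no
    exception is being raised in the same cycle.
    """
    if exception:
        take_trap(s, cause)
    if mret and (not exception or not gate_mret):
        do_mret(s)
    return s


def trap_violations(before: CsrState, after: CsrState) -> list:
    """Spec checks that must hold after a trap was taken from state `before`."""
    expected = {
        "mpie": before.mie, "mie": 0, "mpp": before.prv, "prv": PRV_M,
        "mepc": before.pc, "mcause": CAUSE_FETCH_ACCESS, "pc": before.mtvec,
    }
    return [f"{k}: expected {v}, got {getattr(after, k)}"
            for k, v in expected.items() if getattr(after, k) != v]


def run_scenario(initial_mie: int, gate_mret: bool) -> list:
    """MRET executed in M-mode with no pending trap, colliding with an
    instruction access fault in the same cycle (the advisory's reproduction).
    Returns the list of spec violations, empty when the trap was handled correctly."""
    before = CsrState(mie=initial_mie)
    after = csr_cycle(CsrState(mie=initial_mie), exception=True, mret=True,
                      gate_mret=gate_mret)
    return trap_violations(before, after)


if __name__ == "__main__":
    for mie in (0, 1):
        print(f"MIE={mie} flawed:", run_scenario(mie, gate_mret=False) or "spec OK")
        print(f"MIE={mie} fixed: ", run_scenario(mie, gate_mret=True) or "spec OK")
```

Running the ungated model with MIE=0 shows MPIE ending up as 1 instead of the interrupted MIE value, and with MIE=1 shows MIE left enabled inside the handler; in both cases MPP and the pc are also wrong because the return path overwrote the trap entry. With the gate in place only the trap block's writes survive and all checks pass, which is the property a directed test for this fix should assert in the real RTL.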
