Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

RISC-V Rocket-Chip Privilege Retention Vulnerability in SRET Instruction

Vulnerability

A vulnerability exists in RISC-V Rocket-Chip versions through 1.6, where the SRET (Supervisor-mode Exception Return) instruction improperly manages the processor's privilege level. Instead of transitioning from Machine-mode (M-mode) to Supervisor-mode (S-mode) as required, the processor erroneously remains in M-mode. This flaw creates a significant privilege retention vulnerability.

Impact

Exploitation of this vulnerability allows for improper privilege level management, potentially leading to unauthorized access or control at a higher privilege level than intended.

Reproduction

The vulnerability can be reproduced in the Rocket Chip Verilator simulation environment. After setting up the Rocket Chip repository and its dependencies, run a simulation that exercises the faulty SRET instruction handling. The reproduction tools are provided in the same GitHub repository where this vulnerability is disclosed.
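To make the expected behaviour concrete, the following added example (not code from the Rocket Chip project or from the disclosure repository) models the privilege and status-bit update that the RISC-V privileged specification defines for SRET and compares it with a hart state sampled after the instruction retires. The `hart_state` record, the function names and the sample values are hypothetical; the bit positions and privilege encodings are those of the privileged specification, and the instruction is assumed to retire without trapping.

```c
#include <stdint.h>
#include <stdio.h>

/* Privilege encodings and status-bit positions from the RISC-V privileged spec. */
enum priv { PRIV_U = 0, PRIV_S = 1, PRIV_M = 3 };
#define ST_SIE  (1u << 1)   /* supervisor interrupt enable */
#define ST_SPIE (1u << 5)   /* previous supervisor interrupt enable */
#define ST_SPP  (1u << 8)   /* previous privilege: 0 = U, 1 = S */
#define ST_MODELLED (ST_SIE | ST_SPIE | ST_SPP)

/* Hypothetical record: hart state sampled just before or after one SRET. */
struct hart_state { enum priv priv; uint32_t status; };

enum sret_verdict { SRET_OK, SRET_PRIV_RETAINED, SRET_STATE_MISMATCH };

/* Reference model: state after SRET retires (assumes no trap was taken).
 * Only the privilege mode and SIE/SPIE/SPP are modelled. */
struct hart_state sret_expected(struct hart_state before)
{
    struct hart_state after = before;
    after.priv = (before.status & ST_SPP) ? PRIV_S : PRIV_U; /* never M */
    after.status &= ~ST_MODELLED;
    if (before.status & ST_SPIE)
        after.status |= ST_SIE;      /* SIE <- SPIE */
    after.status |= ST_SPIE;         /* SPIE <- 1, SPP <- U (left cleared) */
    return after;
}

/* Compare an observed post-SRET state against the reference model. */
enum sret_verdict check_sret(struct hart_state before, struct hart_state observed)
{
    struct hart_state want = sret_expected(before);
    if (observed.priv > want.priv)
        return SRET_PRIV_RETAINED;   /* e.g. still M when S or U was required */
    if (observed.priv != want.priv ||
        ((observed.status ^ want.status) & ST_MODELLED))
        return SRET_STATE_MISMATCH;
    return SRET_OK;
}

int main(void)
{
    /* Constructed sample: M-mode executes SRET with SPP = S, SPIE = 1. */
    struct hart_state before = { PRIV_M, ST_SPP | ST_SPIE };
    struct hart_state faulty = { PRIV_M, ST_SIE | ST_SPIE }; /* mode unchanged */
    printf("correct core: %d\n", check_sret(before, sret_expected(before)));
    printf("faulty core:  %d\n", check_sret(before, faulty));
    return 0;
}
```

A check of this kind can be run over privilege and status values extracted from a simulation trace to confirm whether a given build is affected or a fix holds.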

Added: Nov 10, 2025, 8:17 PM
Updated: Nov 10, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.5
remediation: 0.0
relevance: 1.0
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.