XiangShan Privileged CSR Operation Vulnerability Causes Unexpected WPRI Field Modification in xstatus

Vulnerability

A vulnerability exists in certain XiangShan versions: a local attacker who can execute privileged CSR operations can cause an unexpected modification of a WPRI (Reserved Writes Preserve Values, Reads Ignore Values) field in the xstatus register. The issue is triggered by accessing the menvcfg register in M-mode; afterwards a field in xstatus that the RISC-V privileged specification requires to be preserved across such operations has changed. Because menvcfg is an M-mode-only CSR, triggering the defect requires code already running at machine level (for example firmware), which bounds the practical exposure. The reference simulators NEMU and Spike do not exhibit this behavior, which is how the divergence was detected.

Impact

Triggering the defect leaves the WPRI field of xstatus with an unexpected value. Software and differential-test harnesses rely on the architectural guarantee that reserved xstatus bits are preserved, so the core's privilege management and trap handling can diverge from the reference model once that guarantee is broken.

Reproduction

The vulnerability can be reproduced with crafted reads and writes to the menvcfg register while in M-mode. The triggering test case exercises the interaction between menvcfg.DTE and the SDT field of xstatus. sstatus is a restricted view of mstatus, so sstatus.SDT and mstatus.SDT denote the same underlying bit. When menvcfg.DTE is enabled, the write to SDT is accepted and propagates into mstatus in a way that differs from the reference simulators, contrary to the expected behavior.
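The following bare-metal RV64 M-mode test is an added example, not a test case from the advisory or from the XiangShan repository. It pins down the menvcfg.DTE / sstatus.SDT interaction described above and checks that nothing but the SDT bit of mstatus ever moves. Bit positions follow the ratified Ssdbltrp extension as the author understands it (menvcfg.DTE = bit 59, mstatus/sstatus.SDT = bit 24) and should be verified against the specification version the core targets; the convention that a0 reports the result (0 = pass, otherwise the failing step) and the harness that collects it are assumptions, as is a core that implements Ssdbltrp (on a core without it, DTE is hardwired to zero and step 3 degenerates into a repeat of step 2).

```asm
# Added example: differential-style check for the menvcfg.DTE / SDT
# interaction. Runs in M-mode on an RV64 core; result in a0.
# Assumed bit positions (Ssdbltrp): menvcfg.DTE = 59, xstatus.SDT = 24.

    .section .text
    .globl _start
_start:
    # Step 1: baseline. Clear DTE so Ssdbltrp is disabled for S-mode.
    li   t0, 1 << 59           # menvcfg.DTE (assumption: bit 59)
    csrc menvcfg, t0
    csrr s0, mstatus           # mstatus before any SDT write

    # Step 2: with DTE = 0 the spec makes SDT read-only zero (assumption,
    # verify against your spec copy), so this write must be ignored and
    # mstatus must read back bit-for-bit identical.
    li   t1, 1 << 24           # sstatus.SDT / mstatus.SDT (assumption: bit 24)
    csrs sstatus, t1
    csrr s1, mstatus
    li   a0, 1
    bne  s0, s1, fail          # any change at all is a defect

    # Step 3: enable DTE and repeat the write. SDT may now legitimately
    # change, but only bit 24: every other mstatus bit, WPRI bits
    # included, must be preserved. This is the check that catches a
    # write bleeding into a reserved field.
    csrs menvcfg, t0
    csrr s0, mstatus
    csrs sstatus, t1
    csrr s1, mstatus
    xor  s2, s0, s1            # bits that changed between the two reads
    not  t2, t1                # mask: everything except SDT
    and  s2, s2, t2
    li   a0, 2
    bnez s2, fail              # a non-SDT bit moved: WPRI violation

    # Step 4: clear SDT first, then clear DTE, and check that the menvcfg
    # access itself leaves mstatus untouched.
    csrc sstatus, t1
    csrr s0, mstatus
    csrc menvcfg, t0
    csrr s1, mstatus
    li   a0, 3
    bne  s0, s1, fail

    li   a0, 0                 # all checks passed
fail:
    # a0 holds 0 or the failing step. On a differential harness that
    # compares architectural state against NEMU or Spike, the mismatch
    # in mstatus (and a0) surfaces here.
    j    .                     # park the hart for the harness
```

Assemble it with the RISC-V GNU toolchain (CSR instructions need `_zicsr` in `-march` on recent binutils) and link it as the bare-metal payload your harness loads; running the same binary on the core under test and on the reference simulator, then diffing the final register file, reproduces the comparison the advisory describes.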

Remediation

Update to the latest XiangShan release, in which this issue has been addressed. Until then, differential testing against NEMU or Spike with M-mode CSR sequences that touch menvcfg is the practical way to confirm whether a given build is affected.

Added: Apr 20, 2026, 9:37 PM
Updated: Apr 20, 2026, 9:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.7
remediation: 0.0
relevance: 6.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.