OpenXiangShan
cpe:2.3:a:openxiangshan:xiangshan:*:*:*:*:*:*:*
- <= edb1dfaf7d290ae99724594507dc46c2c2125384
A vulnerability exists in the XiangShan open-source RISC-V processor, specifically in the CSR subsystem (NewCSR), as of commit edb1dfaf7d290ae99724594507dc46c2c2125384. The issue stems from improper handling of exceptional conditions, where certain sequences of CSR operations targeting non-existent or custom CSR addresses can trigger an illegal-instruction exception. However, the processor fails to consistently transfer control to the designated trap handler, disrupting the control flow and potentially leaving the core in a hung or unrecoverable state. This vulnerability can be exploited by a local attacker with the ability to execute code on the processor, leading to a denial-of-service condition and possibly an inconsistent architectural state.
Exploitation of this vulnerability causes a denial-of-service condition, with the processor hanging and failing to recover, potentially leaving the architectural state inconsistent.
The vulnerability can be reproduced by executing a sequence of CSR operations that target non-existent or custom CSR addresses. This sequence should trigger an illegal-instruction exception, which will not be properly handled, causing the processor to hang. The issue can be tested using the 'ill-test.zip' testcase, which is available in the 'XiangShan' repository.
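A reference check for the trap entry that should follow such an access, as an added example (not code from the XiangShan project or this advisory): it models M-mode illegal-instruction trap entry per the RISC-V privileged specification and reports a hang or a state mismatch in a simulation run. The `Hart` record, the function names and the sample values are hypothetical, and the model assumes the exception is not delegated (medeleg bit 2 clear).

```python
from dataclasses import dataclass, replace

ILLEGAL_INSTRUCTION = 2                   # mcause exception code
MIE, MPIE, MPP = 1 << 3, 1 << 7, 3 << 11  # mstatus fields

@dataclass(frozen=True)
class Hart:                               # hypothetical snapshot of one hart
    pc: int
    priv: int                             # 0 = U, 1 = S, 3 = M
    mstatus: int
    mtvec: int
    mepc: int = 0
    mcause: int = 0
    mtval: int = 0

def expected_trap(pre: Hart, insn: int) -> Hart:
    """State required after `insn` at pre.pc raises illegal-instruction."""
    mstatus = pre.mstatus & ~(MIE | MPIE | MPP)
    if pre.mstatus & MIE:
        mstatus |= MPIE                   # MPIE <- old MIE, MIE <- 0
    mstatus |= pre.priv << 11             # MPP <- privilege before the trap
    return replace(pre, pc=pre.mtvec & ~3,  # exceptions always enter at BASE
                   priv=3, mstatus=mstatus, mepc=pre.pc,
                   mcause=ILLEGAL_INSTRUCTION, mtval=insn)

def check_trap(pre: Hart, insn: int, observed):
    """Compare the DUT state at its next commit (None = no commit) to the model."""
    if observed is None:
        return ["no trap entry observed: hart made no further progress"]
    want = expected_trap(pre, insn)
    errors = [f"{f}: got {getattr(observed, f):#x}, want {getattr(want, f):#x}"
              for f in ("pc", "priv", "mstatus", "mepc", "mcause")
              if getattr(observed, f) != getattr(want, f)]
    if observed.mtval not in (0, insn):   # spec allows the instruction bits or zero
        errors.append(f"mtval: got {observed.mtval:#x}")
    return errors

if __name__ == "__main__":
    # Constructed sample: csrr a0, 0x8ff (custom-range address) executed in M-mode.
    insn = 0x8FF02573
    pre = Hart(pc=0x80000040, priv=3, mstatus=MIE, mtvec=0x80000101)
    good = expected_trap(pre, insn)
    print(check_trap(pre, insn, good))                          # conforming core
    print(check_trap(pre, insn, replace(good, pc=0x80000044)))  # fell through
    print(check_trap(pre, insn, None))                          # hung core
```

An empty list means the core entered the trap handler as the specification requires; any entry is a regression to investigate before taping out or deploying the build.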
The vulnerability has been fixed in a subsequent commit. Users should update to the latest version of the XiangShan processor.