OpenXiangShan
cpe:2.3:a:openxiangshan:xiangshan:*:*:*:*:*:*:*
- <= 2024-11-28
A vulnerability in the XiangShan open-source RISC-V processor has been identified in the distributed Control and Status Register (CSR) write-enable path. The write enable is not properly gated on the legality of the access, so an illegal CSR write attempt can still modify the state of the custom Physical Memory Attribute (PMA) CSRs. Under the RISC-V privileged specification an illegal CSR access (for example a write from an insufficient privilege level, or to a CSR that is not implemented) must raise an illegal-instruction exception and must not change architectural state. In the affected XiangShan versions the exception is raised, but the write nevertheless propagates to the replicated PMA configuration state. A local attacker with code execution on the core can therefore alter memory-attribute enforcement without holding the privilege the CSR requires. Depending on how the platform relies on PMAs for security and isolation, the impact can include privilege escalation, information disclosure, or denial of service.
Exploitation also disrupts the expected handling of illegal-instruction exceptions for custom register accesses: because the replicated PMA state no longer matches the architectural CSR file, execution can be interrupted by exceptions the software did not expect, a mismatch between the processor's behaviour and the specification, which requires such illegal accesses to be trapped cleanly with no side effects.
The issue can be reproduced by executing an instruction sequence that performs illegal accesses to custom CSRs that are not properly defined in the XiangShan CSR map, including a write to a custom PMA CSR. The sequence is expected to trap with an illegal-instruction exception; on affected versions it does trap, but the illegal write to the PMA CSR still reaches the replicated PMA state and disturbs normal execution, leaving an exception that the software cannot handle consistently.
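To make the gating defect concrete, the following Python model (added here as an illustration; it is not XiangShan's RTL or any code from the project) contrasts a CSR write path that forwards the write enable to the replicated PMA state on address decode alone with one that ANDs the write enable with the access-legality check. The legality check follows the privileged specification's CSR address encoding (bits [9:8] give the minimum privilege level, bits [11:10] == 0b11 marks a read-only CSR) plus an implemented-CSR check. The CSR addresses `PMA_CFG0`/`PMA_ADDR0`, the number of replicas, and the helper names are assumptions for this model, not XiangShan's actual CSR map or signal names.

```python
from dataclasses import dataclass, field

# RISC-V privilege level encodings (specification values).
PRIV_U, PRIV_S, PRIV_M = 0, 1, 3

# Hypothetical custom PMA CSRs placed in the machine-level custom read/write
# CSR range 0x7C0-0x7FF. These addresses are assumptions for this model and
# are not XiangShan's real CSR map.
PMA_CFG0 = 0x7C0
PMA_ADDR0 = 0x7C1
PMA_CSRS = (PMA_CFG0, PMA_ADDR0)
NUM_REPLICAS = 2  # assumed: one PMA copy per memory-pipeline unit


class IllegalInstruction(Exception):
    """Models the illegal-instruction trap the privileged spec requires."""


def csr_min_priv(addr: int) -> int:
    # Spec: CSR address bits [9:8] encode the lowest privilege level allowed.
    return (addr >> 8) & 0x3


def csr_is_read_only(addr: int) -> bool:
    # Spec: CSR address bits [11:10] == 0b11 marks the CSR as read-only.
    return ((addr >> 10) & 0x3) == 0x3


def csr_write_legal(addr: int, priv: int) -> bool:
    # Implemented, sufficient privilege, and not read-only.
    return (addr in PMA_CSRS
            and priv >= csr_min_priv(addr)
            and not csr_is_read_only(addr))


@dataclass
class Core:
    gated: bool                 # True = fixed gating, False = vulnerable gating
    priv: int = PRIV_M
    csr_file: dict = field(default_factory=lambda: dict.fromkeys(PMA_CSRS, 0))
    replicas: list = field(default_factory=lambda: [
        dict.fromkeys(PMA_CSRS, 0) for _ in range(NUM_REPLICAS)])

    def csrw(self, addr: int, value: int) -> None:
        illegal = not csr_write_legal(addr, self.priv)
        # Central CSR file: updated only for a legal access in both variants.
        if not illegal:
            self.csr_file[addr] = value
        # Distributed write enable fanned out to the PMA replicas. The fixed
        # variant gates it on legality; the vulnerable variant derives it from
        # address decode alone, so an illegal write still lands in the replicas.
        if self.gated:
            wen = not illegal
        else:
            wen = addr in PMA_CSRS  # no legality gate: the modelled defect
        if wen:
            for replica in self.replicas:
                replica[addr] = value
        if illegal:
            raise IllegalInstruction(f"csr {addr:#05x} write at priv {self.priv}")

    def replicas_consistent(self) -> bool:
        # Architectural invariant: every replica mirrors the central CSR file.
        return all(r == self.csr_file for r in self.replicas)


def attempt_write(gated: bool, priv: int, addr: int, value: int):
    """Perform one CSR write on a fresh core.

    Returns (trapped, central value, per-replica values, replicas consistent).
    """
    core = Core(gated=gated, priv=priv)
    trapped = False
    try:
        core.csrw(addr, value)
    except IllegalInstruction:
        trapped = True
    return (trapped,
            core.csr_file.get(addr),
            [r.get(addr) for r in core.replicas],
            core.replicas_consistent())


if __name__ == "__main__":
    # S-mode write to an M-mode custom PMA CSR: traps in both variants, but
    # only the vulnerable variant leaves modified replicas behind.
    print("vulnerable:", attempt_write(False, PRIV_S, PMA_CFG0, 0x1F))
    print("fixed:     ", attempt_write(True, PRIV_S, PMA_CFG0, 0x1F))
```

The observable symptom matches the advisory: in the vulnerable variant the trap fires and the architectural CSR file stays at its old value, yet the replicas now hold the attacker's value, so `replicas_consistent()` is false and later memory accesses are checked against PMA state the privileged software never authorised. A hardware test for the real core follows the same shape: run the write from a lower privilege level, confirm `mcause` reports an illegal instruction, then read back the PMA CSR from M-mode and probe the affected region to confirm the attribute check still reflects the pre-write configuration.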
The vulnerability has been addressed in a recent commit that gates the distributed CSR write enable on the legality of the access. Users should update to the latest version of XiangShan to apply the fix.