OpenXiangShan NEMU Privilege Boundary Violation Vulnerability in RVH Mode

A vulnerability exists in OpenXiangShan NEMU versions prior to 55295c4, when the RVH (Hypervisor extension) is enabled. In this scenario, a virtual supervisor (VS-mode) guest can incorrectly write to the supervisor interrupt-enable CSR (sie), which may unintentionally affect the machine-level interrupt enable state (mie). This mismanagement disrupts proper privilege and virtualization isolation, potentially leading to a denial-of-service condition or a violation of privilege boundaries in environments that depend on NEMU for accurate interrupt virtualization.

Impact

Exploiting this vulnerability can cause a privilege-boundary violation, allowing a VS-mode guest to improperly influence machine-level interrupt settings, which can disrupt normal operation and cause a denial-of-service condition.

Reproduction

To reproduce this vulnerability, first ensure that NEMU is running with the RVH hypervisor extension enabled. Then, execute a command to write to the 'sie' CSR from a VS-mode guest. After this, check the 'mie' CSR value. The 'mie' register should remain unchanged, but it will reflect the modification made to 'sie', indicating a mismatch in the expected behavior.

Remediation

Users can update to the latest version of OpenXiangShan NEMU, where this issue has been fixed.