OpenXiangShan NEMU Smstateen Extension Access Control Vulnerability
Vulnerability
A vulnerability exists in OpenXiangShan NEMU's implementation of the Smstateen extension. When Smstateen is enabled, the 'ENVCFG' bit (bit 62) of the 'mstateen0' register is supposed to gate access to the 'henvcfg' and 'senvcfg' control and status registers (CSRs): with the bit clear, any read or write of those CSRs from a privilege mode below machine mode must raise an illegal instruction exception. NEMU does not enforce this check, so less-privileged code can read from or write to these CSRs without the required exception, circumventing the state-enable isolation controls that machine-mode firmware relies on in virtualized or multi-privilege environments.
Impact
Supervisor-level or guest code can read and modify the 'senvcfg' and 'henvcfg' CSRs even when machine-mode firmware has explicitly withheld access by clearing 'mstateen0.ENVCFG'. Because the access succeeds silently instead of trapping, the firmware cannot observe or intercept it, so the intended isolation between privilege levels is bypassed.
Reproduction
To reproduce this vulnerability, first ensure that the Smstateen extension is enabled. Then clear the 'ENVCFG' bit in the 'mstateen0' register and run with the privilege mode set to 1 (supervisor mode). From that mode, attempt to read or write the 'senvcfg' or 'henvcfg' CSR (for example with a CSR read or write instruction). Per the Smstateen specification the access must trigger an illegal instruction exception; due to the vulnerability, NEMU completes the access instead.
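The following C model, added here as an illustration and not taken from NEMU's source, contrasts a CSR permission check that omits the Smstateen rule (the behaviour the advisory describes) with one that enforces it, and walks through the reproduction steps above against both. The 'struct hart', function names and the 'repro_passes' harness are hypothetical; the CSR addresses, the privilege-mode encoding and the ENVCFG bit position are those of the RISC-V privileged and Smstateen specifications.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CSR addresses from the RISC-V privileged and Smstateen specifications. */
#define CSR_SENVCFG   0x10A
#define CSR_HENVCFG   0x60A
#define CSR_MSTATEEN0 0x30C

/* mstateen0 bit 62 (ENVCFG) gates henvcfg/senvcfg for modes below M. */
#define MSTATEEN0_ENVCFG (1ULL << 62)

/* Privilege mode encoding: 0 = U, 1 = S/HS, 3 = M. */
enum { PRV_U = 0, PRV_S = 1, PRV_M = 3 };

/* Outcome of the permission check. */
enum csr_access { CSR_ALLOWED = 0, CSR_ILLEGAL_INSTRUCTION = 1 };

/* Hypothetical minimal hart state for this example (not NEMU's structures). */
struct hart {
    bool     smstateen;   /* Smstateen extension enabled */
    uint64_t mstateen0;   /* current mstateen0 value (RV64 layout) */
    int      priv;        /* current privilege mode */
};

static bool is_envcfg_csr(uint16_t csr) {
    return csr == CSR_SENVCFG || csr == CSR_HENVCFG;
}

/* Behaviour the advisory describes: ENVCFG is never consulted, so the
   access always goes through. (Other CSR checks are out of scope here.) */
enum csr_access check_vulnerable(const struct hart *h, uint16_t csr) {
    (void)h; (void)csr;
    return CSR_ALLOWED;
}

/* Spec-conforming check: with Smstateen enabled, mstateen0.ENVCFG == 0 and
   the hart below M-mode, any access to senvcfg/henvcfg must trap with an
   illegal instruction exception. M-mode is never gated by mstateen0. */
enum csr_access check_fixed(const struct hart *h, uint16_t csr) {
    if (!is_envcfg_csr(csr)) return CSR_ALLOWED;
    if (h->priv == PRV_M)    return CSR_ALLOWED;
    if (h->smstateen && !(h->mstateen0 & MSTATEEN0_ENVCFG))
        return CSR_ILLEGAL_INSTRUCTION;
    return CSR_ALLOWED;
}

/* Convenience wrapper so individual cases can be checked with literals. */
enum csr_access check_fixed_state(bool smstateen, uint64_t mstateen0,
                                  int priv, uint16_t csr) {
    struct hart h = { .smstateen = smstateen, .mstateen0 = mstateen0, .priv = priv };
    return check_fixed(&h, csr);
}

/* Runs the advisory's reproduction steps against a checker and returns
   true only if the checker behaves as the specification requires. */
bool repro_passes(enum csr_access (*check)(const struct hart *, uint16_t)) {
    /* Steps 1-2: Smstateen on, ENVCFG cleared, privilege mode 1 (S-mode). */
    struct hart h = { .smstateen = true, .mstateen0 = 0, .priv = PRV_S };
    /* Step 3: accessing senvcfg or henvcfg must raise illegal instruction. */
    if (check(&h, CSR_SENVCFG) != CSR_ILLEGAL_INSTRUCTION) return false;
    if (check(&h, CSR_HENVCFG) != CSR_ILLEGAL_INSTRUCTION) return false;
    /* Control case: once firmware sets ENVCFG, the access is allowed again. */
    h.mstateen0 |= MSTATEEN0_ENVCFG;
    if (check(&h, CSR_SENVCFG) != CSR_ALLOWED) return false;
    return true;
}

int main(void) {
    printf("vulnerable checker passes repro: %s\n",
           repro_passes(check_vulnerable) ? "yes" : "no");
    printf("fixed checker passes repro: %s\n",
           repro_passes(check_fixed) ? "yes" : "no");
    return 0;
}
```

The model only covers the Smstateen rule; a real emulator also applies the ordinary CSR privilege-encoding check (U-mode cannot touch an S-level CSR regardless of mstateen0) and, when the hypervisor extension is present, the corresponding 'hstateen0' gating for guest modes, neither of which this example reproduces.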
Remediation
The issue has been fixed in the OpenXiangShan NEMU repository. Users should update to a version that includes the fix and confirm that, with Smstateen enabled and 'mstateen0.ENVCFG' clear, supervisor-mode accesses to 'senvcfg' and 'henvcfg' now raise an illegal instruction exception.
