NEMU RISC-V Hypervisor CSR Handling Vulnerability Allows Unauthorized Modification of Virtualization Configuration
Vulnerability
A vulnerability exists in NEMU's RISC-V hypervisor-extension handling of control and status registers (CSRs), specifically in the management of the `henvcfg` and `menvcfg` environment-configuration registers. Some fields of `henvcfg` are tied to the corresponding fields of `menvcfg`, so a machine-mode write to `menvcfg` silently changes the hypervisor's configuration for VS/VU-mode guests. The privileged specification does not link the two registers this way: `menvcfg` is owned by M-mode firmware and governs HS/U mode, `henvcfg` is owned by the HS-mode hypervisor and governs VS/VU mode, and the only spec-defined dependency is that a few `henvcfg` bits (for example PBMTE and STCE) read as zero while the matching `menvcfg` bit is clear. Because the affected fields control the cache-block management instructions (the `cbo.*` family), the flaw undermines the hypervisor's enforcement of which of those instructions a guest may execute and can produce unexpected traps or denial-of-service conditions when they run in a virtualized environment.
Impact
An M-mode write to `menvcfg` that is unrelated to the guest (firmware enabling or disabling a feature for HS mode) overwrites the hypervisor's `henvcfg` settings. Two outcomes follow for the cache-block management instructions: a restriction the hypervisor placed on its guest can be lifted, so the guest executes an instruction the hypervisor intended to trap (the unauthorized configuration change in the title), or a permission the hypervisor granted can be revoked, so the guest takes an unexpected virtual-instruction trap and, if its code depends on the instruction, fails to make progress. Note that NEMU is an emulator rather than silicon; the practical effect is incorrect guest behaviour in simulation and divergence from hardware that implements the specification correctly.
Reproduction
Write `menvcfg` and then read back `henvcfg`. In NEMU the linked `henvcfg` fields change to follow the `menvcfg` write. On XiangShan, `henvcfg` is unchanged, as the specification requires, so when NEMU runs as the reference model the two environments disagree on the CSR value and the difference is visible as a CSR mismatch between the emulator and the core.
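The following C model, added here as an illustration and not taken from NEMU or XiangShan, reproduces the probe above and the policy consequence described under Impact. The `linked` flag is an assumption about the defect's shape: it mirrors the CBO fields of `menvcfg` into `henvcfg` on every `menvcfg` write. Only `menvcfg`/`henvcfg` and `cbo.zero` (CBZE) are modelled; `senvcfg` and U-mode rules are omitted because the page does not discuss them. The field bit positions are those of the RISC-V privileged specification.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout shared by menvcfg and henvcfg (RISC-V privileged spec). */
#define ENVCFG_FIOM     (1ULL << 0)
#define ENVCFG_CBIE     (3ULL << 4)
#define ENVCFG_CBCFE    (1ULL << 6)
#define ENVCFG_CBZE     (1ULL << 7)
#define ENVCFG_CBO_MASK (ENVCFG_CBIE | ENVCFG_CBCFE | ENVCFG_CBZE)

enum priv { PRV_U = 0, PRV_S = 1, PRV_M = 3 };
enum trap { TRAP_NONE = 0, TRAP_ILLEGAL = 1, TRAP_VIRTUAL = 2 };

/* Hypothetical CSR file. 'linked' switches on an assumed model of the bug in
 * which the CBO fields of henvcfg follow menvcfg; this is not NEMU's code. */
struct csrs {
    uint64_t menvcfg;
    uint64_t henvcfg;
    int linked;
};

void write_menvcfg(struct csrs *c, uint64_t v)
{
    c->menvcfg = v;
    if (c->linked)   /* the defect: henvcfg's CBO fields are overwritten */
        c->henvcfg = (c->henvcfg & ~ENVCFG_CBO_MASK) | (v & ENVCFG_CBO_MASK);
}

void write_henvcfg(struct csrs *c, uint64_t v) { c->henvcfg = v; }
uint64_t read_henvcfg(const struct csrs *c) { return c->henvcfg; }

/* cbo.zero permission check as the spec defines it for M/HS/VS mode:
 * M-mode is never restricted; menvcfg.CBZE=0 raises illegal-instruction in
 * every lower mode; henvcfg.CBZE=0 raises virtual-instruction when V=1. */
enum trap cbo_zero_check(const struct csrs *c, enum priv prv, int virt)
{
    if (prv == PRV_M)
        return TRAP_NONE;
    if (!(c->menvcfg & ENVCFG_CBZE))
        return TRAP_ILLEGAL;
    if (virt && !(c->henvcfg & ENVCFG_CBZE))
        return TRAP_VIRTUAL;
    return TRAP_NONE;
}

/* The Reproduction probe: write menvcfg, read henvcfg back, report whether it
 * was left untouched (1, spec behaviour) or changed (0, the defect). */
int henvcfg_survives_menvcfg_write(int linked)
{
    struct csrs c = { .menvcfg = 0, .henvcfg = 0, .linked = linked };
    write_henvcfg(&c, 0);                     /* hypervisor: deny guest CBO */
    uint64_t before = read_henvcfg(&c);
    write_menvcfg(&c, ENVCFG_CBO_MASK);       /* firmware: enable CBO for HS */
    return read_henvcfg(&c) == before;
}

/* The policy-bypass scenario from Impact: the hypervisor clears henvcfg.CBZE
 * to forbid cbo.zero in its guest, firmware later enables cbo.zero for HS via
 * menvcfg, and the guest then executes cbo.zero in VS mode. Returns the trap
 * the guest observes: TRAP_VIRTUAL per spec, TRAP_NONE with the defect. */
enum trap guest_cbo_zero_after_firmware_write(int linked)
{
    struct csrs c = { .menvcfg = 0, .henvcfg = 0, .linked = linked };
    write_menvcfg(&c, 0);                 /* firmware boot default: CBO off below M */
    write_henvcfg(&c, ENVCFG_FIOM);       /* hypervisor: CBZE=0 for the guest */
    write_menvcfg(&c, ENVCFG_CBZE);       /* firmware: allow cbo.zero in HS */
    return cbo_zero_check(&c, PRV_S, 1);  /* guest executes cbo.zero in VS (V=1) */
}

int main(void)
{
    printf("henvcfg preserved after menvcfg write: spec=%d linked=%d\n",
           henvcfg_survives_menvcfg_write(0), henvcfg_survives_menvcfg_write(1));
    printf("guest cbo.zero trap (0=none,1=illegal,2=virtual): spec=%d linked=%d\n",
           guest_cbo_zero_after_firmware_write(0),
           guest_cbo_zero_after_firmware_write(1));
    return 0;
}
```

Run with `linked` set and cleared to see the two sides of the mismatch: the spec model keeps `henvcfg` intact and traps the guest's `cbo.zero` with a virtual-instruction exception, while the linked model lets the firmware's `menvcfg` write lift the hypervisor's restriction.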
Remediation
Update to NEMU version v2025.12.r1, which contains the fix. After updating, re-run the probe above (write `menvcfg`, read back `henvcfg`) against the core under test and confirm that no CSR mismatch is reported.
