Rocket-Chip CSR Logic Vulnerability: MRET-Triggered Exception Causes Faulty Privilege State Handling

Critical Vulnerability Information Vulnerability Name Rocket-Chip CSR Logic Vulnerability: Flawed Interaction Between Exception Handling and Return Mechanisms Causes Faulty Trap Behavior on mret-Triggered Exceptions. Discoverers Fanyun Shu, Yang Zhang, Zheng Fu, Zhiheng Zhang, Jian Wang, School of Information and Communication Engineering, University of Electronic Science and Technology of China (UESTC) Brief Introduction The control and status registers (CSRs) in Rocket-Chip exhibit a conflict between its exception handling mechanism and return mechanism (MRET). When executing MRET in machine mode without having entered an exception, an instruction access fault may be triggered. This causes both the exception handling logic and return logic to activate simultaneously, leading to errors in the exception handling process—such as MPIE failing to save the MIE value as required. General Explanation of the Weakness In processor architecture, the exception handling mechanism is designed to respond to illegal events during instruction execution, such as illegal instructions or out-of-bounds memory accesses. When an exception occurs, the processor must immediately interrupt the current execution flow, save critical state information, and jump to a predefined exception handler. At the exception entry point, the processor typically saves the current interrupt enable status (e.g., MIE) into its backup bit (MPIE) and disables interrupts to prevent nested exceptions. The MRET instruction is used to return from an exception by restoring the previously saved exception state and privilege level from the mstatus register, resuming normal execution. However, in practice, Rocket Chip overlooks the possibility that the MRET instruction itself may trigger an exception. This can lead to both exception handling and return logic being activated simultaneously, causing conflicts in the control and status registers. Discovery Context During dynamic testing, Rocket Chip executed the MRET instruction in machine mode (not in an exception context), triggering an instruction access fault. At this point, it was observed that the processor erroneously activated both the exception handling logic and return logic simultaneously, disrupting the exception handling process. The key manifestation of this defect is that MPIE fails to correctly restore the MIE value as specified in Section 3.1.6, page 26, of the RISC-V Privileged Architecture Specification. Before execution: MIE=0, MPIE=1, mcause=0; after execution: mcause is updated to 1 (indicating instruction access fault), but MPIE remains unchanged at 1. Detailed runtime logs are available at: https://github.com/heyfenny/Vulnerability_disclosure/blob/main/RISCV/Rocket-chip/25-7-10/Rocket_Runtime_log.log, indicating that the proper privilege state transition was not successfully completed. Ultimately, the processor proceeds into the exception handling flow, but the exception handling fails to execute correctly, resulting in abnormal program termination. This demonstrates that Rocket Chip’s current CSR logic cannot robustly handle exceptions triggered during MRET execution, violating the privileged specification requirements and compromising system reliability. Vulnerability Type CWE-440: Expected Behavior Violation Affected Product Codebase Rocket-Chip: The Berkeley Open-Source RISC-V Processor, commit f517abb and earlier versions Affected Components src/main/scala/rocket/CSR.scala, Control and Status Registers. Example Code The provided code excerpt is from the CSR module of the open-source Rocket-Chip project (src/main/scala/rocket/CSR.scala). The language used is Scala, as the project designs the processor in Scala and then generates Verilog code. Rocket’s exception entry logic: Rocket’s return logic: It can be observed that these two decision logics are overly simplistic and lack a mechanism to check for exception triggers during the return logic decision process. Recommended Fix Code

Goal Reached Thanks to every supporter — we hit 100%!

Rocket-Chip CSR Logic Vulnerability: MRET-Triggered Exception Causes Faulty Privilege State Handling

More from this source