Please email jv.rajendran@tamu.edu and ahmad.sadeghi@trust.informatik.tu-darmstadt.de if you need HyPFuzz. Our hardware fuzzer HyPFuzz detected three new vulnerabilities that our first hardware fuzzer, TheHuzz, cannot find. Two of them were assigned CVEs: CVE-2022-33021 and CVE-2022-33023. These bugs are listed in Table 2 on page 13 of the HyPFuzz paper. For convenience, here is the mapping between the vulnerabilities in the paper and the CVEs assigned to them:
- CVE-2022-33021 -> V3: Returning an X value when accessing unallocated CSRs.
- CVE-2022-33023 -> V2: Incorrect decoding logic for multiplication instructions.
Here is a detailed description of these two vulnerabilities:
| Fields | V3 (CVE-2022-33021) | V2 (CVE-2022-33023) |
| --- | --- | --- |
| CNA-covered product? | No | No |
| Is this an existing CVE? | No | No |
| Vulnerability type | CWE-1281: Sequence of Processor Instructions Leads to Unexpected Behavior | CWE-440: Expected Behavior Violation |
| Vendor of the product | OpenHW Group | OpenHW Group |
| Affected product(s)/code base | CVA6, Hensoldt Cyber's MiG-V processor | CVA6, Hensoldt Cyber's MiG-V processor |
| Has the vendor confirmed or acknowledged the vulnerability? | Yes | No |
| Attack type | Context-dependent | Context-dependent |
| Impact | Code Execution, Denial of Service, Other (data corruption) | Code Execution |
| Affected component(s) | The set of control and status registers (CSRs) that record the privilege state of the processor | Special-purpose high-performance multiplication units |
| Attack vector(s) | Any software containing instructions that read or write the affected CSRs can be used as a source of corruption during execution | Any software containing multiplication instructions, such as the matrix operations of machine-learning workloads, can be used as a source of wrong results |
| Suggested description of the vulnerability for use in the CVE | An issue was discovered in the control and status register unit of the CVA6 processor. The register array has no indexes to store the values of a set of CSRs, yet the unit allows users to read those CSRs. | CVA6 grants permission to use the special multiplication units even when the instruction format is wrong. |
| GitHub issue | https://github.com/openhwgroup/cva6/issues/884 | https://github.com/openhwgroup/cva6/issues/885 |
| Additional information | See below | See below |

Additional information for V3 (CVE-2022-33021):

Location: cva6/core/csr_regfile.sv (https://github.com/openhwgroup/cva6/blob/master/core/csr_regfile.sv), lines 268 to 282, and cva6/core/perf_counters.sv (https://github.com/openhwgroup/cva6/blob/master/core/perf_counters.sv), line 46.

Details: The implementation of csr_regfile.sv allows reading all mhpmevent CSRs through the input performance data (line 282: `csr_rdata = perf_data_i`). However, perf_counters.sv only declares an array (perf_counter_q) for the events from CSR_ML1_ICACHE_MISS to CSR_MIF_EMPTY (line 46); each index of the array stores the value of one event counter. Hence, an instruction that reads an event counter beyond CSR_MIF_EMPTY indexes outside the array and returns an unknown (X) value.

Triggering input: `csrr rd, mhpmcounter30`
Expected output: rd = a defined 64-bit value
CVA6 output: rd = unknown value (xxxxxxxxxxxxxxxx)

Additional information for V2 (CVE-2022-33023):

Location: cva6/core/decoder.sv (https://github.com/openhwgroup/cva6/blob/master/core/decoder.sv), lines 496 to 498.

Details: The RISC-V ISA, Vol. I, version 20190608, page 43, states: “MULH[[S]U] rdh, rs1, rs2; MUL rdl, rs1, rs2 (source register specifiers must be in the same order and rdh cannot be the same as rs1 or rs2)”. However, the CVA6 implementation allows rd to be the same register as rs1 or rs2. Hence, when executing a MULHU instruction with rd = rs1 or rd = rs2, spike raises an illegal instruction exception while CVA6 does not.
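The following Python block is an added example and not code from CVA6, HyPFuzz or the paper. It does not simulate the RTL; it models the two decision points the reports above point at so that both triggering inputs can be checked offline: (a) an mhpmcounter read that indexes past the implemented performance-counter array, shown as reported and in a hardened form that reads unimplemented counters as zero (an assumed fix; the privileged spec allows hardwiring unimplemented hpm counters to zero), and (b) an R-type encoder/decoder for the M-extension multiply instructions with the rd = rs1 / rd = rs2 check the V2 report describes. All function names, `NUM_IMPLEMENTED_COUNTERS`, and the contents of `perf_counter_q` are constructed for the example; the real array bound is whatever perf_counters.sv declares.

```python
"""Software model of the V3 and V2 behaviours described above.

Added example, not code from CVA6, HyPFuzz or the paper.  The number of
implemented counters and their values are constructed so the out-of-range
read is observable; the real bound lives in perf_counters.sv.
"""

from typing import Optional, Sequence

# ---- V3: mhpmcounter reads beyond the implemented perf-counter array -------

CSR_MHPMCOUNTER3 = 0xB03    # first hardware performance counter CSR address
CSR_MHPMCOUNTER31 = 0xB1F   # last one; the addresses are contiguous
CSR_MHPMCOUNTER30 = 0xB1E   # the triggering input from the V3 report

# Constructed assumption: 14 implemented counters (mhpmcounter3..16).
NUM_IMPLEMENTED_COUNTERS = 14
perf_counter_q = [0x1000 + i for i in range(NUM_IMPLEMENTED_COUNTERS)]  # constructed sample values


def perf_counter_index(csr_addr: int) -> int:
    """Map an mhpmcounterN CSR address to its index in the counter array."""
    if not CSR_MHPMCOUNTER3 <= csr_addr <= CSR_MHPMCOUNTER31:
        raise ValueError(f"not an mhpmcounter CSR: {csr_addr:#x}")
    return csr_addr - CSR_MHPMCOUNTER3


def read_perf_counter_buggy(csr_addr: int, counters: Sequence[int]) -> Optional[int]:
    """Reported behaviour: the read path selects counters[idx] without checking
    idx against the array size.  In RTL an out-of-range select yields X, which
    this model returns as None."""
    idx = perf_counter_index(csr_addr)
    return counters[idx] if idx < len(counters) else None


def read_perf_counter_fixed(csr_addr: int, counters: Sequence[int]) -> int:
    """Hardened read (assumed fix): counters that are not implemented read as
    zero, which the privileged spec permits for unimplemented hpm counters."""
    idx = perf_counter_index(csr_addr)
    return counters[idx] if idx < len(counters) else 0


# ---- V2: operand constraint on MULH/MULHSU/MULHU in the decoder -----------

OPCODE_OP = 0b0110011       # R-type integer register-register opcode
FUNCT7_MULDIV = 0b0000001   # M-extension funct7
FUNCT3 = {"mul": 0b000, "mulh": 0b001, "mulhsu": 0b010, "mulhu": 0b011}
NAME_BY_FUNCT3 = {v: k for k, v in FUNCT3.items()}


def encode_rtype(name: str, rd: int, rs1: int, rs2: int) -> int:
    """Encode MUL/MULH/MULHSU/MULHU rd, rs1, rs2 as a 32-bit RISC-V word."""
    for r in (rd, rs1, rs2):
        if not 0 <= r < 32:
            raise ValueError("register index out of range")
    return ((FUNCT7_MULDIV << 25) | (rs2 << 20) | (rs1 << 15)
            | (FUNCT3[name] << 12) | (rd << 7) | OPCODE_OP)


def decode_rtype(insn: int):
    """Split a 32-bit word into (mnemonic, rd, rs1, rs2); reject non-MUL* words."""
    opcode = insn & 0x7F
    rd = (insn >> 7) & 0x1F
    funct3 = (insn >> 12) & 0x7
    rs1 = (insn >> 15) & 0x1F
    rs2 = (insn >> 20) & 0x1F
    funct7 = (insn >> 25) & 0x7F
    if opcode != OPCODE_OP or funct7 != FUNCT7_MULDIV or funct3 not in NAME_BY_FUNCT3:
        raise ValueError(f"not a MUL/MULH* instruction: {insn:#010x}")
    return NAME_BY_FUNCT3[funct3], rd, rs1, rs2


def mulh_operand_constraint_violated(insn: int) -> bool:
    """The condition the V2 report describes: a MULH/MULHSU/MULHU whose rd
    equals rs1 or rs2.  MUL itself carries no such constraint."""
    name, rd, rs1, rs2 = decode_rtype(insn)
    return name != "mul" and rd in (rs1, rs2)


def mulhu_rv64(a: int, b: int) -> int:
    """Reference MULHU on RV64: upper 64 bits of the unsigned 128-bit product."""
    mask = (1 << 64) - 1
    return ((a & mask) * (b & mask)) >> 64


if __name__ == "__main__":
    print("mhpmcounter30 as reported:", read_perf_counter_buggy(CSR_MHPMCOUNTER30, perf_counter_q))
    print("mhpmcounter30 hardened   :", read_perf_counter_fixed(CSR_MHPMCOUNTER30, perf_counter_q))
    insn = encode_rtype("mulhu", 5, 5, 6)  # mulhu x5, x5, x6
    print(f"mulhu x5,x5,x6 = {insn:#010x}; rd==rs1 violation:",
          mulh_operand_constraint_violated(insn))
```

Running the block shows the V3 read returning `None` (the X of the RTL simulation) under the reported logic and `0` under the hardened one, and shows `mulhu x5, x5, x6` being flagged by the operand check while `mulhu x7, x5, x6` and any `mul` pass. `decode_rtype` is the natural place to hook a differential check against spike: feed it the same words you feed both simulators and compare whether each side raised an exception.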