Headline
CVE-2022-34642: [Bug Report] Incorrect mask for mcontrol.action · Issue #1032 · riscv-software-src/riscv-isa-sim
The component mcontrol.action in RISCV ISA Sim commit ac466a21df442c59962589ba296c702631e041b5 contains an incorrect mask, which can cause a Denial of Service (DoS).
Following is the test case we use. In this program we add a breakpoint at 0x80000178 and specify that the size field is 3.
This is possible because the manual specifies that the fields in mcontrol are WARL, so users may try to write the value they expect (0x200000000003005c). Then we try to access 0x80000178, and the log shows that the emulation suddenly stops at 0x80000174.
core 0: 0x0000000080000140 (0x00000593) li a1, 0
core 0: 0x0000000080000144 (0x7a059073) csrw tselect, a1
core 0: 0x0000000080000148 (0x00000597) auipc a1, 0x0
core 0: 0x000000008000014c (0x03058593) addi a1, a1, 48
core 0: 0x0000000080000150 (0x7a259073) csrw tdata2, a1
core 0: 0x0000000080000154 (0x7a2025f3) csrr a1, tdata2
: reg 0 a1 -> 0x0000000080000178
core 0: 0x0000000080000158 (0x0010059b) addiw a1, zero, 1
core 0: 0x000000008000015c (0x02d59593) slli a1, a1, 45
core 0: 0x0000000080000160 (0x00358593) addi a1, a1, 3
core 0: 0x0000000080000164 (0x01059593) slli a1, a1, 16
core 0: 0x0000000080000168 (0x05c58593) addi a1, a1, 92
core 0: 0x000000008000016c (0x7a159073) csrw tdata1, a1
: reg 0 a1 -> 0x200000000003005c (action was set to 48 here)
core 0: 0x0000000080000170 (0x7a1025f3) csrr a1, tdata1
core 0: 0x0000000080000174 (0x00100193) li gp, 1
[exit simulation]
spike-1.zip
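To make the reported tdata1 write easier to read, the following is an added decoder for the mcontrol (tdata1 type 2) bit layout as given in the RISC-V Debug Specification 0.13.2. It is example code written for this page, not code from the issue reporter or from the riscv-isa-sim project, and the field names and struct are my own. Applied to the value written in the trace above, it shows which fields the test program actually set (sizelo, execute, m/s/u, action) so the reader can compare them against the WARL behaviour Spike implements.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of mcontrol (tdata1 with type == 2), RISC-V Debug Spec 0.13.2.
 * Bit positions: type[63:60] dmode[59] maskmax[58:53] sizehi[22:21] hit[20]
 * select[19] timing[18] sizelo[17:16] action[15:12] chain[11] match[10:7]
 * m[6] s[4] u[3] execute[2] store[1] load[0].  (Added example, not Spike code.) */
typedef struct {
    unsigned type, dmode, maskmax, sizehi, hit, select, timing, sizelo,
             action, chain, match, m, s, u, execute, store, load;
} mcontrol_fields;

/* Extract bits [hi:lo] of v as an unsigned integer. */
static unsigned bits(uint64_t v, unsigned hi, unsigned lo)
{
    return (unsigned)((v >> lo) & ((1ULL << (hi - lo + 1)) - 1));
}

/* Split a raw tdata1 value into its mcontrol fields. */
mcontrol_fields decode_mcontrol(uint64_t v)
{
    mcontrol_fields f;
    f.type    = bits(v, 63, 60);
    f.dmode   = bits(v, 59, 59);
    f.maskmax = bits(v, 58, 53);
    f.sizehi  = bits(v, 22, 21);
    f.hit     = bits(v, 20, 20);
    f.select  = bits(v, 19, 19);
    f.timing  = bits(v, 18, 18);
    f.sizelo  = bits(v, 17, 16);
    f.action  = bits(v, 15, 12);
    f.chain   = bits(v, 11, 11);
    f.match   = bits(v, 10, 7);
    f.m       = bits(v, 6, 6);
    f.s       = bits(v, 4, 4);
    f.u       = bits(v, 3, 3);
    f.execute = bits(v, 2, 2);
    f.store   = bits(v, 1, 1);
    f.load    = bits(v, 0, 0);
    return f;
}

/* The combined size encoding: sizehi forms the upper two bits, sizelo the lower two. */
unsigned mcontrol_size(const mcontrol_fields *f)
{
    return (f->sizehi << 2) | f->sizelo;
}

/* Value the test program builds in a1 before csrw tdata1 (taken from the trace). */
#define REPORTED_TDATA1 0x200000000003005cULL

int main(void)
{
    mcontrol_fields f = decode_mcontrol(REPORTED_TDATA1);
    printf("tdata1 = 0x%016llx\n", (unsigned long long)REPORTED_TDATA1);
    printf("type=%u dmode=%u maskmax=%u size=%u (sizehi=%u sizelo=%u)\n",
           f.type, f.dmode, f.maskmax, mcontrol_size(&f), f.sizehi, f.sizelo);
    printf("action=%u chain=%u match=%u timing=%u select=%u hit=%u\n",
           f.action, f.chain, f.match, f.timing, f.select, f.hit);
    printf("m=%u s=%u u=%u execute=%u store=%u load=%u\n",
           f.m, f.s, f.u, f.execute, f.store, f.load);
    return 0;
}
```

For the value in the trace the decoder reports type=2 (mcontrol), sizelo=3 with sizehi=0, action=0, match=0, and execute with m, s and u all set; the other fields are zero. How Spike legalizes each of those WARL fields is exactly what the report is about, so the decoded fields are the input to compare against the simulator's behaviour, not a statement about the fix.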