CVE-2022-34635 in CVA6info

Summary

by MITRE • 07/19/2022

The mstatus.sd field in CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a does not update when the mstatus.fs field is set to Dirty.


Analysis

by VulDB Data Team • 08/06/2022

CVE-2022-34635 resides in the CVA6 RISC-V processor implementation, specifically in how the mstatus register's state-summary bit is maintained when the floating-point unit's status changes. In the RISC-V privileged architecture, mstatus.FS is a two-bit field that tracks the state of the floating-point unit (Off, Initial, Clean or Dirty, where Dirty means the FP registers or fcsr have been written since the state was last saved or restored), and mstatus.SD is a read-only summary bit in the most-significant bit of mstatus that is set whenever FS, XS or (where the vector extension is implemented) VS is Dirty. SD exists so that trap handlers and context-switch code can test a single sign bit to learn whether any extension state needs to be saved; sstatus mirrors the same bit for supervisor software. In CVA6 at commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a, SD is not updated when FS becomes Dirty.

The flaw is an incomplete implementation of the status-tracking logic in the CVA6 core. SD is a hardware-maintained, read-only bit that the specification defines as a function of FS (and XS/VS), so it should follow FS on every read of mstatus; in the affected revision it does not track the transition of FS to Dirty (the spec has FS become Dirty either when a floating-point instruction retires with FS enabled or when software writes the field through a CSR write). The result is a state inconsistency in which a read of mstatus or sstatus returns SD clear while FS reads as Dirty. Software that relies on SD as the fast "extension state needs saving" test during privilege transitions, trap handling or task switches is therefore given a wrong answer.

The operational impact is not a miscomputed floating-point result in the program that dirtied the state; the FP unit itself computes correctly. The risk is in context management. When FS is Dirty, SD should also be set so that the kernel or hypervisor knows the FP register file must be saved before another context runs. On the affected core a kernel or hypervisor that tests SD rather than FS will see SD clear and may skip the save on a system call, task switch or interrupt. The dirtied registers then either leak into the next context, where the next process or guest can read the previous context's floating-point values, or are overwritten without having been preserved, silently corrupting the original context's computation when it resumes. Code that tests the FS field directly is not affected, so the practical exposure depends on the context-switch strategy of the system software running on the core.

VulDB classifies the issue as CWE-284 (Improper Access Control) and CWE-682 (Incorrect Calculation): the processor computes a status flag incorrectly, and the consequence is that one context's register contents can become visible to, or be clobbered by, another. The credible outcomes are information disclosure across process or guest boundaries and loss of integrity of a victim context's floating-point state; the page documents no exploit, and a direct privilege escalation would additionally require the affected system software to hold privileged data in floating-point registers. The problem matters most on systems where floating-point use is frequent and where the operating system trusts SD as its sole indicator of whether extension state must be preserved.

Because CVA6 is a hardware design, the fix belongs in the RTL: update to a CVA6 revision that addresses this issue so that SD is derived from FS (and XS/VS) on every read of mstatus, and rebuild any FPGA image, simulation model or silicon derived from the affected commit. Where the core cannot be changed, the software mitigation is for kernels and hypervisors to decide whether to save extension state by testing FS (and XS/VS) directly rather than SD, and to treat a read of SD=0 together with FS=Dirty as a known erratum rather than as proof that no save is required. A boot-time self-test that dirties the floating-point state and checks that SD follows it will identify affected cores so that the workaround can be enabled only where it is needed.
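The following C model is an added example and is not CVA6 RTL or any project's code. It encodes the mstatus field positions from the RISC-V privileged specification, contrasts a conforming core (SD recomputed whenever FS changes) with a hypothetical model of the stale-SD behaviour the CVE describes, and shows how a context switch that tests SD reaches a different decision from one that tests FS. The function names (expected_sd, fp_retire_stale_sd, needs_fp_save_via_sd and so on) are assumptions of this example, and the consistency check sd_consistent is the kind of self-test the mitigation paragraph refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field positions from the RISC-V privileged spec (RV64 mstatus layout).
 * FS, XS and VS are two-bit fields; SD is the most significant bit. */
#define MSTATUS_VS_SHIFT 9
#define MSTATUS_FS_SHIFT 13
#define MSTATUS_XS_SHIFT 15
#define MSTATUS_SD_BIT   ((uint64_t)1 << 63)
#define STATE_MASK       ((uint64_t)3)

/* Encoding shared by FS, XS and VS. */
enum ext_state { EXT_OFF = 0, EXT_INITIAL = 1, EXT_CLEAN = 2, EXT_DIRTY = 3 };

static inline unsigned get_fs(uint64_t m) { return (m >> MSTATUS_FS_SHIFT) & STATE_MASK; }
static inline unsigned get_xs(uint64_t m) { return (m >> MSTATUS_XS_SHIFT) & STATE_MASK; }
static inline unsigned get_vs(uint64_t m) { return (m >> MSTATUS_VS_SHIFT) & STATE_MASK; }

/* Spec behaviour: SD is read-only and is set exactly when FS, XS or VS is Dirty. */
static uint64_t expected_sd(uint64_t m)
{
    bool dirty = get_fs(m) == EXT_DIRTY || get_xs(m) == EXT_DIRTY || get_vs(m) == EXT_DIRTY;
    return dirty ? MSTATUS_SD_BIT : 0;
}

/* Self-test: true when the SD bit in m agrees with the spec for m's FS/XS/VS. */
static bool sd_consistent(uint64_t m)
{
    return (m & MSTATUS_SD_BIT) == expected_sd(m);
}

static uint64_t set_fs(uint64_t m, enum ext_state s)
{
    return (m & ~(STATE_MASK << MSTATUS_FS_SHIFT)) | ((uint64_t)s << MSTATUS_FS_SHIFT);
}

/* Conforming core: a retiring FP instruction marks FS Dirty and SD follows. */
static uint64_t fp_retire_conforming(uint64_t m)
{
    m = set_fs(m, EXT_DIRTY);
    return (m & ~MSTATUS_SD_BIT) | expected_sd(m);
}

/* Hypothetical model of the defect described in CVE-2022-34635 (not the CVA6 RTL):
 * FS becomes Dirty but SD keeps whatever value it had before. */
static uint64_t fp_retire_stale_sd(uint64_t m)
{
    return set_fs(m, EXT_DIRTY);
}

/* Conforming CSR write: SD is not writable; hardware recomputes it from the new value. */
static uint64_t csr_write_conforming(uint64_t old, uint64_t wval)
{
    (void)old;
    uint64_t m = wval & ~MSTATUS_SD_BIT;
    return m | expected_sd(m);
}

/* Defective CSR write in the same hypothetical model: SD is carried over unchanged. */
static uint64_t csr_write_stale_sd(uint64_t old, uint64_t wval)
{
    return (wval & ~MSTATUS_SD_BIT) | (old & MSTATUS_SD_BIT);
}

/* Two ways a context switch can decide whether the FP register file must be saved.
 * The SD test is the spec's intended fast path; the FS test is immune to the bug. */
static bool needs_fp_save_via_sd(uint64_t m) { return (m & MSTATUS_SD_BIT) != 0; }
static bool needs_fp_save_via_fs(uint64_t m) { return get_fs(m) == EXT_DIRTY; }

int main(void)
{
    uint64_t start = set_fs(0, EXT_CLEAN);   /* FS=Clean, SD=0: nothing to save yet */
    uint64_t good = fp_retire_conforming(start);
    uint64_t bad = fp_retire_stale_sd(start);

    printf("conforming core: FS=%u SD=%d consistent=%d save(SD)=%d save(FS)=%d\n",
           get_fs(good), needs_fp_save_via_sd(good), sd_consistent(good),
           needs_fp_save_via_sd(good), needs_fp_save_via_fs(good));
    printf("stale-SD core:   FS=%u SD=%d consistent=%d save(SD)=%d save(FS)=%d\n",
           get_fs(bad), needs_fp_save_via_sd(bad), sd_consistent(bad),
           needs_fp_save_via_sd(bad), needs_fp_save_via_fs(bad));
    return 0;
}
```

On the stale-SD model a switch that trusts SD skips the save while FS says the registers are Dirty, which is the leak-or-clobber scenario described above. The same check can be run on real hardware as a boot-time probe: with FS enabled, execute one floating-point instruction or set FS to Dirty through a CSR write, read back mstatus (or sstatus), and test the sign bit; a core with this defect reads back FS=Dirty with SD clear. That probe is described here as a suggested procedure, not as a test taken from the CVA6 project.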

Reservation

06/26/2022

Disclosure

07/19/2022

Moderation

accepted

CPE

ready

EPSS

0.00782

KEV

no

Activities

very low
