Description
Type of issue: bug report
Impact: function to permit Supervisor User Memory access
Affected versions: commit f517ab and before
General Explanation:
During fuzz testing of the processor, the SUM (Supervisor User Memory Access) control bit in the processor's permission management logic and satp.MODE (Address Translation Mode) violate the restrictions defined in the hardware specification (REF1: "The RISC-V Instruction Set Manual Volume II Privileged Architecture Version 20240411, Page 28, 91, 99"), the SUM is set while satp.MODE is reset. Specifically, the SUM bit allows supervisor-mode software to access user-mode memory pages when enabled (U=1), but its validity is affected by the control domain defined by satp.MODE. According to the RISC-V manual, when satp.MODE is set to 0 (bare mode, with address translation disabled), the SUM bit must be read-only 0.
The provided code is extracted from the TLB module of the open-source project rocket-chip [REF2] of RISCV (src/main/scala/rocket/TLB.Scala).
When designing the logic to determine whether the current permissions grant read/write access, Rocket neglected to check the validity of the SUM flag and instead used it directly.
// Original code form TLB.scala
val priv_rw_ok = Mux(!priv_s || sum, entries.map(_.u).asUInt, 0.U) | Mux(priv_s, ~entries.map(_.u).asUInt, 0.U) //Directly using the SUM bit without judging its validity
The above code will extract the user permission bits for each entry as long as the SUM control bit is set, regardless of the current permissions (due to the use of |). However, the SUM bit can be explicitly set to 1 without being subjected to subsequent logical validation. It is necessary to check the validity prior to its usage.
A fix to this issue is to check the validity of the SUM bit before utilizing it:
// Suggested Code:
val sum_masked = Mux(satp.mode === 0.U, 0.U, sum) // Force SUM=0 when translation is off
val priv_rw_ok = Mux(!priv_s || sum_masked, entres.map(_.u).asUInt, 0.U) | Mux(priv_s, ~entries.map(_.u).asUInt, 0.U)
I would be very grateful if this suggestion could catch your attention.