
[BUG] Writing to the cache line of current executing instructions will crash the processor #2566

riscv914 opened this issue Oct 25, 2024 · 0 comments
Labels
Type:Bug For bugs in the RTL, Documentation, Verification environment or Tool and Build system

@riscv914

Is there an existing CVA6 bug for this?

  • I have searched the existing bug issues

Bug Description

Summary

A vulnerability in the CVA6 processor causes a crash if a cache line holding the currently executing instruction is modified. Specifically, if an adversary executes a store instruction targeting memory that shares a cache line with the executing instruction, the processor will fail.

Details

The issue arises due to a write-back operation during cache coherency, where writing back a dirty cache line puts the processor into a state that leads to a crash.

PoC

If the asm volatile("sw t0, 0(%0)") store instruction modifies a memory address within the same cache line (e.g., between 0x80001000 and 0x800011FF) as the executing instruction, the processor will crash. However, if the store instruction is directed to the next cache line (e.g., 0x80001200), the code executes normally.

volatile unsigned int *code_mem = (unsigned int *)0x800011FF;
/* One asm statement so the compiler cannot reuse t0 between the li and the sw;
   0x00000013 is the encoding of nop (addi x0, x0, 0). */
asm volatile("li t0, 0x00000013\n\t"
             "sw t0, 0(%0)" : : "r"(code_mem) : "t0", "memory");

Impact

This vulnerability causes undefined behavior in the processor, potentially leading to a denial of service (DoS).

@riscv914 riscv914 added the Type:Bug For bugs in the RTL, Documentation, Verification environment or Tool and Build system label Oct 25, 2024
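The PoC above picks its two store targets by hand for one line geometry. The following is an added example, not the reporter's code and not part of CVA6, that makes the choice explicit and checkable: it computes the line holding the executing instruction, classifies a store as "same line" or "next line", flags a store that straddles a line boundary, and picks an aligned same-line slot. LINE_BYTES is an assumption taken from the report's own range 0x80001000..0x800011FF (0x200 bytes); CVA6's line width is a build-time parameter and may differ in the configuration under test. All function names are hypothetical. The RISC-V-only helper at the end is what a bare-metal test would run on the target; it follows the store with fence.i because the ISA requires that before a hart may rely on instructions it has just written, and it is not compiled on a host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumption: line size implied by the report's address range
 * (0x80001000..0x800011FF). CVA6's line width is a build-time
 * parameter; set this to match the configuration under test.
 * Must be a power of two. */
#define LINE_BYTES 0x200u

/* Start of the cache line holding addr. */
static inline uintptr_t line_base(uintptr_t addr)
{
    return addr & ~(uintptr_t)(LINE_BYTES - 1);
}

/* Start of the line after the one holding addr: the "next cache line"
 * target that the report says executes normally. */
static inline uintptr_t next_line_base(uintptr_t addr)
{
    return line_base(addr) + LINE_BYTES;
}

/* True if a width-byte store at target touches any byte of the line
 * that holds the instruction at pc (the report's crashing case). */
bool store_hits_code_line(uintptr_t pc, uintptr_t target, size_t width)
{
    uintptr_t lo = line_base(pc);
    uintptr_t hi = lo + LINE_BYTES;        /* half-open [lo, hi) */
    return target < hi && target + width > lo;
}

/* True if the store straddles a line boundary. With this geometry a
 * 4-byte store at 0x800011FF covers 0x800011FF..0x80001202 and does;
 * it is also not word-aligned, which on RISC-V may trap or be split
 * into two accesses, an effect separate from the one the report is about. */
bool store_crosses_line(uintptr_t target, size_t width)
{
    return line_base(target) != line_base(target + width - 1);
}

/* Last word-aligned slot inside pc's line: an aligned, non-straddling
 * "same line" target for a 4-byte sw. */
uintptr_t last_word_in_code_line(uintptr_t pc)
{
    return line_base(pc) + LINE_BYTES - sizeof(uint32_t);
}

#if defined(__riscv)
/* Bare-metal RISC-V only (hypothetical helper, not compiled on a host).
 * Writes the NOP encoding 0x00000013 to target and then executes fence.i,
 * which the ISA requires before the hart may rely on instructions it has
 * just stored. The report's crash occurs on the sw itself, before any
 * fence, so the fence is the correct follow-up for a test case rather
 * than a workaround for the bug. */
void store_nop_and_sync(uintptr_t target)
{
    uint32_t nop = 0x00000013u;            /* addi x0, x0, 0 */
    __asm__ volatile("sw %0, 0(%1)\n\t"
                     "fence.i"
                     :
                     : "r"(nop), "r"(target)
                     : "memory");
}
#endif
```

Run the address helpers on the host first to pick the two targets for a given line size, then use store_nop_and_sync with the same-line slot and the next-line base on the core; with the report's geometry the aligned same-line slot is 0x800011FC and the next-line target is 0x80001200.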