[PATCH v2] target/riscv: Fix missing CDE check for scountinhibit

Zishun Yi posted 1 patch 2 weeks, 3 days ago
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/20260508174917.371667-1-vulab@iscas.ac.cn
Maintainers: Palmer Dabbelt <palmer@dabbelt.com>, Alistair Francis <alistair.francis@wdc.com>, Weiwei Li <liwei1518@gmail.com>, Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>, Liu Zhiwei <zhiwei_liu@linux.alibaba.com>, Chao Liu <chao.liu.zevorn@gmail.com>
[PATCH v2] target/riscv: Fix missing CDE check for scountinhibit
Posted by Zishun Yi 2 weeks, 3 days ago
According to the RISC-V smcdeleg specification: "When menvcfg.CDE=0,
attempts to access scountinhibit raise an illegal-instruction
exception."

The current implementation of scountinhibit_pred() only checks the
hardware extensions (ext_ssccfg, ext_smcdeleg) and virtualization
status, but completely misses the runtime environment configuration
check (menvcfg.CDE).  This allows S-mode to access scountinhibit even
when the M-mode has explicitly disabled counter delegation.

This issue was discovered by the SpecHunter tool
(https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2571/qemu.txt).

Fixes: 6247dc2ef70b ("target/riscv: Add counter delegation/configuration support")
Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>
---
v2: Removed mistakenly added #include "cpu_bits.h".

 target/riscv/csr.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index da366cf56271..9ae8d553dcf1 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -398,6 +398,10 @@ static RISCVException scountinhibit_pred(CPURISCVState *env, int csrno)
         return RISCV_EXCP_ILLEGAL_INST;
     }
 
+    if (!get_field(env->menvcfg, MENVCFG_CDE)) {
+        return RISCV_EXCP_ILLEGAL_INST;
+    }
+
     if (env->virt_enabled) {
         return RISCV_EXCP_VIRT_INSTRUCTION_FAULT;
     }
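Review bot: the new menvcfg.CDE test is placed ahead of the existing `env->virt_enabled` check, so a VS-mode access with CDE=0 now returns RISCV_EXCP_ILLEGAL_INST where it previously returned RISCV_EXCP_VIRT_INSTRUCTION_FAULT; that ordering agrees with the quoted spec sentence (the CDE=0 rule is stated unconditionally), but since it changes what a guest observes, a one-line comment above `if (!get_field(env->menvcfg, MENVCFG_CDE))` citing the Smcdeleg clause would spare the next reader from re-deriving the precedence. The v2 note says the cpu_bits.h include was dropped, which implies `get_field` and `MENVCFG_CDE` are already visible in csr.c; stating that in the changelog would make the v1-to-v2 change self-explanatory.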
-- 
2.51.2
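As an added illustration (not QEMU's code), the following standalone C model shows scountinhibit_pred() before and after this patch side by side, so the effect of the missing menvcfg.CDE check and of its placement ahead of the virt check can be seen for every combination of CDE and VS-mode. The CPURISCVState struct, the enum values, mkenv() and the bit position chosen for MENVCFG_CDE are simplified stand-ins assumed here, not taken from QEMU.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MENVCFG_CDE (1ULL << 60) /* menvcfg.CDE, assumed bit 60 for this model */

typedef enum { RISCV_EXCP_NONE = -1, RISCV_EXCP_ILLEGAL_INST = 2,
               RISCV_EXCP_VIRT_INSTRUCTION_FAULT = 22 } RISCVException;
/* Simplified stand-in for QEMU's CPURISCVState (extension flags folded in). */
typedef struct {
    bool ext_ssccfg, ext_smcdeleg; /* extensions implemented? */
    uint64_t menvcfg;              /* M-mode environment configuration */
    bool virt_enabled;             /* executing in VS-mode? */
} CPURISCVState;

static inline uint64_t get_field(uint64_t reg, uint64_t mask) { return reg & mask; }

/* Before the patch: extension and virt checks only; menvcfg.CDE is never consulted. */
static RISCVException scountinhibit_pred_old(const CPURISCVState *env)
{
    if (!env->ext_ssccfg || !env->ext_smcdeleg) return RISCV_EXCP_ILLEGAL_INST;
    if (env->virt_enabled) return RISCV_EXCP_VIRT_INSTRUCTION_FAULT;
    return RISCV_EXCP_NONE; /* S-mode gets through even when M-mode cleared CDE */
}

/* After the patch: CDE=0 raises illegal-instruction. The check sits before the
 * virt check, so it takes precedence over the VS-mode virtual-instruction fault. */
static RISCVException scountinhibit_pred_new(const CPURISCVState *env)
{
    if (!env->ext_ssccfg || !env->ext_smcdeleg) return RISCV_EXCP_ILLEGAL_INST;
    if (!get_field(env->menvcfg, MENVCFG_CDE)) return RISCV_EXCP_ILLEGAL_INST;
    if (env->virt_enabled) return RISCV_EXCP_VIRT_INSTRUCTION_FAULT;
    return RISCV_EXCP_NONE;
}

/* Hart with both extensions present; only menvcfg.CDE and virt vary. */
static CPURISCVState mkenv(bool cde, bool virt)
{
    return (CPURISCVState){ true, true, cde ? MENVCFG_CDE : 0, virt };
}

int main(void)
{
    for (int cde = 0; cde < 2; cde++) for (int virt = 0; virt < 2; virt++) {
        CPURISCVState e = mkenv(cde, virt);
        printf("CDE=%d virt=%d: old=%d new=%d\n", cde, virt,
               scountinhibit_pred_old(&e), scountinhibit_pred_new(&e));
    }
    return 0;
}
```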
Re: [PATCH v2] target/riscv: Fix missing CDE check for scountinhibit
Posted by Alistair Francis 1 week ago
On Sat, May 9, 2026 at 3:51 AM Zishun Yi <vulab@iscas.ac.cn> wrote:
>
> According to the RISC-V smcdeleg specification: "When menvcfg.CDE=0,
> attempts to access scountinhibit raise an illegal-instruction
> exception."
>
> The current implementation of scountinhibit_pred() only checks the
> hardware extensions (ext_ssccfg, ext_smcdeleg) and virtualization
> status, but completely misses the runtime environment configuration
> check (menvcfg.CDE).  This allows S-mode to access scountinhibit even
> when the M-mode has explicitly disabled counter delegation.
>
> This issue was discovered by the SpecHunter tool
> (https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2571/qemu.txt).
>
> Fixes: 6247dc2ef70b ("target/riscv: Add counter delegation/configuration support")
> Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>

Thanks!

Applied to riscv-to-apply.next

Alistair

> ---
> v2: Removed mistakenly added #include "cpu_bits.h".
>
>  target/riscv/csr.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index da366cf56271..9ae8d553dcf1 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -398,6 +398,10 @@ static RISCVException scountinhibit_pred(CPURISCVState *env, int csrno)
>          return RISCV_EXCP_ILLEGAL_INST;
>      }
>
> +    if (!get_field(env->menvcfg, MENVCFG_CDE)) {
> +        return RISCV_EXCP_ILLEGAL_INST;
> +    }
> +
>      if (env->virt_enabled) {
>          return RISCV_EXCP_VIRT_INSTRUCTION_FAULT;
>      }
> --
> 2.51.2
Re: [PATCH v2] target/riscv: Fix missing CDE check for scountinhibit
Posted by Daniel Henrique Barboza 2 weeks ago

On 5/8/2026 2:49 PM, Zishun Yi wrote:
> According to the RISC-V smcdeleg specification: "When menvcfg.CDE=0,
> attempts to access scountinhibit raise an illegal-instruction
> exception."
> 
> The current implementation of scountinhibit_pred() only checks the
> hardware extensions (ext_ssccfg, ext_smcdeleg) and virtualization
> status, but completely misses the runtime environment configuration
> check (menvcfg.CDE).  This allows S-mode to access scountinhibit even
> when the M-mode has explicitly disabled counter delegation.
> 
> This issue was discovered by the SpecHunter tool
> (https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2571/qemu.txt).
> 
> Fixes: 6247dc2ef70b ("target/riscv: Add counter delegation/configuration support")
> Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>
> ---

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>

> v2: Removed mistakenly added #include "cpu_bits.h".
> 
>   target/riscv/csr.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index da366cf56271..9ae8d553dcf1 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -398,6 +398,10 @@ static RISCVException scountinhibit_pred(CPURISCVState *env, int csrno)
>           return RISCV_EXCP_ILLEGAL_INST;
>       }
>   
> +    if (!get_field(env->menvcfg, MENVCFG_CDE)) {
> +        return RISCV_EXCP_ILLEGAL_INST;
> +    }
> +
>       if (env->virt_enabled) {
>           return RISCV_EXCP_VIRT_INSTRUCTION_FAULT;
>       }