Hello,
we have found a security vulnerability in the Kronos CPU where an instruction sometimes reads from the previous instruction's input register. For example, a 'jalr' instruction may read from the previous 'add' instruction's input. If that 'add' instruction was operating on attacker-controlled data, an attacker would gain the ability to hijack the control flow.
This bug happens when an instruction request (instr_req) is not immediately acknowledged by an instr_ack on the instruction bus interface.
As can be seen in the test output, the 'pc_last' signal is set to a value calculated from register x2 instead of x0.
The good case where the 'instr_ack' appears in the next clock cycle after each request:
An example testbench can be found here: https://github.com/KatCe/kronos/tree/cf_hijack_bug_wrong_rs1/tests/cf_hijack_wrong_rs1
Thank you. Katharina
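The following is an added illustration, not part of the report above and not Kronos RTL: a toy cycle model in Python of an in-order core behind an instr_req/instr_ack bus, run once with the acknowledge arriving the cycle after each request (the good case the report mentions) and once with a delayed acknowledge. The buggy decode variant samples the rs1 field one cycle after the request, assuming the bus is always that fast, so with a late ack it picks up the previous instruction's rs1; the correct variant captures rs1 only when instr_ack is asserted. That stale-sampling mechanism, the program (an 'add' with rs1 = x2 followed by a 'jalr' with rs1 = x0), the register numbers and the x2 value are all assumptions chosen to reproduce the reported symptom, not a claim about what the Kronos RTL actually does.

```python
# Added illustration (not part of the bug report, not Kronos RTL): a toy
# cycle model of an in-order core behind an instr_req/instr_ack bus. The
# "stale sampling" mechanism below is an assumption chosen to reproduce the
# reported symptom; it does not claim to be the cause inside Kronos.
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Instr:
    op: str          # "add" or "jalr" (the two opcodes the report names)
    rd: int
    rs1: int
    rs2: int = 0     # add only
    imm: int = 0     # jalr only


class InstrBus:
    """Instruction memory behind a req/ack handshake.

    `data` holds the last returned word until the next ack, as a registered
    memory output does, so a consumer that samples it too early sees the
    previous instruction."""

    def __init__(self, program: List[Instr], ack_delay: int):
        self.program = program
        self.ack_delay = ack_delay      # cycles from instr_req to instr_ack
        self.data: Optional[Instr] = None
        self._addr = 0
        self._countdown: Optional[int] = None

    def request(self, pc: int) -> None:
        self._addr = pc
        self._countdown = self.ack_delay

    def tick(self) -> bool:
        """Advance one cycle; True on the cycle instr_ack is asserted."""
        if self._countdown is None:
            return False
        self._countdown -= 1
        if self._countdown > 0:
            return False
        self._countdown = None
        self.data = self.program[self._addr // 4]
        return True


def run(program: List[Instr], x2: int, ack_delay: int,
        rs1_latched_on_ack: bool, max_cycles: int = 64) -> Optional[int]:
    """Execute until the first jalr and return its target (the model's pc_last).

    rs1_latched_on_ack=True : decode takes rs1 from the word delivered with
                              instr_ack (correct).
    rs1_latched_on_ack=False: decode samples rs1 one cycle after instr_req,
                              assuming the ack is always that fast (buggy).
    """
    regs = [0] * 32
    regs[2] = x2 & MASK32               # constructed attacker-influenced x2
    bus = InstrBus(program, ack_delay)
    pc = 0
    rs1_addr = 0                        # register-file read address
    bus.request(pc)
    expect_ack_in = 1
    for _ in range(max_cycles):
        ack = bus.tick()
        if not rs1_latched_on_ack:
            expect_ack_in -= 1
            if expect_ack_in == 0 and bus.data is not None:
                rs1_addr = bus.data.rs1     # stale if the ack is late
        if not ack:
            continue
        instr = bus.data
        if rs1_latched_on_ack:
            rs1_addr = instr.rs1            # qualified by the real ack
        if instr.op == "add":
            regs[instr.rd] = (regs[rs1_addr] + regs[instr.rs2]) & MASK32
            regs[0] = 0                     # x0 is hardwired to zero
            pc += 4
        elif instr.op == "jalr":
            # RISC-V jalr: target = (rs1 + imm) with bit 0 cleared
            return (regs[rs1_addr] + instr.imm) & 0xFFFFFFFE
        else:
            raise ValueError(instr.op)
        if pc // 4 >= len(program):
            return None
        bus.request(pc)
        expect_ack_in = 1
    return None


# Constructed program in the shape the report describes: an add whose rs1 is
# x2, followed by a jalr whose rs1 is x0 (its target must not depend on x2).
PROGRAM = [
    Instr("add", rd=6, rs1=2, rs2=0),        # x6 = x2 + x0
    Instr("jalr", rd=0, rs1=0, imm=0x40),    # pc = x0 + 0x40 = 0x40
]


def compare(x2: int) -> dict:
    """pc_last for every combination of bus timing and decode behaviour."""
    return {
        ("ack next cycle", "rs1 on ack"): run(PROGRAM, x2, 1, True),
        ("ack next cycle", "rs1 early"):  run(PROGRAM, x2, 1, False),
        ("ack delayed",    "rs1 on ack"): run(PROGRAM, x2, 2, True),
        ("ack delayed",    "rs1 early"):  run(PROGRAM, x2, 2, False),
    }


if __name__ == "__main__":
    for (timing, decode), target in compare(0xDEAD0000).items():
        print(f"{timing:15s} {decode:11s} pc_last=0x{target:08x}")
```

Only the combination of a delayed acknowledge and the early-sampling decode produces a jump target derived from x2; with the acknowledge arriving the next cycle the two decode variants are indistinguishable, which is why a testbench that never stalls the instruction bus cannot catch this class of bug. The property worth asserting in a real testbench is that the register-file read addresses change only on a cycle where instr_ack is asserted.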