On 5/11/2026 1:05 AM, Zishun Yi wrote:
Currently, the MENVCFG_CDE (Counter Delegation Enable) bit is
unconditionally included in the base write mask for CSR_MENVCFG.
This makes the subsequent conditional check
`(cfg->ext_smcdeleg ? MENVCFG_CDE : 0)` completely ineffective,
as a bitwise OR cannot clear a bit that is already set.

Fix this by removing MENVCFG_CDE from the initial base mask. The bit
will now only be writable when explicitly granted by the `ext_smcdeleg`
configuration.

This issue was discovered and reported by SpecHunter, an AI-driven
architecture specification analysis tool.

Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2601/qemu.txt
Signed-off-by: Zishun Yi <[email protected]>
---

Reviewed-by: Daniel Henrique Barboza <[email protected]>

  target/riscv/csr.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index da366cf56271..f6bcf128a147 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -3175,7 +3175,7 @@ static RISCVException write_menvcfg(CPURISCVState *env, 
int csrno,
  {
      const RISCVCPUConfig *cfg = riscv_cpu_cfg(env);
      uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
-                    MENVCFG_CBZE | MENVCFG_CDE;
+                    MENVCFG_CBZE;
      bool stce_changed = false;
if (riscv_cpu_mxl(env) == MXL_RV64) {
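Review bot: the `ext_smcdeleg ? MENVCFG_CDE : 0` term that this change relies on lies past the end of the hunk's context, so the diff alone does not show that CDE is now reachable only through that gate; please confirm it is a `mask |= ...` inside the `MXL_RV64` branch shown on the last context line, and consider noting that location in the commit message. Also worth confirming whether the RV32 upper-half path (write_menvcfgh) builds its mask with the same unconditional inclusion, since the commit message mentions only CSR_MENVCFG and this hunk touches only write_menvcfg.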


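The mask-construction bug described in the commit message, as an added example (not QEMU's code). It models the write mask before and after the patch, applies it the way a masked CSR write does, and shows that with the old mask a write of all-ones sets CDE even when `ext_smcdeleg` is off. The bit positions, the `cpu_cfg_t` struct and the helper names are assumptions made for this example, not QEMU's definitions.

```c
/* Added example, not QEMU code: models how write_menvcfg's write mask gates
 * fields on CPU configuration and why a bit in the base mask cannot be
 * removed by a later conditional OR. Bit positions are assumed for
 * illustration and may not match QEMU's headers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MENVCFG_FIOM  (1ULL << 0)
#define MENVCFG_CBIE  (3ULL << 4)
#define MENVCFG_CBCFE (1ULL << 6)
#define MENVCFG_CBZE  (1ULL << 7)
#define MENVCFG_CDE   (1ULL << 60)

/* Stand-in for the one RISCVCPUConfig field this example needs. */
typedef struct {
    bool ext_smcdeleg;
} cpu_cfg_t;

/* Mask as built before the patch: CDE sits in the base term, so the
 * conditional OR below cannot remove it when the extension is disabled. */
static uint64_t menvcfg_mask_before(const cpu_cfg_t *cfg)
{
    uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
                    MENVCFG_CBZE | MENVCFG_CDE;
    mask |= (cfg->ext_smcdeleg ? MENVCFG_CDE : 0);
    return mask;
}

/* Mask as built after the patch: CDE enters only through the gate. */
static uint64_t menvcfg_mask_after(const cpu_cfg_t *cfg)
{
    uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
                    MENVCFG_CBZE;
    mask |= (cfg->ext_smcdeleg ? MENVCFG_CDE : 0);
    return mask;
}

/* Masked CSR write: bits in mask come from the new value, all others keep
 * their old value, so a bit outside the mask is read-only to the writer. */
static uint64_t csr_masked_write(uint64_t old, uint64_t val, uint64_t mask)
{
    return (old & ~mask) | (val & mask);
}

/* True if a write of all-ones can set CDE under the given mask builder,
 * i.e. the bit is writable for a CPU configured with/without Smcdeleg. */
static bool cde_writable(uint64_t (*build)(const cpu_cfg_t *), bool smcdeleg)
{
    cpu_cfg_t cfg = { .ext_smcdeleg = smcdeleg };
    uint64_t menvcfg = csr_masked_write(0, UINT64_MAX, build(&cfg));
    return (menvcfg & MENVCFG_CDE) != 0;
}

int main(void)
{
    printf("before patch, smcdeleg off: CDE writable = %d\n",
           cde_writable(menvcfg_mask_before, false));
    printf("after  patch, smcdeleg off: CDE writable = %d\n",
           cde_writable(menvcfg_mask_after, false));
    printf("after  patch, smcdeleg on : CDE writable = %d\n",
           cde_writable(menvcfg_mask_after, true));
    return 0;
}
```

The check worth keeping around is the "extension off" case: for any field gated on a config flag, a write of all-ones with the flag cleared must leave that field at zero, which is exactly what the old base mask violated.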