← Back to context

Comment by rybosworld

2 days ago

I'm no expert on TLB invalidation bugs but generally they allow for an attacker to read/write arbitrary memory.

https://googleprojectzero.blogspot.com/2019/01/taking-page-f...

6 comments

rybosworld

Reply
caspper69  2 days ago

I don't mean to be a pedant, so someone please correct me if I'm wrong, but I don't think TLB mishandling would result in arbitrary memory access (I suppose in the strictest sense arbitrary can just mean random, but generally I have understood it to imply that the address can be attacker controlled, which a stale TLB wouldn't allow).

Unless you're like Microsoft (from your link) and accidentally leave the page tables writable from userspace for 2 months. But that's not really a TLB error, that's just L-O-L, wow!

  • jcalvinowens  1 day ago

    Random access is arbitrary access, given enough time. You can try over and over again until you get lucky.

    Imagine I'm a user with local shell access trying to read a secret owned by root. Maybe I can't read the secret, but I can do something which makes another program read the secret. If I can make that program swap (perhaps by wasting a bunch of RAM to create memory pressure), and swapping has some probability of triggering a TLB invalidation bug that lets me see the old page, I win, although it might take awhile.

egberts1  2 days ago

Read-Write-eXecute TLB memory region can be found in JavaScript, Java, Dalvik (Android), and Python.

  • Retr0id  2 days ago

    Modern javascript engines (namely V8) avoid RWX, although last time I checked there's been a backslide as part of WASM implementation.

    CPython also no longer appears to create RWX mappings even for ctypes, although you can of course still mmap them manually.