Vulnerability in XNU | |
---|---|
Software | iOS |
Vulnerable in | ? - 15.4.1 |
Fixed in | 15.5 |
Disclosed | 16 May 2022 |
Discovered by | Linus Henze |
CVE | CVE-2022-26764 |
Apple KB | HT213258 |
CVE-2022-26764, also known as tlbFail, is a Page Protection Layer (PPL) bypass used in Fugu15.
Background
Page tables store the translations from virtual addresses to physical addresses, one entry per page. When you allocate memory inside a process you are handed a virtual address; the address of the backing page in physical memory is different, and if you allocate one contiguous region of virtual memory that spans several pages, the physical pages behind it may be scattered (fragmented) anywhere in RAM.
The Translation Lookaside Buffer (TLB) caches these translations so that the memory management unit (MMU) does not have to walk a process's page tables every time it translates an address it has already translated. When a page table entry is changed or removed, the corresponding TLB entries must be invalidated; otherwise the TLB may keep serving a translation that the page tables no longer contain.
Nested page tables
The dyld_shared_cache is mapped into every process. Instead of building a fresh set of page tables for it in each process (which would consume a large amount of memory), XNU lets page tables be "nested": a single set of page tables covering the shared cache is linked into each process's pmap structure. From the process's point of view these act as ordinary page tables; in reality they are the very same tables every other process on the system is using.
The vulnerability
When a page table entry is removed, the TLB entries for that translation must be invalidated. However, when an entry in a nested page table was removed through one application's pmap (rather than through the pmap the nested table originally came from), the invalidation only covered that application; other processes that had the same table nested kept their cached translations. The gist of how the bug can be exploited looks like this:
- Applications A and B both have the same nested page table linked into their pmaps
- Application B removes the entry for page X from that nested table
- The cached translation for page X is invalidated in application B's TLB
- The cached translation for page X is not invalidated in application A's TLB
- Application A can still access page X, even though it is no longer mapped into the process
Using a kernel call primitive (obtained via a PAC bypass), the attacker can have this now-unmapped page handed to PPL and reused as a page table. Because application A's stale TLB entry still translates to that physical page, A can read and write the new page table's entries at will, and whoever controls page tables has defeated PPL. Note that the stale translation exists only in the TLB: it survives only until the entry is evicted or invalidated by something else, so the attacker must act while it is still cached.
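To make the A/B sequence above concrete, here is an added toy model in C. It is not Fugu15 or XNU code: two pmaps share one nested page table, each pmap has its own TLB, and unmapping through one pmap either invalidates only that pmap's TLB (the buggy behaviour) or the TLB of every pmap sharing the table (the modelled fix). All names, table sizes, page numbers and the "fixed" invalidation strategy are assumptions of the model, not details taken from XNU.

```c
/*
 * Toy model of pmaps with a shared ("nested") page table and per-pmap TLBs.
 * Added example to illustrate tlbFail; not XNU code. Sizes and names are made up.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NPTE        16          /* entries in a toy page table */
#define TLB_SLOTS   8
#define MAX_SHARERS 4
#define NO_XLATE    UINT64_MAX  /* "translation fault" */

typedef struct { uint64_t pte[NPTE]; } page_table_t;  /* pte = PPN, 0 = invalid */
typedef struct { uint64_t vpn, ppn; bool valid; } tlb_entry_t;

struct pmap;
typedef struct {
    page_table_t table;
    struct pmap *sharers[MAX_SHARERS];  /* every pmap that nests this table */
    int nsharers;
} nested_table_t;

typedef struct pmap {
    page_table_t    own;         /* private translations */
    nested_table_t *nested;      /* shared region, like the dyld_shared_cache */
    uint64_t        nested_base; /* first VPN covered by the nested table */
    tlb_entry_t     tlb[TLB_SLOTS];
} pmap_t;

static void tlb_flush_vpn(pmap_t *p, uint64_t vpn) {
    for (int i = 0; i < TLB_SLOTS; i++)
        if (p->tlb[i].valid && p->tlb[i].vpn == vpn) p->tlb[i].valid = false;
}

static void tlb_fill(pmap_t *p, uint64_t vpn, uint64_t ppn) {
    for (int i = 0; i < TLB_SLOTS; i++)
        if (!p->tlb[i].valid) { p->tlb[i] = (tlb_entry_t){ vpn, ppn, true }; return; }
    p->tlb[0] = (tlb_entry_t){ vpn, ppn, true };   /* crude eviction */
}

static bool in_nested(const pmap_t *p, uint64_t vpn) {
    return p->nested && vpn >= p->nested_base && vpn < p->nested_base + NPTE;
}

/* Page table walk: the nested table serves its VPN range, the private one the rest. */
static uint64_t *pte_for(pmap_t *p, uint64_t vpn) {
    if (in_nested(p, vpn)) return &p->nested->table.pte[vpn - p->nested_base];
    return vpn < NPTE ? &p->own.pte[vpn] : NULL;
}

/* MMU: consult the TLB first, walk the tables only on a miss. */
static uint64_t translate(pmap_t *p, uint64_t vpn) {
    for (int i = 0; i < TLB_SLOTS; i++)
        if (p->tlb[i].valid && p->tlb[i].vpn == vpn) return p->tlb[i].ppn;
    uint64_t *pte = pte_for(p, vpn);
    if (!pte || *pte == 0) return NO_XLATE;
    tlb_fill(p, vpn, *pte);
    return *pte;
}

/* Unmap through p's pmap. 'fixed' models the corrected behaviour: invalidate the
   translation in every pmap that shares the nested table, not only in p. */
static void pmap_unmap(pmap_t *p, uint64_t vpn, bool fixed) {
    uint64_t *pte = pte_for(p, vpn);
    if (!pte) return;
    *pte = 0;
    tlb_flush_vpn(p, vpn);
    if (fixed && in_nested(p, vpn))
        for (int i = 0; i < p->nested->nsharers; i++)
            tlb_flush_vpn(p->nested->sharers[i], vpn);
}

static void pmap_nest(pmap_t *p, nested_table_t *n, uint64_t base) {
    p->nested = n;
    p->nested_base = base;
    n->sharers[n->nsharers++] = p;
}

/* Runs the A/B sequence from the text and returns what A's MMU yields for page X
   after B unmapped it: the stale PPN when buggy, NO_XLATE when fixed. */
static uint64_t scenario(bool fixed) {
    nested_table_t shared = {0};
    pmap_t a = {0}, b = {0};
    const uint64_t base = 0x100, x = base + 3, ppn_x = 0x42;  /* made-up numbers */

    shared.table.pte[x - base] = ppn_x;    /* page X lives in the shared table */
    pmap_nest(&a, &shared, base);
    pmap_nest(&b, &shared, base);

    assert(translate(&a, x) == ppn_x);     /* A touches X: A's TLB now caches it */
    assert(translate(&b, x) == ppn_x);
    pmap_unmap(&b, x, fixed);              /* B removes X through its own pmap */
    assert(translate(&b, x) == NO_XLATE);  /* B itself faults, as it should */
    return translate(&a, x);               /* A: stale hit, or fault? */
}

int main(void) {
    printf("buggy: A translates X to %#llx\n", (unsigned long long)scenario(false));
    printf("fixed: A translates X to %#llx\n", (unsigned long long)scenario(true));
    return 0;
}
```

In the buggy run A still resolves X to physical page 0x42 after B unmapped it; in the fixed run A faults. Everything that follows in the real exploit (getting that physical page reused as a page table and writing its entries through the stale translation) depends only on A keeping that cached hit, which is why the fix has to invalidate every sharer's TLB and not just the unmapping pmap's.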
External links
- Fugu15 - The Journey to Jailbreaking iOS 15.4.1, presented by Linus Henze at OBTS 5.0
- tlbFail source from Fugu15