tlbFail
Vulnerability in XNU
Software: iOS
Vulnerable in: ? - 15.4.1
Fixed in: 15.5
Disclosed: 16 May 2022 (2022-05-16)
Discovered by: Linus Henze
CVE: CVE-2022-26764
Apple KB: HT213258

CVE-2022-26764, also known as tlbFail, is a Page Protection Layer (PPL) bypass used in Fugu15.

Background

Page tables store translations between virtual memory and physical memory. When you allocate memory inside a process, you are given a virtual address, but the actual address in physical memory will be different. If you allocate one contiguous region of virtual memory that spans multiple pages, the physical pages may be in different places (fragmented).

The Translation Lookaside Buffer (TLB) caches these translations so that the memory management unit (MMU) doesn't need to walk a process's page tables every time it translates the same address. When a page table entry is changed or removed, the corresponding TLB entries must be invalidated (on arm64, with a TLBI instruction), because otherwise the TLB may keep serving a translation that is no longer valid.

Nested page tables

The dyld_shared_cache is mapped into every process through its own set of page tables. Instead of building a fresh set of page tables for the shared cache in each process (which would consume a large amount of memory), XNU allows page tables to be "nested": from each process's point of view, the shared cache's page tables behave like its own regular page tables, but in reality they are the same page tables shared by every other process in the system, linked into each process through its pmap structure.

The vulnerability

When a page table entry is removed, the TLB must be invalidated in every address space that may have cached that translation. However, when a nested page table entry was removed through an application's pmap (rather than through the pmap from which the nested table originally came), the TLB was only flushed for the process performing the removal, not for the other processes that had the same table nested. The gist of how the bug can be exploited looks like this:

  • Applications A and B have page table A nested inside their pmap
  • Application B removes an entry in the nested table corresponding to page X
  • The cached translation for page X is removed from the TLB for application B
  • The cached translation for page X is not removed from the TLB for application A
  • Application A can still access page X, even though it is no longer mapped into the process

Through a kernel call primitive (obtained with a PAC bypass), an attacker can then arrange for page X to become a PPL page, meaning it is reused as a page table. Application A's stale TLB entry still translates to that physical page, so A can read and write it directly, without going through PPL, and manipulate page table entries at will. Once you control page tables, PPL is defeated.
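The scenario above, as an added illustration that is not code from this page, from Fugu15 or from XNU: a toy model of one shared nested table with a private TLB per process. All names (nested_table_t, pmap_t, unmap_buggy, unmap_fixed, run_scenario) and the physical page numbers are invented for this example. unmap_buggy flushes only the caller's TLB, as the vulnerable behaviour is described; unmap_fixed invalidates the entry in every pmap that nests the table. The function returns what process A translates page X to after B has unmapped it.

```c
/* Added example, not code from the page, Fugu15 or XNU: a model of nested
 * page tables with a per-process TLB. It reproduces the stale-translation
 * condition the article describes and the corrected flush. All identifiers
 * and page numbers are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPAGES     8            /* entries in the shared nested table */
#define NPROCS     2
#define NO_MAPPING 0xFFFFFFFFu  /* marks an empty PTE or empty TLB slot */

/* One shared table: virtual page index -> physical page number. */
typedef struct { uint32_t pte[NPAGES]; } nested_table_t;

/* Per-process state: a pmap that nests the shared table, plus a private TLB. */
typedef struct {
    nested_table_t *nested;     /* the same table object for every pmap */
    uint32_t tlb[NPAGES];       /* cached translations, NO_MAPPING if empty */
} pmap_t;

static void pmap_init(pmap_t *p, nested_table_t *shared) {
    p->nested = shared;
    for (int i = 0; i < NPAGES; i++) p->tlb[i] = NO_MAPPING;
}

static void tlb_invalidate(pmap_t *p, int vpage) { p->tlb[vpage] = NO_MAPPING; }

/* Translate through the TLB first; walk the table only on a miss. */
static uint32_t translate(pmap_t *p, int vpage) {
    if (p->tlb[vpage] != NO_MAPPING) return p->tlb[vpage];  /* hit: no walk */
    uint32_t pa = p->nested->pte[vpage];
    if (pa != NO_MAPPING) p->tlb[vpage] = pa;                /* fill the TLB */
    return pa;
}

/* Vulnerable behaviour: the entry is removed from the shared table but only
 * the calling process's TLB is invalidated. */
static void unmap_buggy(pmap_t *caller, int vpage) {
    caller->nested->pte[vpage] = NO_MAPPING;
    tlb_invalidate(caller, vpage);
}

/* Corrected behaviour: invalidate the entry in every pmap nesting the table. */
static void unmap_fixed(pmap_t *procs, size_t nprocs, pmap_t *caller, int vpage) {
    caller->nested->pte[vpage] = NO_MAPPING;
    for (size_t i = 0; i < nprocs; i++)
        if (procs[i].nested == caller->nested) tlb_invalidate(&procs[i], vpage);
}

/* Runs the article's scenario. Returns the physical page that process A still
 * translates page X to after process B unmapped it: a stale page number in the
 * buggy case, NO_MAPPING once the flush is correct. */
static uint32_t run_scenario(bool fixed) {
    nested_table_t shared;
    for (int i = 0; i < NPAGES; i++)
        shared.pte[i] = 0x1000u + (uint32_t)i;  /* constructed sample mappings */

    pmap_t procs[NPROCS];
    pmap_t *a = &procs[0], *b = &procs[1];
    pmap_init(a, &shared);
    pmap_init(b, &shared);

    const int x = 3;
    (void)translate(a, x);  /* A touches X: its TLB now caches X -> 0x1003 */
    (void)translate(b, x);  /* B touches X as well */

    if (fixed) unmap_fixed(procs, NPROCS, b, x);
    else       unmap_buggy(b, x);

    return translate(a, x); /* buggy: stale TLB hit; fixed: table walk, unmapped */
}

int main(void) {
    printf("buggy: A translates X to 0x%x\n", run_scenario(false));
    printf("fixed: A translates X to 0x%x\n", run_scenario(true));
    return 0;
}
```

In the buggy run A keeps resolving X to the old physical page even though the shared table no longer maps it; in the real system that page can be freed and handed back to PPL, which is the state the exploitation step above relies on. The model leaves out real-hardware details such as ASIDs and the TLBI broadcast, but the invariant it checks is the one the fix restores: a removal from a nested table must invalidate the translation in every address space that nests it.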

External links