path: root/chromium/docs/website/site/chromium-os/glitch-vulnerability-status/index.md
blob: a60997fadbc97c136b817f782cf4d367db9a2d61 (plain)
---
breadcrumbs:
- - /chromium-os
  - Chromium OS
page_name: glitch-vulnerability-status
title: GLitch vulnerability status
---

## Vulnerability description

The [GLitch
vulnerability](https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf) uses
timing information gathered from the GPU to execute a
[Rowhammer-style](https://en.wikipedia.org/wiki/Row_hammer) bit-flip attack.
High-precision GPU timers can be used from an untrusted web page via WebGL to
determine the physical layout of memory pages. GL shaders running on the GPU are
then used to cause bit flips in CPU-accessible DRAM on unified memory
architecture GPUs.

Successful exploitation would enable an attacker to escalate privileges from
JavaScript. This has been demonstrated to allow arbitrary code execution within
the Chrome sandbox.

## Chrome OS response

Chrome OS 65, released to the stable channel on [April 5,
2018](https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-chrome-os.html),
mitigates the remote vector of the GLitch vulnerability on all Chrome OS devices
by removing access to high-precision WebGL timers. Users can [enable Site
Isolation](http://www.chromium.org/Home/chromium-security/site-isolation) for
further protection.
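As an added example that is not part of the original page, the following script is a defender-side check that a browser build no longer exposes the WebGL GPU timer-query extensions on which GLitch relies; it assumes the mitigation above corresponds to the standard `EXT_disjoint_timer_query` and `EXT_disjoint_timer_query_webgl2` extensions, and the mock contexts are constructed so the logic can be exercised outside a browser.

```javascript
// Added example (not from the Chromium OS page): verify that a browser does not
// expose the WebGL GPU timer-query extensions GLitch depends on. The names below
// are the standard WebGL timer-query extensions; it is an assumption that these
// are what the Chrome OS 65 mitigation removed access to.
const GPU_TIMER_EXTENSIONS = [
  "EXT_disjoint_timer_query",        // WebGL 1 GPU timer queries
  "EXT_disjoint_timer_query_webgl2", // WebGL 2 equivalent
];

// Given a WebGL rendering context (anything exposing getExtension()), return
// the subset of GPU timer-query extensions the browser actually hands out.
function exposedTimerExtensions(gl) {
  if (!gl || typeof gl.getExtension !== "function") return [];
  return GPU_TIMER_EXTENSIONS.filter((name) => gl.getExtension(name) !== null);
}

// Summarise the result: "mitigated" when no timer-query extension is reachable,
// "exposed" when at least one is, "no-webgl" when no context could be created.
function timerQueryStatus(gl) {
  if (!gl) return { status: "no-webgl", exposed: [] };
  const exposed = exposedTimerExtensions(gl);
  return { status: exposed.length === 0 ? "mitigated" : "exposed", exposed };
}

// Browser entry point: probe both WebGL 1 and WebGL 2 on an offscreen canvas.
// Returns null when there is no DOM (for example under Node).
function checkBrowser(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return null;
  const canvas = doc.createElement("canvas");
  return {
    webgl1: timerQueryStatus(canvas.getContext("webgl")),
    webgl2: timerQueryStatus(canvas.getContext("webgl2")),
  };
}

// Constructed mock context: behaves like getExtension() for the given names.
function mockContext(available) {
  return { getExtension: (name) => (available.includes(name) ? { name } : null) };
}

if (typeof document !== "undefined") {
  console.log(JSON.stringify(checkBrowser(), null, 2));
}
```

On a mitigated build both probes report `mitigated`; any entry under `exposed` means GPU timer queries are still reachable from web content.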

## Affected devices

Chrome OS Intel devices are protected against GLitch and other Rowhammer-style
bit flips either by using double refresh or, where supported, by Target Row
Refresh (TRR) on DDR4 RAM. Chrome OS ARM devices use DDR3 RAM, which is
theoretically vulnerable to Rowhammer-style attacks; however, bit flips have not
been reproduced on these devices. No further action is necessary for Chrome OS
ARM devices at the moment.