Why do two invalidate operations cause security hole？

[baimengwei]

quote：

Until a modified cache block has updated memory, a CBO.INVAL instruction may expose stale data values in memory if the CSRs are programmed to perform an invalidate operation. This behavior may result in a security hole if lower privileged level software performs an invalidate operation and accesses sensitive information in memory.

https://github.com/riscv/riscv-CMOs/blob/ce72670f9843d94952c685346cf52d43b969ccdf/cmobase/csr_state.adoc。

A scene I guess is like this：

1. In the machine mode, execute the cbo.inval instruction for an address (such as 0x83000000), and some data(0x1234) in the cache corresponding to the address is invalid
2. Switch to the user mode and execute the cbo.inval instruction for the same address (such as 0x83000000). Similarly, some data in the cache corresponding to this address is invalid. User mode does not get data 0x1234

So why does it lead to security hole when users access sensitive data?

[ingallsj]

Adjusting your example, the scenario is:

1. Some sensitive data (0x1234) is written to a physical address (such as 0x83000000) in backing memory.
2. Some new sanitizing data (0x0000) is written to that same physical address in a (write-back) cache.
3. Execute the cbo.inval instruction for the same address (such as 0x83000000), so that the sanitizing data (0x0000) is discarded (not written back) from the cache.
4. Execute a load for the same address (such as 0x83000000), which reads the old sensitive data (0x1234) from backing memory.

[baimengwei]

thanks 👍