Title: [234852] trunk/Source/_javascript_Core
- Revision
- 234852
- Author
- [email protected]
- Date
- 2018-08-14 10:16:31 -0700 (Tue, 14 Aug 2018)
Log Message
[JSC] Should not rotate constant with 64
https://bugs.webkit.org/show_bug.cgi?id=188556
Reviewed by Mark Lam.
To defend against JIT splaying, we rotate a constant with a randomly generated seed.
But if a seed becomes 64, the following code performs `value << 64` where value's type
is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
range of [0, 64) not to generate code causing UBs. This is found by UBSan.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::generateRotationSeed):
(JSC::MacroAssembler::rotationBlindConstant):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (234851 => 234852)
--- trunk/Source/_javascript_Core/ChangeLog 2018-08-14 17:12:14 UTC (rev 234851)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-08-14 17:16:31 UTC (rev 234852)
@@ -1,3 +1,19 @@
+2018-08-14 Yusuke Suzuki <[email protected]>
+
+ [JSC] Should not rotate constant with 64
+ https://bugs.webkit.org/show_bug.cgi?id=188556
+
+ Reviewed by Mark Lam.
+
+ To defend against JIT splaying, we rotate a constant with a randomly generated seed.
+ But if a seed becomes 64, the following code performs `value << 64` where value's type
+ is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
+ range of [0, 64) not to generate code causing UBs. This is found by UBSan.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::generateRotationSeed):
+ (JSC::MacroAssembler::rotationBlindConstant):
+
2018-08-12 Karo Gyoker <[email protected]>
Disable JIT on IA-32 without SSE2
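Review bot: the description ("if a seed becomes 64, the following code performs `value << 64`") does not match the removed code in the MacroAssembler.h hunks below: `random() % (sizeof(void*) * 8)` can never evaluate to 64, so the left shift was already in range. The shift UBSan can actually reach in those callers is the right-hand side of the rotate, `value >> (sizeof(void*) * 8 - rotation)`, which becomes a shift by the full width when the seed is 0. Consider rewording the ChangeLog to name the rotation-by-zero case so the record matches the defect being fixed.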
Modified: trunk/Source/_javascript_Core/assembler/MacroAssembler.h (234851 => 234852)
--- trunk/Source/_javascript_Core/assembler/MacroAssembler.h 2018-08-14 17:12:14 UTC (rev 234851)
+++ trunk/Source/_javascript_Core/assembler/MacroAssembler.h 2018-08-14 17:16:31 UTC (rev 234852)
@@ -1290,6 +1290,13 @@
return shouldBlindPointerForSpecificArch(value);
}
+
+ uint8_t generateRotationSeed(size_t widthInBits)
+ {
+ // Generate the seed in [0, widthInBits). We should not generate widthInBits
+ // since it leads to `<< widthInBits`, which is an undefined behavior.
+ return random() % (widthInBits - 1);
+ }
struct RotatedImmPtr {
RotatedImmPtr(uintptr_t v1, uint8_t v2)
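Review bot: `random() % (widthInBits - 1)` produces values in [0, widthInBits - 2], not the [0, widthInBits) the comment above it promises, and it still allows 0, which is exactly the seed that drives the callers' `value >> (widthInBits - rotation)` to a full-width shift. Suggest `return (random() % (widthInBits - 1)) + 1;` and a comment stating the seed lies in [1, widthInBits - 1]: that keeps both shifts strictly below the width, and it also restores the rotation by widthInBits - 1 that the current modulus silently drops.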
@@ -1303,7 +1310,7 @@
RotatedImmPtr rotationBlindConstant(ImmPtr imm)
{
- uint8_t rotation = random() % (sizeof(void*) * 8);
+ uint8_t rotation = generateRotationSeed(sizeof(void*) * 8);
uintptr_t value = imm.asTrustedImmPtr().asIntptr();
value = (value << rotation) | (value >> (sizeof(void*) * 8 - rotation));
return RotatedImmPtr(value, rotation);
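Review bot: the call site changes which seeds this function receives, but the rotate on the unchanged line `value = (value << rotation) | (value >> (sizeof(void*) * 8 - rotation));` is where the range guarantee is needed, and it is still a shift by the full pointer width whenever `rotation` is 0, which `generateRotationSeed` as written can return. Either the generator must exclude 0 or this line needs an explicit `rotation == 0` case; a comment here stating the precondition (0 < rotation < width) would make the contract between the two visible to the next reader.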
@@ -1371,7 +1378,7 @@
RotatedImm64 rotationBlindConstant(Imm64 imm)
{
- uint8_t rotation = random() % (sizeof(int64_t) * 8);
+ uint8_t rotation = generateRotationSeed(sizeof(int64_t) * 8);
uint64_t value = imm.asTrustedImm64().m_value;
value = (value << rotation) | (value >> (sizeof(int64_t) * 8 - rotation));
return RotatedImm64(value, rotation);
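Review bot: this overload repeats the same rotate expression and the same implicit precondition on `rotation` as the `ImmPtr` version above, so any fix to the zero-seed case has to be made twice. A small shared helper that takes the value, the seed and the width, and asserts the seed is in range, would put the check in one place for both `RotatedImmPtr` and `RotatedImm64`.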
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes