Title: [235307] releases/WebKitGTK/webkit-2.22/Source/_javascript_Core
Revision
235307
Author
[email protected]
Date
2018-08-24 01:10:37 -0700 (Fri, 24 Aug 2018)

Log Message

Merge r235160 - [JSC] Should not rotate constant with 64
https://bugs.webkit.org/show_bug.cgi?id=188556

Reviewed by Saam Barati.

To defend against JIT spraying, we rotate a constant with a randomly generated seed.
But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`,
where value's type is uint64_t, and these cause undefined behaviors (UBs). This patch limits
the seed to the range [1, 63] so as not to generate code causing UBs. This was found by UBSan.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::generateRotationSeed):
(JSC::MacroAssembler::rotationBlindConstant):

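As an added illustration (not code from this commit or from WebKit), the rotation blinding and its inverse with the seed range the patch enforces; rand() stands in for the page's random(), the 64-bit width is fixed for the rotation helpers, and all function names are this example's own:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Seed in [1, width - 1], mirroring the patched generateRotationSeed(). The
 * pre-patch form, random() % width, could return 0, making the rotation below
 * shift by the full width (undefined behaviour). rand() stands in for random(). */
static uint8_t generate_rotation_seed(size_t width_in_bits)
{
    return (uint8_t)((rand() % (int)(width_in_bits - 1)) + 1);
}

/* A seed is usable only if both shift counts stay in [1, width - 1]. */
static bool rotation_seed_is_valid(uint8_t rotation, size_t width_in_bits)
{
    return rotation >= 1 && rotation < width_in_bits;
}

/* Blinding step: rotate-left by `rotation`, as rotationBlindConstant(Imm64) does. */
static uint64_t blind_constant(uint64_t value, uint8_t rotation)
{
    return (value << rotation) | (value >> (64 - rotation));
}

/* Unblinding step: the rotate-right the emitted code performs to recover the value. */
static uint64_t unblind_constant(uint64_t blinded, uint8_t rotation)
{
    return (blinded >> rotation) | (blinded << (64 - rotation));
}

/* Round-trip check over every valid seed for one value. */
static bool roundtrip_all_seeds(uint64_t value)
{
    for (uint8_t r = 1; r < 64; r++)
        if (unblind_constant(blind_constant(value, r), r) != value)
            return false;
    return true;
}

/* Draw seeds repeatedly; every one must satisfy the [1, 63] invariant. */
static bool seeds_in_range(int draws)
{
    for (int i = 0; i < draws; i++)
        if (!rotation_seed_is_valid(generate_rotation_seed(64), 64))
            return false;
    return true;
}
```

Built with -fsanitize=undefined, replacing `rand() % (int)(width_in_bits - 1)) + 1` by the pre-patch `rand() % width_in_bits` reproduces the UBSan report the commit describes.
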
Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (235306 => 235307)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-08-24 08:10:32 UTC (rev 235306)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-08-24 08:10:37 UTC (rev 235307)
@@ -1,3 +1,19 @@
+2018-08-19  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Should not rotate constant with 64
+        https://bugs.webkit.org/show_bug.cgi?id=188556
+
+        Reviewed by Saam Barati.
+
+        To defend against JIT splaying, we rotate a constant with a randomly generated seed.
+        But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
+        where value's type is uint64_t, and they cause undefined behaviors (UBs). This patch limits
+        the seed in the range of [1, 63] not to generate code causing UBs. This is found by UBSan.
+
+        * assembler/MacroAssembler.h:
+        (JSC::MacroAssembler::generateRotationSeed):
+        (JSC::MacroAssembler::rotationBlindConstant):
+
 2018-08-20  Saam barati  <[email protected]>
 
         Inline DataView accesses into DFG/FTL
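Review bot: the entry states the range as [1, 63], but the helper it introduces takes widthInBits, so the range actually enforced is [1, widthInBits - 1] (for the ImmPtr path that is [1, 31] on a build where sizeof(void*) is 4). Consider stating the generic range here so the ChangeLog matches the code.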

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/assembler/MacroAssembler.h (235306 => 235307)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/assembler/MacroAssembler.h	2018-08-24 08:10:32 UTC (rev 235306)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/assembler/MacroAssembler.h	2018-08-24 08:10:37 UTC (rev 235307)
@@ -1290,6 +1290,13 @@
 
         return shouldBlindPointerForSpecificArch(value);
     }
+
+    uint8_t generateRotationSeed(size_t widthInBits)
+    {
+        // Generate the seed in [1, widthInBits - 1]. We should not generate widthInBits or 0
+        // since it leads to `<< widthInBits` or `>> widthInBits`, which cause undefined behaviors.
+        return (random() % (widthInBits - 1)) + 1;
+    }
     
     struct RotatedImmPtr {
         RotatedImmPtr(uintptr_t v1, uint8_t v2)
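Review bot: generateRotationSeed has an unstated precondition widthInBits >= 2; with widthInBits == 1 the modulus `widthInBits - 1` is 0. An assertion on that precondition would document it. Two smaller points: random() is libc's non-cryptographic generator, which bounds how unpredictable the blinding seed can be, so a cryptographically strong source would better suit a mitigation; and the helper touches no member state, so it could be static.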
@@ -1303,7 +1310,7 @@
     
     RotatedImmPtr rotationBlindConstant(ImmPtr imm)
     {
-        uint8_t rotation = random() % (sizeof(void*) * 8);
+        uint8_t rotation = generateRotationSeed(sizeof(void*) * 8);
         uintptr_t value = imm.asTrustedImmPtr().asIntptr();
         value = (value << rotation) | (value >> (sizeof(void*) * 8 - rotation));
         return RotatedImmPtr(value, rotation);
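Review bot: with rotation now in [1, sizeof(void*) * 8 - 1], both shift counts on the line after the change, `rotation` and `sizeof(void*) * 8 - rotation`, stay strictly inside the operand width, so the shift-by-width UB UBSan reported is gone. A cheap assertion at this use site that rotation is non-zero and below the width would keep that invariant visible if the seed helper is ever changed.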
@@ -1371,7 +1378,7 @@
     
     RotatedImm64 rotationBlindConstant(Imm64 imm)
     {
-        uint8_t rotation = random() % (sizeof(int64_t) * 8);
+        uint8_t rotation = generateRotationSeed(sizeof(int64_t) * 8);
         uint64_t value = imm.asTrustedImm64().m_value;
         value = (value << rotation) | (value >> (sizeof(int64_t) * 8 - rotation));
         return RotatedImm64(value, rotation);
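Review bot: this hunk and the ImmPtr one above repeat the same rotate-left expression with only the width differing; a single helper taking the width (or a template on the value type) would keep the two call sites from drifting, and would make it explicit that the Imm64 path always rotates over 64 bits even on a build where the ImmPtr path rotates over 32.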
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes