WebKit Bugzilla
Attachment 347080 Details for Bug 188556: [JSC] Should not rotate constant with 64
Attachment: Patch (bug-188556-20180815011312.patch), created by Yusuke Suzuki on 2018-08-14 09:13:13 PDT
Description: Patch
Filename: bug-188556-20180815011312.patch
MIME Type: text/plain
Creator: Yusuke Suzuki
Created: 2018-08-14 09:13:13 PDT
Size: 2.78 KB
Flags: patch, obsolete
>Subversion Revision: 234847 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index dfea2857d6c330b232bd5d6ced981e34e94d6322..cf8dcf9c28db11be2f98c247037d2cf50dd73f0a 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org> >+ >+ [JSC] Should not rotate constant with 64 >+ https://bugs.webkit.org/show_bug.cgi?id=188556 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ To defend against JIT splaying, we rotate a constant with a randomly generated seed. >+ But if a seed becomes 64, the following code performs `value << 64` where value's type >+ is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the >+ range of [0, 64) not to generate code causing UBs. >+ >+ * assembler/MacroAssembler.h: >+ (JSC::MacroAssembler::generateRotationSeed): >+ (JSC::MacroAssembler::rotationBlindConstant): >+ > 2018-08-12 Karo Gyoker <karogyoker2+webkit@gmail.com> > > Disable JIT on IA-32 without SSE2 >diff --git a/Source/JavaScriptCore/assembler/MacroAssembler.h b/Source/JavaScriptCore/assembler/MacroAssembler.h >index 6a15a86cc1a74f209677a39f6ece908d3512412c..d3c81765e9027f67ca05823b39880808e65b5ae8 100644 >--- a/Source/JavaScriptCore/assembler/MacroAssembler.h >+++ b/Source/JavaScriptCore/assembler/MacroAssembler.h >@@ -1290,6 +1290,13 @@ class MacroAssembler : public MacroAssemblerBase { > > return shouldBlindPointerForSpecificArch(value); > } >+ >+ uint8_t generateRotationSeed(size_t widthInBits) >+ { >+ // Generate the seed in [0, widthInBits). We should not generate widthInBits >+ // since it leads to `<< widthInBits`, which is an undefined behavior. >+ return random() % (widthInBits - 1); >+ } > > struct RotatedImmPtr { > RotatedImmPtr(uintptr_t v1, uint8_t v2) 
>@@ -1303,7 +1310,7 @@ class MacroAssembler : public MacroAssemblerBase { > > RotatedImmPtr rotationBlindConstant(ImmPtr imm) > { >- uint8_t rotation = random() % (sizeof(void*) * 8); >+ uint8_t rotation = generateRotationSeed(sizeof(void*) * 8); > uintptr_t value = imm.asTrustedImmPtr().asIntptr(); > value = (value << rotation) | (value >> (sizeof(void*) * 8 - rotation)); > return RotatedImmPtr(value, rotation); >@@ -1371,7 +1378,7 @@ class MacroAssembler : public MacroAssemblerBase { > > RotatedImm64 rotationBlindConstant(Imm64 imm) > { >- uint8_t rotation = random() % (sizeof(int64_t) * 8); >+ uint8_t rotation = generateRotationSeed(sizeof(int64_t) * 8); > uint64_t value = imm.asTrustedImm64().m_value; > value = (value << rotation) | (value >> (sizeof(int64_t) * 8 - rotation)); > return RotatedImm64(value, rotation);
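Review bot: the ChangeLog's premise does not match the code being replaced. The old expression `random() % (sizeof(void*) * 8)` already yields a value in [0, 64), so a seed of 64 and a `value << 64` could never occur. The shift count that can reach 64 is the other one, `value >> (sizeof(void*) * 8 - rotation)`, which is evaluated with a count of 64 whenever rotation == 0, and that is the case the new code needs to exclude. Suggest rewording the description to say the seed must avoid 0 (as well as widthInBits) and that the intended range is [1, widthInBits - 1].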
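Review bot: `return random() % (widthInBits - 1);` in generateRotationSeed returns a value in [0, widthInBits - 1), not the [0, widthInBits) stated in the comment two lines above it, so for a 64-bit width it excludes 63 rather than 64 and still returns 0, which makes both callers compute `value >> widthInBits`. Suggest `return (random() % (widthInBits - 1)) + 1;` to produce [1, widthInBits - 1], and rewriting the comment to say that both 0 and widthInBits are excluded because each turns one of the two shifts in the callers into a shift by the full operand width.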
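Review bot: the unchanged context line `value = (value << rotation) | (value >> (sizeof(void*) * 8 - rotation));` is where the undefined behaviour actually sits: with rotation == 0, which generateRotationSeed as written can still return, the right-shift count equals the operand width. The identical expression with `sizeof(int64_t) * 8` appears in the Imm64 hunk that follows. Either exclude 0 from the seed, in which case these two lines are correct as they stand, or, if 0 is meant to remain a legal seed, mask the counts so the rotate is total, for example `(value >> ((width - rotation) & (width - 1)))`, which yields `value` unchanged for a rotation of 0 instead of an out-of-range shift.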
Attachments on bug 188556: 347080 | 347474 | 347478