Closed
Bug 1465448
Opened 6 years ago
Closed 4 years ago
Spectre mitigations for CodeGenerator::visitFunctionDispatch
Categories: Core :: JavaScript Engine: JIT, enhancement, P2
People: Reporter: nbp, Unassigned
References: Blocks 1 open bug
Keywords: csectype-sop, sec-moderate
Spectre issues are issues where a branch is taken based on speculation instead of being based on a condition. The speculative execution can then do multiple sequential reads, allowing it to probe any memory's content by looking at the loaded cache lines of any controlled buffer.
Extracted from Bug 1452136 audit:
- branchTestObjGroupUnsafe
- CodeGenerator::visitFunctionDispatch(LFunctionDispatch* lir)
A speculative execution of the dispatch implies that we would not have loaded the "input->group()" address from "input", while taking one of these branches based on speculation.
This could cause issues if we have follow-up uses of "input" after in dominated branches. This is not frequent in common code bases therefore we could special case the clobber to only be made if the MIR instruction has uses within the non-default case.
If we do not have follow-up uses of "input" then this would be like a mispredicted branch with no option of reading data through the input register.
TODO: We should use spectre-safe variant if the mir has more uses out-side the fallback case.
Note: We could factor out the load of the object group.
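The register clobber that the TODO above asks for, shown as an added C illustration that is not SpiderMonkey code and not attached to this bug: a group-based dispatch in its plain form next to a variant that masks the object pointer in every dominated case that still uses it. The Group/Object layout, the three sample objects and all function names are constructed for the example; the real JIT would emit the same thing as a compare plus cmov in its macro assembler rather than relying on a C compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the object/group layout the bug talks about: the
   object's first word points to its group, which the dispatch branches on. */
typedef struct Group { const char *name; } Group;
typedef struct Object { const Group *group; int64_t payload; } Object;

static const Group group_a = { "A" };
static const Group group_b = { "B" };
static const Group group_other = { "other" };

/* Constructed sample inputs: two that hit a case, one that takes the fallback. */
static const Object sample_a = { &group_a, 10 };
static const Object sample_b = { &group_b, 10 };
static const Object sample_other = { &group_other, 10 };

/* Branchless clobber of the input register: yields `ptr` when `group` is the
   expected group and NULL otherwise. The mask comes from a fresh compare, not
   from the branch outcome, so it is right even while the branch is still being
   speculated. The asm hides `group` from the optimizer so the compare is not
   folded to a constant inside the `if` that already tested it (that folding
   would delete the mask). A JIT emits this directly as cmp + cmov. */
static inline const Object *spectre_mask_ptr(const Object *ptr,
                                             const Group *group,
                                             const Group *expected)
{
#if defined(__GNUC__)
    __asm__ volatile("" : "+r"(group));
#endif
    uintptr_t mask = (uintptr_t)0 - (uintptr_t)(group == expected);
    return (const Object *)((uintptr_t)ptr & mask);
}

/* Unhardened dispatch. On a mispredicted branch the dominated case runs
   speculatively with `input` still pointing at the real object, so
   `input->payload` is a speculative read through an unverified pointer. */
static int64_t dispatch_unsafe(const Object *input)
{
    if (input->group == &group_a) return input->payload * 2;  /* case A uses input */
    if (input->group == &group_b) return input->payload + 1;  /* case B uses input */
    return -1;                                                /* fallback */
}

/* Hardened dispatch in the spirit of the TODO: load the group once and, in
   each dominated case that still uses `input`, replace it with the masked
   pointer before the first dependent use. Architecturally the mask is all
   ones and the result is unchanged; under misprediction it is zero, so the
   dependent load targets NULL instead of the object. */
static int64_t dispatch_safe(const Object *input)
{
    const Group *group = input->group;
    if (group == &group_a) {
        const Object *in = spectre_mask_ptr(input, group, &group_a);
        return in->payload * 2;
    }
    if (group == &group_b) {
        const Object *in = spectre_mask_ptr(input, group, &group_b);
        return in->payload + 1;
    }
    return -1;  /* fallback handles any group, so there is nothing to clobber */
}

/* 1 if the hardened dispatch agrees with the plain one on every sample,
   i.e. the clobber changed nothing on the architectural path. */
static int demo_check(void)
{
    const Object *samples[] = { &sample_a, &sample_b, &sample_other };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (dispatch_unsafe(samples[i]) != dispatch_safe(samples[i]))
            return 0;
    return 1;
}

int main(void)
{
    printf("mask with wrong group -> %p\n",
           (const void *)spectre_mask_ptr(&sample_a, &group_b, &group_a));
    printf("hardened and plain dispatch agree: %d\n", demo_check());
    return 0;
}
```

Build with optimization and read the disassembly of `dispatch_safe`: the mask must show up as a compare feeding a setcc/cmov and an `and`, never as a second conditional jump, because a C compiler is free to turn a data-dependent select back into a branch and a JIT is the only place where the cmov is guaranteed. The fallback case is left alone, matching the bug's proposal to clobber only where a non-default case actually has further uses of the input.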
Updated•6 years ago
Group: core-security
Updated•6 years ago
Keywords: sec-high → sec-moderate
Comment 1•4 years ago
Fixed by IonBuilder removal in Bug 1673553. The FunctionDispatch type was removed.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Updated•4 years ago
Group: javascript-core-security → core-security-release
Updated•3 years ago
Group: core-security-release