Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3e3d0883c84955472ece1b2f2e63f31522c5440d
      
https://github.com/WebKit/WebKit/commit/3e3d0883c84955472ece1b2f2e63f31522c5440d
  Author: Keith Miller <keith_mil...@apple.com>
  Date:   2024-05-20 (Mon, 20 May 2024)

  Changed paths:
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
    M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
    M Source/JavaScriptCore/jit/ThunkGenerators.cpp
    M Source/JavaScriptCore/llint/LLIntThunks.cpp
    M Source/JavaScriptCore/runtime/Options.cpp
    M Source/JavaScriptCore/runtime/OptionsList.h
    M Source/WTF/wtf/PtrTag.h
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Tools/Scripts/run-jsc-stress-tests

  Log Message:
  -----------
  Make it harder to get a PAC signing gadget in JIT code.
https://bugs.webkit.org/show_bug.cgi?id=272750
rdar://125596635

Reviewed by Yusuke Suzuki.

Right now if an attacker can control where code is allocated they can overlap code to create a PAC bypass. This patch makes that harder (in the WebContent process) by only allowing pacibsp and pacizb. This means that during arity fixup we now tag the return PC with pacizb. This is ok because we don't use the zero diversifier for anything.

For reifying inlined call frames during OSR exit things are a bit more complicated. First we have to be careful to only move signed return addresses into lr then untag them there. Also, we have to shuffle SP to point to where it would in the reified frame. This means that there is technically live data below our SP, which on many OSes causes problems. Talking to our kernel folks however this isn't a problem as long as we don't have any signal handlers or run lldb expressions in this window. We don't use signal handlers in the WebContent process and this patch tries to limit/document the window of JIT code where lldb would trash the stack.

* Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::tagPtr):
* Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
(JSC::AssemblyHelpers::transferReturnPC):
* Source/JavaScriptCore/jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
* Source/JavaScriptCore/llint/LLIntThunks.cpp:
(JSC::LLInt::tagGateThunk):
(JSC::LLInt::untagGateThunk):
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/WTF/wtf/PtrTag.h:
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::initializeProcess):
* Tools/Scripts/run-jsc-stress-tests:

Originally-landed-as: f442fbe222f3. rdar://128091836
Canonical link: https://commits.webkit.org/278996@main
