Bug 1438881 - Apply CFG to Jit Emissions
Opened 7 years ago, closed 6 years ago
Categories: Core :: JavaScript Engine: JIT, enhancement, P2
Status: RESOLVED INVALID
Tracking: firefox60 --- fix-optional
People: Reporter: tjr, Unassigned
If we don't tell the process what is a valid call target when we emit JIT code, everything's valid.
From https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
You also have the option of dynamically controlling the set of icall target addresses that are considered valid by CFG using the SetProcessValidCallTargets from the Memory Management API. The same API can be used to specify whether pages are invalid or valid targets for CFG. The VirtualProtect and VirtualAlloc functions will by default treat a specified region of executable and committed pages as valid indirect call targets. It is possible to override this behavior, such as when implementing a Just-in-Time compiler, by specifying PAGE_TARGETS_INVALID when calling VirtualAlloc or PAGE_TARGETS_NO_UPDATE when calling VirtualProtect as detailed under Memory Protection Constants.
Updated • 7 years ago
status-firefox60: --- → fix-optional
Priority: -- → P2
Comment 1 • 7 years ago
(In reply to Tom Ritter [:tjr] from comment #0)
> If we don't tell the process what is a valid call target when we emit JIT
> code, everything's valid.
Do we have CFG enabled for the rest of the binary? Otherwise this sounds pointless to only do it in the JIT, knowing that somebody who controls the rest of the browser can just jump in the middle of anywhere, and thus skip these control flow guards.
Do we have a bug for tracking CFG for the rest of the binary?
Flags: needinfo?(tom)
Comment 2 • 7 years ago
Right now we enable CFG on mozglue, bug 1438876 tracks applying it to all libraries.
It seems like there are really two JIT related CFG tasks:
a) Marking which entrypoints are valid, so you can't just jump to anywhere in the JIT-code buffer
b) Applying CFG checks to virtual calls the JIT performs
Comment 3 • 7 years ago
Thanks Alex.
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #2)
> Right now we enable CFG on mozglue, bug 1438876 tracks applying it to all
> libraries.
>
> It seems like there's really two JIT related CFG tasks:
>
> a) Marking which entrypoints are valid, so you can't just jump to anywhere
> in the JIT-code buffer
This implies that our C++ code does the same safety checks to not jump into Jit code.
> b) Applying CFG checks to virtual calls the JIT performs
This should be doable, I am going to look at the same areas with Bug 1437130.
Flags: needinfo?(tom)
Comment 4 • 7 years ago
For (a), that's correct. The thing the JIT needs to do is pass |PAGE_TARGETS_INVALID| to |VirtualAlloc| and then call |SetProcessValidCallTargets| with the valid targets.
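The sequence comment 4 describes, as an added example that is not Mozilla code and not from this thread: allocate the JIT region with PAGE_TARGETS_INVALID so none of its bytes start out as valid indirect-call targets, then register only the emitted entry points with SetProcessValidCallTargets. The Win32 calls are compiled only on Windows (Windows 10 SDK, link with mincore.lib); build_cfg_targets, the 16-byte entry alignment and the sample offsets are this example's own assumptions.

```c
/* Added example, not Mozilla code: a JIT region allocated with no valid CFG
 * call targets, then only its entry points whitelisted. The Win32 part builds
 * only on Windows (Windows 10 SDK, link with mincore.lib). */
#include <stddef.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else /* stand-ins so the table logic builds and runs off Windows */
typedef size_t ULONG_PTR;
typedef struct { ULONG_PTR Offset; ULONG_PTR Flags; } CFG_CALL_TARGET_INFO;
#define CFG_CALL_TARGET_VALID 0x1
#endif
/* Example's own convention: entry points are 16-byte aligned, the CFG bitmap
 * granularity, so one valid entry does not loosen the check on its neighbours. */
#define JIT_ENTRY_ALIGN 16

/* Fill SetProcessValidCallTargets entries from entry offsets inside the region.
 * Returns the count, or -1 on a misaligned or out-of-range offset: dropping
 * one silently would leave an entry point that can never be called. */
int build_cfg_targets(const size_t *entry_offsets, size_t n,
                      size_t region_size, CFG_CALL_TARGET_INFO *out)
{
    for (size_t i = 0; i < n; i++) {
        if (entry_offsets[i] % JIT_ENTRY_ALIGN != 0 || entry_offsets[i] >= region_size)
            return -1;
        out[i].Offset = (ULONG_PTR)entry_offsets[i]; /* relative to region start */
        out[i].Flags = CFG_CALL_TARGET_VALID;
    }
    return (int)n;
}

#ifdef _WIN32
/* RWX pages that start as INVALID call targets; only listed entries become valid. */
void *jit_alloc_with_cfg(size_t region_size, const size_t *entry_offsets, size_t n)
{
    void *buf = VirtualAlloc(NULL, region_size, MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE | PAGE_TARGETS_INVALID);
    if (!buf) return NULL;
    /* ... emit machine code into buf with entry points at entry_offsets ... */
    CFG_CALL_TARGET_INFO *t = calloc(n, sizeof *t);
    if (!t || build_cfg_targets(entry_offsets, n, region_size, t) < 0 ||
        !SetProcessValidCallTargets(GetCurrentProcess(), buf, region_size, (ULONG)n, t)) {
        free(t);
        VirtualFree(buf, 0, MEM_RELEASE); /* never leave a region with unmarked code */
        return NULL;
    }
    free(t);
    return buf;
}
#endif
```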
Comment 5 • 6 years ago (Reporter)
Until/Unless clang support improves, this cannot be done. See Bug 1485016 for more.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID