Closed Bug 1611085 Opened 4 years ago Closed 4 years ago

Land debug instrumentation patch from bug 1607443

Categories

(Core :: JavaScript Engine: JIT, task, P1)

task

Tracking


RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

Details

(Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main75-])

Attachments

(1 file)

Bug 1607670 landed yesterday so I think we fixed all known issues and should land the patch now to prevent regressions and to make fuzzing it easier.

Component: JavaScript Engine → JavaScript Engine: JIT
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
Priority: -- → P1
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

Jan, could you please explain what this assertion means, in a way that doesn't require understanding the JITs? I read the comment that starts with "If this MIR instruction has an overridden AliasSet" but I still don't understand what this is checking or why. Thanks.

Flags: needinfo?(jdemooij)

(In reply to Andrew McCreight [:mccr8] from comment #4)

Jan, could you please explain what this assertion means, in a way that doesn't require understanding the JITs? I read the comment that starts with "If this MIR instruction has an overridden AliasSet" but I still don't understand what this is checking or why. Thanks.

MIR instructions have a way to describe what side effects they have (using alias sets). The recent 0-day was caused by this information being incorrect: Ion would assume an instruction (calling into C++) could only store to object elements, but the exploit code was able to invoke arbitrary JS (via setters), breaking JIT optimizations based on the buggy alias set.

The assert added here catches the worst of these bugs: if a MIR instruction says it doesn't have all possible side-effects, then we check in debug builds that this MIR instruction cannot call into JS in any way (because calling into JS is the typical "anything can happen, we can exploit this" scenario).

I hope this helps.

Flags: needinfo?(jdemooij)
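The following is an added toy model of the invariant Jan describes in the comment above, not SpiderMonkey/IonMonkey code and not the patch attached to this bug. The names AliasSet, MInstruction, checkAliasSetInvariant and mayReuseLoadAcross are invented for illustration and do not match Ion's real API. It shows the two halves of the problem: the optimization that trusts a declared alias set (reusing a load across a store whose alias set does not intersect it), and the debug-build check that an instruction claiming less than "everything" must not be able to run arbitrary JS.

```cpp
// Toy model (added example, not SpiderMonkey code) of alias sets and the
// debug assertion discussed in this bug. All names here are illustrative.
#include <cassert>
#include <cstdint>
#include <iostream>
#include <string>

// What memory an instruction may read or write, as a bitmask.
struct AliasSet {
    enum : uint32_t {
        None        = 0,
        ObjectSlots = 1u << 0,     // named properties stored in object slots
        Elements    = 1u << 1,     // indexed (array) elements
        Any         = 0xFFFFFFFFu, // conservative: anything may be touched
    };
    uint32_t flags;
    bool isAny() const { return flags == Any; }
    bool intersects(AliasSet other) const { return (flags & other.flags) != 0; }
};

// A MIR-like instruction. 'aliases' is what the instruction *claims* to the
// optimizer; 'callsIntoJS' is what it can *really* do at runtime (e.g. the
// C++ helper it calls may end up invoking a JS setter or proxy trap).
struct MInstruction {
    std::string name;
    AliasSet aliases;
    bool isStore;
    bool callsIntoJS;
};

// The debug-build invariant: an instruction that declares less than
// AliasSet::Any must not be able to run arbitrary JS, because arbitrary JS
// can touch any memory the optimizer assumed was untouched.
bool checkAliasSetInvariant(const MInstruction& ins) {
    return ins.aliases.isAny() || !ins.callsIntoJS;
}

// The optimization the alias set feeds: a load may be reused (not re-done)
// across a store when the two declared alias sets do not intersect.
bool mayReuseLoadAcross(const MInstruction& load, const MInstruction& store) {
    return store.isStore && !load.aliases.intersects(store.aliases);
}

// Constructed sample instructions: a load of an object slot, and a store to
// elements that goes through a C++ helper which can reach arbitrary JS.
MInstruction loadSlot() {
    return {"LoadSlot", {AliasSet::ObjectSlots}, /*isStore=*/false, /*callsIntoJS=*/false};
}
// Buggy description: claims only Elements although it can call into JS.
MInstruction buggyStoreElement() {
    return {"StoreElementViaVM", {AliasSet::Elements}, true, true};
}
// Fixed description: admits that anything may happen.
MInstruction fixedStoreElement() {
    return {"StoreElementViaVM", {AliasSet::Any}, true, true};
}

int main() {
    MInstruction load = loadSlot();
    for (MInstruction store : {buggyStoreElement(), fixedStoreElement()}) {
        std::cout << store.name
                  << " invariant ok=" << checkAliasSetInvariant(store)
                  << " load reused across it=" << mayReuseLoadAcross(load, store)
                  << '\n';
    }
    return 0;
}
```

With the buggy alias set the optimizer keeps the earlier LoadSlot value across the store, even though a setter invoked by the store could have changed that slot; that is the stale-value scenario the comment describes. The invariant check flags exactly that instruction definition in debug builds, so a fuzzer hits the assertion instead of a miscompile.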

Thanks. That does help.

Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main75-]
Group: core-security-release
