Closed Bug 1648885 Opened 5 years ago Closed 5 years ago

Perform Spectre mitigations for WebAssembly on Cranelift/ARM64

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla80

Tracking Flags:

Tracking

Status

firefox80

---

fixed

People

(Reporter: cfallin, Assigned: cfallin)

References

Details

Attachments

(1 file)

Bug 1648885 and Bug 1649432: vendor latest Cranelift to get Spectre mitigations and fix fuzzbug. r=bbouvier 5 years ago Chris Fallin [:cfallin] 47 bytes, text/x-phabricator-request		Details \| Review

Chris Fallin [:cfallin]

Assignee

Description

•

5 years ago

We need to Spectre-proof the heap bounds check for WebAssembly running on Cranelift on ARM64 (aarch64).

As per conversations with :bbouvier, it seems this should involve simply replicating the conditional-move protection that is seen in the ARM64 MacroAssembler's bounds-check code.

This work will entail landing a PR in Cranelift first, then updating our vendored version of Cranelift here.

Chris Fallin [:cfallin]

Assignee

Comment 1

•

5 years ago

A PR is open for Cranelift here (#1930).

Lars T Hansen [:lth]

Updated

•

5 years ago

Severity: -- → S3

Priority: -- → P1

Chris Fallin [:cfallin]

Assignee

Comment 2

•

5 years ago

Attached file Bug 1648885 and Bug 1649432: vendor latest Cranelift to get Spectre mitigations and fix fuzzbug. r=bbouvier — Details

This patch pulls in Cranelift revision
0a59a321bdecb6ddaab12c9097532cdb31f241f1, which incorporates several
relevant changes:

It includes the Spectre mitigation for explicit heap bounds checks
merged in PR bytecodealliance/wasmtime#1930, resolving Bug 1648885.
It includes the fix for an out-of-bounds subtraction on large shift
amounts merged in PR bytecodealliance/wasmtime#1954, resolving Bug
1649432.

In order to adapt to the new Cranelift version's slight API changes in
the FuncEnvironment, we need to pull in cranelift-frontend as a
dependency (its type FunctionBuilder appears in the API now).

We also need to temporarily disable the wasm/limits.js jit-test
on Cranelift configurations because it now needs shared memory to work,
and the Cranelift backend does not support this yet. Given that this
should be ready in the next month at most (requires atomics support on
AArch64, which is currently being examined), it seems simpler to
temporarily disable the test on aarch64 than to try to disentangle the
bits that depend on shared memories explicitly.

Chris Fallin [:cfallin]

Assignee

Comment 3

•

5 years ago

Adding dep to Bug 1649929; fixing the breakage would be a better solution than just disabling wasm/limits.js.

Depends on: 1649929

Chris Fallin [:cfallin]

Assignee

Updated

•

5 years ago

Blocks: 1649932

Benjamin Bouvier [:bbouvier] (inactive)

Updated

•

5 years ago

Blocks: 1650038

Pulsebot

Comment 4

•

5 years ago

Pushed by cfallin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/da778e8edbdc and Bug 1649432: vendor latest Cranelift to get Spectre mitigations and fix fuzzbug. r=bbouvier

Cristian Brindusan [:cbrindusan]

Comment 5

•

5 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/da778e8edbdc

Status: ASSIGNED → RESOLVED

Closed: 5 years ago

status-firefox80: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla80

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Perform Spectre mitigations for WebAssembly on Cranelift/ARM64

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Tracking

()

People

(Reporter: cfallin, Assigned: cfallin)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Comment 3

Updated

Updated

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type