Cherry-pick f442fbe222f3. rdar://126892345
Make it harder to get a PAC signing gadget in JIT code.
https://bugs.webkit.org/show_bug.cgi?id=272750
rdar://125596635

Reviewed by Yusuke Suzuki.

Right now if an attacker can control where code is allocated they can overlap code to create a PAC bypass. This patch makes that harder (in the WebContent process) by only allowing pacibsp and pacizb.

This means that during arity fixup we now tag the return PC with pacizb. This is ok because we don't use the zero diversifier for anything.

For reifying inlined call frames during OSR exit things are a bit more complicated. First we have to be careful to only move signed return addresses into lr then untag them there. Also, we have to shuffle SP to point to where it would in the reified frame. This means that there is technically live data below our SP, which on many OSes causes problems. Talking to our kernel folks however this isn't a problem as long as we don't have any signal handlers or run lldb expressions in this window. We don't use signal handlers in the WebContent process and this patch tries to limit/document the window of JIT code where lldb would trash the stack.

* Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::tagPtr):
* Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
(JSC::AssemblyHelpers::transferReturnPC):
* Source/JavaScriptCore/jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
* Source/JavaScriptCore/llint/LLIntThunks.cpp:
(JSC::LLInt::tagGateThunk):
(JSC::LLInt::untagGateThunk):
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/WTF/wtf/PtrTag.h:
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::initializeProcess):
* Tools/Scripts/run-jsc-stress-tests:

Canonical link: https://commits.webkit.org/272448.948@safari-7618-branch
Canonical link: https://commits.webkit.org/277149.25@safari-7619.1.9-branch
Showing 9 changed files with 118 additions and 25 deletions.