<div dir="auto">It would be best to ask the dev-js list. <a href="https://lists.mozilla.org/listinfo/dev-tech-js-engine">https://lists.mozilla.org/listinfo/dev-tech-js-engine</a><div dir="auto"><br></div><div dir="auto">Kevin Brosnan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Jan 9, 2018 16:14, "Luis Longeri" <<a href="mailto:llongeri@gmail.com">llongeri@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi,</div><div><br></div><div>Last night I stumbled into the Meltdown and Spectre exploits news and read the papers, didn't sleep much. So I decided to see what could be done to get better JavaScript protection against speculative buffer overruns.<br></div><div><br></div><div>I have wanted to check this out for some time but at last, I downloaded Firefox source code today and I started to figure out if some protections could be added. This is just dev poking around and I would like to ask if I am at least in the right direction.</div><div><br></div><div>I briefly went over the code and I figured that NativeObject.h seems to declare array indexing code used at least from the JavaScript interpreter. So I made the following changes that I understand should cut short any speculative buffer overrun at least in these patched functions. 
I know this has performance issues but it is just a test.<br></div><div><br></div><div>I compiled this and I am running Firefox in safe mode (from what I gather this disables the JIT compiler which I haven't even begun to look at).</div><div><br></div><div>I would like to ask if at least I am in the right direction or am I way off course.<br></div><div><br></div><div>diff -r f78a83244fbe js/src/vm/NativeObject.h<br>--- a/js/src/vm/NativeObject.h Thu Jan 04 11:44:30 2018 +0200<br>+++ b/js/src/vm/NativeObject.h Thu Jan 04 16:05:11 2018 -0300<br>@@ -496,11 +496,13 @@<br> return HeapSlotArray(elements_, true);<br> }<br> const Value& getDenseElement(uint32_t idx) const {<br>- MOZ_ASSERT(idx < getDenseInitializedLength());<br>- return elements_[idx];<br>+ uint32_t len = getDenseInitializedLength();<br>+ MOZ_ASSERT(idx < len);<br>+ return elements_[idx % len];<br> }<br> bool containsDenseElement(uint32_t idx) {<br>- return idx < getDenseInitializedLength() && !elements_[idx].isMagic(JS_<wbr>ELEMENTS_HOLE);<br>+ uint32_t len = getDenseInitializedLength();<br>+ return idx < len && !elements_[idx % len].isMagic(JS_ELEMENTS_HOLE)<wbr>;<br> }<br> uint32_t getDenseInitializedLength() const {<br> return getElementsHeader()-><wbr>initializedLength;<br>@@ -1196,9 +1198,11 @@<br> // objects, but should only be called in a few places, and should be<br> // audited carefully!<br> void setDenseElementUnchecked(<wbr>uint32_t index, const Value& val) {<br>- MOZ_ASSERT(index < getDenseInitializedLength());<br>+ uint32_t len = getDenseInitializedLength();<br>+ MOZ_ASSERT(index < len);<br> MOZ_ASSERT(!<wbr>denseElementsAreCopyOnWrite())<wbr>;<br> checkStoredValue(val);<br>+ index %= len;<br> elements_[index].set(this, HeapSlot::Element, unshiftedIndex(index), val);<br> }<br> <br>@@ -1217,10 +1221,12 @@<br> }<br> <br> void initDenseElement(uint32_t index, const Value& val) {<br>- MOZ_ASSERT(index < getDenseInitializedLength());<br>+ uint32_t len = getDenseInitializedLength();<br>+ 
MOZ_ASSERT(index < len);<br> MOZ_ASSERT(!<wbr>denseElementsAreCopyOnWrite())<wbr>;<br> MOZ_ASSERT(!<wbr>denseElementsAreFrozen());<br> checkStoredValue(val);<br>+ index %= len;<br> elements_[index].init(this, HeapSlot::Element, unshiftedIndex(index), val);<br> }<br> </div><div><br></div><div>Regards,</div><div>llongeri<br></div></div>
<br>______________________________<wbr>_________________<br>
firefox-dev mailing list<br>
<a href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank">https://mail.mozilla.org/<wbr>listinfo/firefox-dev</a><br>
<br></blockquote></div></div>
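<div>The index bounding that the quoted patch attempts, shown as an added example that is not from the patch, from either message, or from SpiderMonkey: the modulo form used in the patch beside a branchless mask of the kind Linux's array_index_nospec() uses. The function names (index_mod, index_nospec, get_element, demo_read) and the sample array are invented for illustration, and a plain int array stands in for the HeapSlot elements_ array.</div>

```c
/* Added example, not from the Firefox patch or from SpiderMonkey: two ways
 * to keep an array index in bounds on the speculative path. Names are
 * hypothetical; a plain int array stands in for the elements_ slot array. */
#include <stdint.h>
#include <stdio.h>

/* What the posted patch does: idx % len. Bounds the index, but it compiles
 * to a division and is undefined when len == 0 (the patch has no guard). */
uint32_t index_mod(uint32_t idx, uint32_t len) {
    if (len == 0)
        return 0;            /* guard the patch lacks: len == 0 would trap */
    return idx % len;
}

/* Branchless mask: all ones when idx < len, zero otherwise, so any
 * out-of-range idx becomes 0. No division and no conditional branch for
 * the predictor to guess wrong. */
uint32_t index_nospec(uint32_t idx, uint32_t len) {
    uint32_t in_range = (uint32_t)(idx < len);   /* 1 or 0 */
    uint32_t mask = (uint32_t)0 - in_range;       /* 0xFFFFFFFF or 0 */
    return idx & mask;
}

/* Bounds-checked read. The architectural check still rejects bad indices;
 * the mask ensures a mispredicted check cannot become an out-of-bounds load
 * whose cache footprint leaks memory beyond the array. */
int get_element(const int *elements, uint32_t len, uint32_t idx, int *out) {
    if (idx >= len)
        return 0;                                 /* caller sees the failure */
    *out = elements[index_nospec(idx, len)];      /* load address stays inside */
    return 1;
}

/* Constructed sample array, so the read path can be exercised stand-alone. */
static const int kSample[4] = {10, 20, 30, 40};

/* Returns the element at idx, or -1 when the bounds check rejects it. */
int demo_read(uint32_t idx) {
    int v = -1;
    return get_element(kSample, 4, idx, &v) ? v : -1;
}

int main(void) {
    printf("demo_read(2)  = %d\n", demo_read(2));
    printf("demo_read(7)  = %d\n", demo_read(7));
    printf("index_nospec(7, 4) = %u, index_mod(7, 4) = %u\n",
           index_nospec(7, 4), index_mod(7, 4));
    printf("index_nospec(5, 0) = %u, index_mod(5, 0) = %u\n",
           index_nospec(5, 0), index_mod(5, 0));
    return 0;
}
```

<div>The mask form relies on the compiler emitting a compare and an AND rather than a branch; gcc and clang typically do so for this pattern, but the language does not guarantee it, which is why the kernel writes its array_index_mask_nospec() in inline assembly. For an empty array the masked index is 0, so a mispredicted check loads at most the slot at offset 0 rather than an attacker-chosen address; the modulo form in the same situation divides by zero unless guarded as above.</div>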