[wasm] add masking for call_indirect

Bug: chromium:798964 Change-Id: I5452775388addb5f4647297d190d88a45eec19bd Reviewed-on: https://chromium-review.googlesource.com/869134 Commit-Queue: Eric Holk <eholk@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#50694}

[wasm] add masking for call_indirect
Bug: chromium:798964 Change-Id: I5452775388addb5f4647297d190d88a45eec19bd Reviewed-on: https://chromium-review.googlesource.com/869134 Commit-Queue: Eric Holk <eholk@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#50694}
0484e1f9 · Eric Holk · Commit Bot · a0935c1d · 0484e1f9 · 0484e1f9
Commit 0484e1f9 authored Jan 18, 2018 by Eric Holk Committed by Commit Bot Jan 18, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 0 deletions

wasm-compiler.cc src/compiler/wasm-compiler.cc +14 -0

wasm-interpreter.cc src/wasm/wasm-interpreter.cc +22 -0

No files found.
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -2509,6 +2509,20 @@ Node* WasmGraphBuilder::CallIndirect(uint32_t sig_index, Node** args,
  Node* size = function_tables_[table_index].size;
  Node* in_bounds = graph()->NewNode(machine->Uint32LessThan(), key, size);
  TrapIfFalse(wasm::kTrapFuncInvalid, in_bounds, position);
+
+  // Mask the key to prevent SSCA.
+  if (untrusted_code_mitigations_) {
+    // mask = ((key - size) & ~key) >> 31
+    Node* neg_key =
+        graph()->NewNode(machine->Word32Xor(), key, Int32Constant(-1));
+    Node* masked_diff = graph()->NewNode(
+        machine->Word32And(), graph()->NewNode(machine->Int32Sub(), key, size),
+        neg_key);
+    Node* mask =
+        graph()->NewNode(machine->Word32Sar(), masked_diff, Int32Constant(31));
+    key = graph()->NewNode(machine->Word32And(), key, mask);
+  }
+
  Node* table_address = function_tables_[table_index].table_addr;
  Node* table = graph()->NewNode(
      jsgraph()->machine()->Load(MachineType::AnyTagged()), table_address,

--- a/src/wasm/wasm-interpreter.cc
+++ b/src/wasm/wasm-interpreter.cc
@@ -987,12 +987,34 @@ class CodeMap {
  }

  InterpreterCode* GetIndirectCode(uint32_t table_index, uint32_t entry_index) {
+    uint32_t saved_index;
+    USE(saved_index);
    if (table_index >= module_->function_tables.size()) return nullptr;
+    // Mask table index for SSCA mitigation.
+    saved_index = table_index;
+    table_index &=
+        static_cast<int32_t>((table_index - module_->function_tables.size()) &
+                             ~static_cast<int32_t>(table_index)) >>
+        31;
+    DCHECK_EQ(table_index, saved_index);
    const WasmIndirectFunctionTable* table =
        &module_->function_tables[table_index];
    if (entry_index >= table->values.size()) return nullptr;
+    // Mask entry_index for SSCA mitigation.
+    saved_index = entry_index;
+    entry_index &= static_cast<int32_t>((entry_index - table->values.size()) &
+                                        ~static_cast<int32_t>(entry_index)) >>
+                   31;
+    DCHECK_EQ(entry_index, saved_index);
    uint32_t index = table->values[entry_index];
    if (index >= interpreter_code_.size()) return nullptr;
+    // Mask index for SSCA mitigation.
+    saved_index = index;
+    index &= static_cast<int32_t>((index - interpreter_code_.size()) &
+                                  ~static_cast<int32_t>(index)) >>
+             31;
+    DCHECK_EQ(index, saved_index);
+
    return GetCode(index);
  }