Commit 0484e1f9 authored by Eric Holk Committed by Commit Bot

[wasm] add masking for call_indirect

Bug: chromium:798964
Change-Id: I5452775388addb5f4647297d190d88a45eec19bd
Reviewed-on: https://chromium-review.googlesource.com/869134
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50694}
parent a0935c1d
......@@ -2509,6 +2509,20 @@ Node* WasmGraphBuilder::CallIndirect(uint32_t sig_index, Node** args,
Node* size = function_tables_[table_index].size;
Node* in_bounds = graph()->NewNode(machine->Uint32LessThan(), key, size);
TrapIfFalse(wasm::kTrapFuncInvalid, in_bounds, position);
// Mask the key to prevent SSCA.
if (untrusted_code_mitigations_) {
// mask = ((key - size) & ~key) >> 31
Node* neg_key =
graph()->NewNode(machine->Word32Xor(), key, Int32Constant(-1));
Node* masked_diff = graph()->NewNode(
machine->Word32And(), graph()->NewNode(machine->Int32Sub(), key, size),
neg_key);
Node* mask =
graph()->NewNode(machine->Word32Sar(), masked_diff, Int32Constant(31));
key = graph()->NewNode(machine->Word32And(), key, mask);
}
Node* table_address = function_tables_[table_index].table_addr;
Node* table = graph()->NewNode(
jsgraph()->machine()->Load(MachineType::AnyTagged()), table_address,
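Review bot: The mask built on the lines `Node* mask = graph()->NewNode(machine->Word32Sar(), masked_diff, Int32Constant(31));` is all-ones for an in-bounds key only when `size` is below 2^31: Word32Sar spreads the sign bit of `key - size`, so a table size with bit 31 set would zero a valid key, while a key with bit 31 set is always masked to 0 (the safe direction). That precondition and the intended outcome deserve to be stated next to the formula, e.g. `// Requires size < 2^31: Sar spreads the sign bit of (key - size) into an all-ones mask exactly when key < size, so an in-bounds key is unchanged and an out-of-bounds key becomes 0 on the speculative path.` The mitigation works through a data dependence rather than a control dependence, which is why it sits after TrapIfFalse; the reassigned `key` on the last added line must therefore be the value that feeds every later table and signature load, and those uses are outside this hunk. CallIndirect begins and ends outside the hunk.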
......
......@@ -987,12 +987,34 @@ class CodeMap {
}
InterpreterCode* GetIndirectCode(uint32_t table_index, uint32_t entry_index) {
uint32_t saved_index;
USE(saved_index);
if (table_index >= module_->function_tables.size()) return nullptr;
// Mask table index for SSCA mitigation.
saved_index = table_index;
table_index &=
static_cast<int32_t>((table_index - module_->function_tables.size()) &
~static_cast<int32_t>(table_index)) >>
31;
DCHECK_EQ(table_index, saved_index);
const WasmIndirectFunctionTable* table =
&module_->function_tables[table_index];
if (entry_index >= table->values.size()) return nullptr;
// Mask entry_index for SSCA mitigation.
saved_index = entry_index;
entry_index &= static_cast<int32_t>((entry_index - table->values.size()) &
~static_cast<int32_t>(entry_index)) >>
31;
DCHECK_EQ(entry_index, saved_index);
uint32_t index = table->values[entry_index];
if (index >= interpreter_code_.size()) return nullptr;
// Mask index for SSCA mitigation.
saved_index = index;
index &= static_cast<int32_t>((index - interpreter_code_.size()) &
~static_cast<int32_t>(index)) >>
31;
DCHECK_EQ(index, saved_index);
return GetCode(index);
}
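Review bot: The masking expression used three times in GetIndirectCode, e.g. `table_index &= static_cast<int32_t>(...) >> 31;`, depends on `>> 31` of a negative `int32_t` being an arithmetic shift and on the narrowing `static_cast<int32_t>` of a 64-bit `size_t` difference wrapping modulo 2^32; both are implementation-defined in C++17 (only C++20 guarantees them), and the SSCA mask silently degrades to a no-op or a zeroing mask if either assumption does not hold on a toolchain. Writing the mask once in unsigned arithmetic (logical shift to 0/1, then negate) removes both dependencies, keeps the formula in one place, and leaves the `saved_index`/DCHECK_EQ checks as they are; the precondition that the table size is at most 2^31 should be recorded in the helper's comment. The mixed `uint32_t - size_t` subtraction should also be made explicit with a `uint32_t` bound rather than relying on promotion and truncation. Whether CodeMap already has a private section for such a static helper is outside this hunk.
```cpp
  // Returns `index` unchanged when index < size and 0 otherwise, using only a
  // data dependence (no branch) so that a mispredicted bounds check cannot
  // forward an out-of-bounds index on the speculative path. Requires size <= 2^31.
  static uint32_t MaskIndexForSsca(uint32_t index, size_t size) {
    uint32_t bound = static_cast<uint32_t>(size);
    uint32_t mask = 0u - (((index - bound) & ~index) >> 31);  // 0 or 0xFFFFFFFF
    return index & mask;
  }

  InterpreterCode* GetIndirectCode(uint32_t table_index, uint32_t entry_index) {
    // … unchanged: saved_index declaration, first bounds check …
    table_index = MaskIndexForSsca(table_index, module_->function_tables.size());
    // … unchanged: DCHECK_EQ, table lookup, entry_index bounds check …
    entry_index = MaskIndexForSsca(entry_index, table->values.size());
    // … unchanged: DCHECK_EQ, values[] read, index bounds check …
    index = MaskIndexForSsca(index, interpreter_code_.size());
    // … unchanged: DCHECK_EQ, return GetCode(index) …
```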
......