PACCage should first cage leaving PAC bits intact then authenticate
author    keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 2 Jul 2019 07:00:14 +0000 (07:00 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 2 Jul 2019 07:00:14 +0000 (07:00 +0000)
commit    b2df815a36cd260168771fc94946ce515e23d3a4
tree      d82f4d9e42a2bccad36951a24dc66a6b534ff7ef
parent    b7150e97d870c0ad270510987bcdba756d17af08
PACCage should first cage leaving PAC bits intact then authenticate
https://bugs.webkit.org/show_bug.cgi?id=199372

Reviewed by Saam Barati.

Source/bmalloc:

* bmalloc/ProcessCheck.mm:
(bmalloc::shouldProcessUnconditionallyUseBmalloc):

Source/JavaScriptCore:

This ordering prevents someone from taking a signed pointer from
outside the gigacage and using it in a struct that expects a caged
pointer. Previously, the PACCaging just double checked that the PAC
bits were valid for the original pointer.

       +---------------------------+
       |       |        |          |
       | "PAC" | "base" | "offset" +----+
       |       |        |          |    |
       +---------------------------+    | Caging
        |                               |
        |                               |
        |                               v
        |                +---------------------------+
        |                |       |        |          |
        | Bit Merge      | 00000 |  base  | "offset" |
        |                |       |        |          |
        |                +---------------------------+
        |                               |
        |                               |
        v                               |  Bit Merge
  +---------------------------+         |
  |       |        |          |         |
  | "PAC" |  base  | "offset" +<--------+
  |       |        |          |
  +---------------------------+
              |
              |
              | Authenticate
              |
              v
  +---------------------------+
  |       |        |          |
  | Auth  |  base  | "offset" |
  |       |        |          |
  +---------------------------+

The above ASCII art graph shows how the PACCage system works. The
key takeaway is that even if someone passes in a valid, signed
pointer outside the cage it will still fail to authenticate as the
"base" bits will change before authentication.

* assembler/MacroAssemblerARM64E.h:
* assembler/testmasm.cpp:
(JSC::testCagePreservesPACFailureBit):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cageConditionally):
* llint/LowLevelInterpreter64.asm:

Source/WTF:

* wtf/CagedPtr.h:
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::mergePointers):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247041 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
Source/JavaScriptCore/assembler/testmasm.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.h
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Source/WTF/ChangeLog
Source/WTF/wtf/CagedPtr.h
Source/bmalloc/ChangeLog
Source/bmalloc/bmalloc/ProcessCheck.mm
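A toy model of the two orderings described in the commit message, added here as an illustration and not code from WebKit or JavaScriptCore: the pointer layout, the 16-bit tag standing in for the PAC, the cage base and the signing key are all constructed. It shows that a validly signed pointer from outside the cage survives the old check (authenticate the original pointer, then cage) but fails the new one (cage with PAC bits intact, then authenticate), because the base bits change under the signature.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy pointer layout, assumed for illustration only (not ARM64E's real layout):
 * bits 63..48 "PAC", bits 47..32 "base", bits 31..0 "offset". */
#define OFFSET_MASK 0x00000000FFFFFFFFULL
#define PAC_MASK    0xFFFF000000000000ULL
#define CAGE_BASE   0x0000400000000000ULL /* constructed gigacage base */
#define AUTH_FAILED 0ULL                  /* sentinel for a failed authentication */

static const uint64_t kSigningKey = 0x9E3779B97F4A7C15ULL; /* constructed key */
/* Toy 16-bit tag over the low 48 bits; stands in for the real PAC MAC. */
static uint64_t toy_pac(uint64_t ptr) {
    uint64_t x = (ptr & ~PAC_MASK) ^ kSigningKey;
    uint64_t tag = (x ^ (x >> 16) ^ (x >> 32)) & 0xFFFFULL;
    return tag << 48;
}
uint64_t sign(uint64_t ptr) { return (ptr & ~PAC_MASK) | toy_pac(ptr); }

/* Returns the stripped pointer if the tag matches, AUTH_FAILED otherwise. */
uint64_t authenticate(uint64_t ptr) {
    return (ptr & PAC_MASK) == toy_pac(ptr) ? (ptr & ~PAC_MASK) : AUTH_FAILED;
}

/* The "Bit Merge" of the diagram: force base into the cage, keep PAC and offset. */
uint64_t cage_preserving_pac(uint64_t ptr) {
    return (ptr & (PAC_MASK | OFFSET_MASK)) | CAGE_BASE;
}

/* Old ordering: validate the PAC on the original pointer, then cage it. */
uint64_t old_pac_cage(uint64_t ptr) {
    uint64_t stripped = authenticate(ptr);
    return stripped == AUTH_FAILED ? AUTH_FAILED : cage_preserving_pac(stripped);
}

/* New ordering: cage first with PAC bits intact, then authenticate. */
uint64_t new_pac_cage(uint64_t ptr) {
    return authenticate(cage_preserving_pac(ptr));
}

int main(void) {
    uint64_t inside  = sign(CAGE_BASE | 0x1000ULL);   /* caged object */
    uint64_t outside = sign(0x0000A00000001000ULL);   /* signed, but outside the cage */
    printf("inside, new order : %#llx\n", (unsigned long long)new_pac_cage(inside));
    printf("outside, old order: %#llx (accepted)\n", (unsigned long long)old_pac_cage(outside));
    printf("outside, new order: %#llx (rejected)\n", (unsigned long long)new_pac_cage(outside));
    return 0;
}
```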