Temporally add Spectre mitigation patch

2026-03-14 23:16:48 +01:00 · 2018-01-07 14:28:48 +01:00 · 2018-01-07 14:28:48 +01:00 · 0c2405e51a
commit 0c2405e51a
parent a0c77be0e9
3 changed files with 60 additions and 4 deletions
--- a/.SRCINFO
+++ b/.SRCINFO
@ -1,7 +1,7 @@
 pkgbase = icecat
 	pkgdesc = GNU version of the Firefox browser.
 	pkgver = 52.3.0
-	pkgrel = 2
+	pkgrel = 3
 	url = http://www.gnu.org/software/gnuzilla/
 	arch = i686
 	arch = x86_64
@ -51,6 +51,7 @@ pkgbase = icecat
 	source = clip-ft-glyph-52esr.diff
 	source = harmony-fix.diff
 	source = glibc-2.26-fix.diff
+	source = icecat-bug-1427870-spectre-mitigation.patch
 	validpgpkeys = A57369A8BABC2542B5A0368C3C76EED7D7E04784
 	sha256sums = 699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302
 	sha256sums = SKIP
@ -63,6 +64,7 @@ pkgbase = icecat
 	sha256sums = dc4feddbf22ea11ae2513c68b7f3fc9047850d055a7f30d31a7ee94d7d5de12a
 	sha256sums = 16bb776e9f3039321db747b2eaece0cda1320f3711fb853a68d67247b0aa065d
 	sha256sums = cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8
+	sha256sums = 8088e9d3116f12e32e17a019918ab45f93e2a2f819ff9372949e33ca428d3129

 pkgname = icecat

--- a/11
+++ b/11
@ -9,7 +9,7 @@ pkgname=icecat
 pkgver=52.3.0
 _pkgver=${pkgver}-gnu1
 _pkgverbase=${pkgver%%.*}
-pkgrel=2
+pkgrel=3
 pkgdesc="GNU version of the Firefox browser."
 arch=(i686 x86_64)
 url="http://www.gnu.org/software/gnuzilla/"
@ -27,7 +27,8 @@ source=(http://ftpmirror.gnu.org/gnuzilla/${pkgver}/${pkgname}-${_pkgver}.tar.bz
 #source=(http://jenkins.trisquel.info/icecat/${pkgname}-${_pkgver}.tar.bz2      ## Official developer (Ruben Rodriguez) site. Probably only has developer releases.
        mozconfig icecat.desktop icecat-safe.desktop vendor.js
        fix-wifi-scanner.diff no-crmf.diff
-		clip-ft-glyph-52esr.diff harmony-fix.diff glibc-2.26-fix.diff)
+		clip-ft-glyph-52esr.diff harmony-fix.diff glibc-2.26-fix.diff
+        icecat-bug-1427870-spectre-mitigation.patch)

 sha256sums=('699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302'
            'SKIP'
@ -39,7 +40,8 @@ sha256sums=('699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302'
            'ada119174a2a1779c4195a1b4506e8ae67c49c5306103158805a390237acc1c6'
            'dc4feddbf22ea11ae2513c68b7f3fc9047850d055a7f30d31a7ee94d7d5de12a'
            '16bb776e9f3039321db747b2eaece0cda1320f3711fb853a68d67247b0aa065d'
-            'cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8')
+            'cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8'
+            '8088e9d3116f12e32e17a019918ab45f93e2a2f819ff9372949e33ca428d3129')

 validpgpkeys=(A57369A8BABC2542B5A0368C3C76EED7D7E04784) # Ruben Rodriguez (GNU IceCat releases key) <ruben@gnu.org>

@ -67,6 +69,9 @@ prepare() {
  # https://bugzilla.mozilla.org/show_bug.cgi?id=1400721
  patch -Np1 -i ../harmony-fix.diff

+  # mitigation to Spectre for GNU IceCat. It's best this than nothing until official patches will be posted
+  patch -Np1 -i ../icecat-bug-1427870-spectre-mitigation.patch
+
  msg2 "Starting build..."

  cp -v ${srcdir}/mozconfig .mozconfig
--- a/icecat-bug-1427870-spectre-mitigation.patch
+++ b/icecat-bug-1427870-spectre-mitigation.patch
@ -0,0 +1,49 @@
+Mitigate Spectre by reducing the resolution of performance.now() to 20
+microseconds.  Based on:
+
+  https://hg.mozilla.org/releases/mozilla-release/rev/afa87f9be3a8
+
+For more details, see:
+
+  https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
+
+This patch was modified to apply cleanly to GNU IceCat.
+
+
+# HG changeset patch
+# User Tom Ritter <tom@mozilla.com>
+# Date 1514660820 21600
+# Node ID afa87f9be3a8852da3a30f286b15ae599c7874f6
+# Parent  6caa457ebedc915b43dc1d054b8fe22e82ca7447
+Bug 1427870 - Change resolution of .now() to 20us. r=bkelly, a=lizzard
+
+The comment about workers was introduced in Bug 1186489 but became obsolete some time after that
+(definitely by Bug 1278838)
+
+diff --git a/dom/performance/Performance.cpp b/dom/performance/Performance.cpp
+--- a/dom/performance/Performance.cpp
+++ b/dom/performance/Performance.cpp
+@@ -234,20 +234,19 @@ Performance::ClearResourceTimings()
+ {
+   MOZ_ASSERT(NS_IsMainThread());
+   mResourceEntries.Clear();
+ }
+ 
+ DOMHighResTimeStamp
+ Performance::RoundTime(double aTime) const
+ {
+-  // Round down to the nearest 5us, because if the timer is too accurate people
+-  // can do nasty timing attacks with it.  See similar code in the worker
+-  // Performance implementation.
+-  const double maxResolutionMs = 0.005;
+  // Round down to the nearest 20us, because if the timer is too accurate people
+  // can do nasty timing attacks with it.
+  const double maxResolutionMs = 0.020;
+   return floor(aTime / maxResolutionMs) * maxResolutionMs;
+ }
+ 
+ 
+ void
+ Performance::Mark(const nsAString& aName, ErrorResult& aRv)
+ {
+   // Don't add the entry if the buffer is full. XXX should be removed by bug 1159003.