Researcher Names:
Hany Ragab, Enrico Barberis, Herbert Bos and Cristiano Giuffrida
Link: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-29955
Floating Point Value Injection (FPVI) allows an attacker to inject arbitrary values into a transient execution window created by a floating-point machine clear. The attacker triggers the exploit by causing the victim application to perform a denormal floating-point operation whose operands x and y are under the attacker's control. The transient result z of that operation is consumed by the subsequent instructions, leaving an observable microarchitectural trace.
The exploit against Mozilla Firefox relies on an attacker-controlled, transiently injected floating-point value that causes a type confusion on the transient execution path (between the String and Double types), allowing the attacker to transiently leak arbitrary memory locations. FPVI thus shows that a single floating-point operation issued from JavaScript running in Firefox can compromise the whole hardware-software stack, affecting millions of clients.
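The description above hinges on what a "denormal floating-point operation" is: an operation in which an operand or the result is a subnormal IEEE-754 value, which the CPU cannot handle on its fast path and which is the trigger for the machine clear. The following C program is an added illustration, not code from the researchers or from the Mozilla advisory; it uses multiplication as a stand-in for the attacker-observable operation (the page does not name a specific one), and the function and type names (`denormal_multiply`, `is_denormal_operation`, `fp_op_report`) are mine. It classifies the operands x and y and the result z so a reader can see exactly which value combinations fall into the denormal case.

```c
#include <float.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* DBL_TRUE_MIN (smallest positive subnormal double) is C11; provide it for
 * older float.h headers. */
#ifndef DBL_TRUE_MIN
#define DBL_TRUE_MIN 4.9406564584124654e-324
#endif

/* Report on one floating-point operation z = x * y: which of the three
 * values are subnormal ("denormal"). Hypothetical struct name, added here. */
typedef struct {
    bool x_subnormal;
    bool y_subnormal;
    bool z_subnormal;
    double z;
} fp_op_report;

/* A subnormal double has a zero exponent field and a non-zero mantissa;
 * fpclassify() identifies it portably, independent of optimisation level. */
static bool is_subnormal(double v) {
    return fpclassify(v) == FP_SUBNORMAL;
}

/* Perform the multiplication at run time (volatile stops the compiler from
 * constant-folding the product, so the hardware really executes it) and
 * classify operands and result. */
fp_op_report denormal_multiply(double x, double y) {
    volatile double vx = x, vy = y;
    fp_op_report r;
    r.z = vx * vy;
    r.x_subnormal = is_subnormal(x);
    r.y_subnormal = is_subnormal(y);
    r.z_subnormal = is_subnormal(r.z);
    return r;
}

/* True when the operation involves a subnormal operand or produces a
 * subnormal result, i.e. when it is a "denormal floating-point operation"
 * in the sense used in the text. */
bool is_denormal_operation(double x, double y) {
    fp_op_report r = denormal_multiply(x, y);
    return r.x_subnormal || r.y_subnormal || r.z_subnormal;
}

int main(void) {
    /* Constructed sample inputs covering the distinct cases. */
    const struct { const char *label; double x, y; } cases[] = {
        { "ordinary operands and result", 1.5, 2.0 },
        { "normal operands, subnormal result", 1e-160, 1e-160 },
        { "subnormal operand, normal result", DBL_TRUE_MIN, 1e308 },
        { "subnormal operand and result", DBL_TRUE_MIN, 2.0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        fp_op_report r = denormal_multiply(cases[i].x, cases[i].y);
        printf("%-36s x%s y%s z%s  z=%g  denormal op: %s\n", cases[i].label,
               r.x_subnormal ? "=sub" : "=norm",
               r.y_subnormal ? "=sub" : "=norm",
               r.z_subnormal ? "=sub" : "=norm", r.z,
               is_denormal_operation(cases[i].x, cases[i].y) ? "yes" : "no");
    }
    return 0;
}
```

Only the first case stays entirely on the fast path; the other three are denormal operations, either because an operand is subnormal or because the product underflows into the subnormal range (1e-160 * 1e-160 = 1e-320 lies between DBL_TRUE_MIN and DBL_MIN). Note that attacker control over x and y, as the text describes, is enough to reach these cases from ordinary-looking inputs, which is why a JavaScript engine that follows IEEE-754 semantics cannot simply refuse to compute them.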