Researcher Name: Hany Ragab, Enrico Barberis, Herbert Bos and Cristiano Giuffrida (VUSEC)
Link:
- https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-29955
- https://www.vusec.net/projects/fpvi-scsb/
Floating Point Value Injection (FPVI) is a new form of speculative execution attack on Intel processors. It allows an attacker to inject arbitrary values into the transient execution window created by a floating-point machine clear. The attacker triggers the attack by causing the victim application to perform a denormal floating-point operation whose operands x and y are under the attacker's control. The transient result z of that operation is consumed by the subsequent instructions before the machine clear squashes them, leaving an observable microarchitectural trace. Our exploit against Mozilla Firefox relies on an attacker-controlled, transiently injected floating-point value that triggers a type confusion on the transient execution path (between the String and Double types), allowing the attacker to transiently leak arbitrary memory locations.
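The trigger condition described above (a floating-point operation with a denormal operand or result, which forces the core off its fast path into a microcode assist and a machine clear) can be checked architecturally. The following C program is an added example written for this page; it is neither the researchers' proof of concept nor Mozilla's fix. It assumes an x86-64 build where double arithmetic uses SSE and is governed by MXCSR, and it only shows which operand/result combinations take the denormal path and how the DAZ/FTZ control bits remove that path. It does not observe transient execution or any side channel.

```c
/* Added example (not the FPVI paper's PoC, not Mozilla's fix): which
 * divisions take the denormal (microcode-assist) path, and what the
 * DAZ/FTZ MXCSR bits do to them. Assumes x86-64 with SSE double math. */
#include <float.h>
#include <math.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__SSE2_MATH__)
#include <xmmintrin.h>   /* _mm_getcsr / _mm_setcsr */
#define HAVE_MXCSR 1
#define MXCSR_DAZ 0x0040 /* denormals-are-zero: subnormal inputs read as 0 */
#define MXCSR_FTZ 0x8000 /* flush-to-zero: subnormal results become 0   */
#endif

/* Smallest positive subnormal double (2^-1074); constructed test input. */
#define SUBNORMAL_IN 0x1p-1074

/* 1 if either operand or the IEEE result of x / y is subnormal. This is the
 * case in which the fast floating-point path cannot produce the result and
 * the core falls back to a denormal assist, i.e. the machine clear that
 * FPVI turns into a transient window. */
int fpvi_prone_div(double x, double y) {
    volatile double vx = x, vy = y;      /* keep the division at run time */
    double z = vx / vy;
    return fpclassify(x) == FP_SUBNORMAL || fpclassify(y) == FP_SUBNORMAL ||
           fpclassify(z) == FP_SUBNORMAL;
}

/* Architectural (committed, non-transient) result under default MXCSR. */
double div_ieee(double x, double y) {
    volatile double vx = x, vy = y;
    return vx / vy;
}

/* Same division with DAZ|FTZ set for the duration of the call. Returns 1 and
 * stores the result when MXCSR is available, 0 when it is not (non-x86).
 * With these bits set the operation never needs the denormal assist, but the
 * result is no longer IEEE-754 conformant: subnormals are replaced by zero. */
int div_daz_ftz(double x, double y, double *out) {
#ifdef HAVE_MXCSR
    unsigned saved = _mm_getcsr();
    _mm_setcsr(saved | MXCSR_DAZ | MXCSR_FTZ);
    volatile double vx = x, vy = y;
    *out = vx / vy;
    _mm_setcsr(saved);                   /* restore the caller's FP environment */
    return 1;
#else
    (void)x; (void)y; (void)out;
    return 0;
#endif
}

int main(void) {
    /* Constructed operand pairs: normal/normal, subnormal operand,
     * normal operands with a subnormal result. */
    const double cases[][2] = { {1.0, 2.0}, {SUBNORMAL_IN, 0.5}, {DBL_MIN, 4.0} };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        double x = cases[i][0], y = cases[i][1], z_flushed = 0.0;
        int have = div_daz_ftz(x, y, &z_flushed);
        printf("x=%a y=%a  assist path: %s  ieee=%a", x, y,
               fpvi_prone_div(x, y) ? "yes" : "no", div_ieee(x, y));
        if (have)
            printf("  daz/ftz=%a", z_flushed);
        printf("\n");
    }
    return 0;
}
```

Two things worth noting for an audit. First, the prone/not-prone distinction depends on the result as well as the operands (DBL_MIN / 4 has normal inputs and a subnormal output), so filtering attacker-controlled inputs alone does not remove the trigger. Second, DAZ/FTZ is a blunt instrument: it changes arithmetic results, which is why a JavaScript engine, whose Number type is IEEE-754 double, cannot simply enable it process-wide.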