Add possibility to lower timer resolution
author Anatol Belski <ab@php.net>
Wed, 10 Jan 2018 16:50:09 +0000 (17:50 +0100)
committer Anatol Belski <ab@php.net>
Wed, 10 Jan 2018 17:45:15 +0000 (18:45 +0100)
commit c3717d9aecbe65cb2e5778a24a91e9eaf638639e
tree 119a27f92bd5b99f39bc4f3207a07fb4602430cd
parent f09c012ebe9ea413394fe4476b29bc790d903378
Add possibility to lower timer resolution

The recently discovered security flaw Spectre requires a high resolution
timer. To today's knowledge, PHP can't be used to create an attack for
this flaw. Still, some concerns were raised that there might be an impact in
shared hosting environments. This patch adds a possibility to reduce the
timer resolution by an ini setting, thus giving administrators full
control. Especially, as the flaw was also demonstrated by an abuse of
the JS engine in a browser, Firefox reduced several time sources to 20us.
Any programming language that doesn't compile to JIT won't be able to
produce an attack vector for Meltdown and Spectre, at least by today's
knowledge. There are also other factors that say that the security
concern on the hrtime feature is for the most part not justified; still, we
aim for JIT in the future. Thus, adding a possibility to control the timer
resolution is a good and small enough tradeoff for safety and the future.
UPGRADING
ext/standard/hrtime.c
ext/standard/tests/hrtime/hrtime_ini.phpt [new file with mode: 0644]
ext/standard/tests/hrtime/hrtime_resolution.phpt [new file with mode: 0644]