CVE-2021-29955: 
NixOS vulnerability analysis and mitigation

A transient execution vulnerability known as Floating Point Value Injection (FPVI) was discovered in Firefox and Firefox ESR browsers. The vulnerability, tracked as CVE-2021-29955, was identified by researchers Hany Ragab, Enrico Barberis, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam. The issue affected Firefox versions prior to 87 and Firefox ESR versions before 78.9, allowing attackers to leak arbitrary memory addresses and potentially enable JIT type confusion attacks (Mozilla Advisory, NVD).

FPVI is a transient execution vulnerability that exploits floating-point operations in the browser's JavaScript engine. The vulnerability affects all add, subtract, multiply, and divide operations of x87, SSE, or AVX instructions on floating-point numbers. The attack leverages NaN-boxing vulnerabilities to generate transient FP results in the form 0xfffXXXXXXXXXXXXX, which can lead to type confusion attacks. The vulnerability received a CVSS v3.1 base score of 5.3 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD, Mozilla Bug).

The vulnerability could allow attackers to leak arbitrary memory addresses through transient execution attacks. Particularly concerning was the ability to perform type confusion attacks in the JIT compiler, which could lead to information disclosure. The attack could be leveraged to access sensitive memory contents, though the exploitation would be slowed by existing timer mitigations (Mozilla Advisory).

Mozilla addressed the vulnerability in Firefox 87 and Firefox ESR 78.9. The long-term mitigation strategy relied on the deployment of Project Fission. Short-term mitigations included implementing conditional masking at the double-to-Value boxing step in the JIT compiler and adding fence instructions before string operations. The existing timer mitigations in Firefox also helped reduce the effectiveness of potential exploits (Mozilla Advisory, Mozilla Bug).