Changeset 138293 in webkit
Timestamp:
Dec 20, 2012, 1:35:56 PM
Author:
oliver@apple.com
Message:

Harden pointers in FastMalloc's singly linked list implementation
https://bugs.webkit.org/show_bug.cgi?id=105571

Reviewed by Gavin Barraclough.

Add simple xor based hardening of the next pointer in the
fast malloc singly linked list implementation. We rely on
ASLR to introduce the address randomness we want for the mask.
Happily this produces a very low cost random value to use.

  • wtf/FastMalloc.cpp:

(WTF):
(WTF::SLL_Next):
(WTF::SLL_SetNext):
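The masking scheme the message describes, as an added C model that is not WebKit's code: it mirrors SLL_Next/SLL_SetNext with a caller-supplied mask (hypothetical `g_mask`, standing in for the address of `kLLHardeningMask`) so runs are deterministic, and shows the caveat that a null next pointer is stored as the mask value itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not WebKit code: a minimal model of the XOR-hardened
 * singly linked list from the patch. The mask is a caller-supplied value
 * (hypothetical g_mask) rather than &kLLHardeningMask, so it is deterministic. */
static uintptr_t g_mask;

/* Same operation both ways: XOR is its own inverse, exactly like MASK_PTR/UNMASK_PTR. */
static void *mask_ptr(void *p)   { return (void *)((uintptr_t)p ^ g_mask); }
static void *unmask_ptr(void *p) { return (void *)((uintptr_t)p ^ g_mask); }

/* Hardened accessors mirroring SLL_Next / SLL_SetNext after the change. */
static void *sll_next(void *t)              { return unmask_ptr(*(void **)t); }
static void  sll_set_next(void *t, void *n) { *(void **)t = mask_ptr(n); }

/* The word as it sits in memory: what an unconverted reader would see. */
static void *sll_raw_next(void *t) { return *(void **)t; }

static void  sll_push(void **list, void *t) { sll_set_next(t, *list); *list = t; }
static void *sll_pop(void **list) { void *t = *list; *list = sll_next(t); return t; }

/* Pushes n nodes (n <= 8), pops them back through the hardened accessors and
 * returns how many came back in LIFO order with the list empty afterwards. */
size_t demo_roundtrip(uintptr_t mask, size_t n) {
    void *nodes[8];
    void *list = NULL;
    size_t i, ok = 0;
    g_mask = mask;
    if (n > 8) return 0;
    for (i = 0; i < n; i++) { nodes[i] = malloc(sizeof(void *)); sll_push(&list, nodes[i]); }
    for (i = n; i-- > 0;) { if (sll_pop(&list) == nodes[i]) ok++; }
    for (i = 0; i < n; i++) free(nodes[i]);
    return list == NULL ? ok : 0;
}

/* Caveat worth recording: the terminator (next == NULL) is stored as 0 ^ mask,
 * so the raw word of the last node equals the mask. Returns 1 when that holds
 * and the stored word differs from a plain NULL (i.e. the mask is non-zero). */
int terminator_holds_mask(uintptr_t mask) {
    void *node = malloc(sizeof(void *));
    int leaked, hidden;
    g_mask = mask;
    sll_set_next(node, NULL);
    leaked = (uintptr_t)sll_raw_next(node) == mask;
    hidden = sll_raw_next(node) != NULL;
    free(node);
    return leaked && hidden;
}
```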

Location:
trunk/Source/WTF
Files:
2 edited

  • trunk/Source/WTF/ChangeLog

    r138194 r138293  
     12012-12-20  Oliver Hunt  <oliver@apple.com>
     2
     3        Harden pointers in FastMalloc's singly linked list implementation
     4        https://bugs.webkit.org/show_bug.cgi?id=105571
     5
     6        Reviewed by Gavin Barraclough.
     7
     8        Add simple xor based hardening of the next pointer in the
     9        fast malloc singly linked list implementation.  We rely on
     10        ASLR to introduce the address randomness we want for the mask.
     11        Happily this produces a very low cost random value to use.
     12
     13        * wtf/FastMalloc.cpp:
     14        (WTF):
     15        (WTF::SLL_Next):
     16        (WTF::SLL_SetNext):
     17
    1182012-12-19  Oliver Hunt  <oliver@apple.com>
    219
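Review bot: the ChangeLog entry does not record that the hardening is compiled in only under COMPILER(GCC) through the new ENABLE_TCMALLOC_HARDENING switch, nor list the added kLLHardeningMask constant and the MASK_PTR/UNMASK_PTR macros; adding those keeps the entry consistent with the lines actually changed in FastMalloc.cpp.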
  • trunk/Source/WTF/wtf/FastMalloc.cpp

    r134493 r138293  
    101101#endif
    102102
     103// Harden the pointers stored in the TCMalloc linked lists
     104#if COMPILER(GCC)
     105#define ENABLE_TCMALLOC_HARDENING 1
     106#endif
     107
    103108// Use a background thread to periodically scavenge memory to release back to the system
    104109#if PLATFORM(IOS)
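Review bot: gating ENABLE_TCMALLOC_HARDENING on COMPILER(GCC) in new lines 104-106 means every non-GCC build keeps unmasked freelist pointers, and the comment on line 103 does not say why the hardening is compiler-specific. The only GCC dependency visible in the patch is `typeof` inside MASK_PTR/UNMASK_PTR; replacing the macro casts with a small template such as `template<typename T> T maskPtr(T ptr)` would lift the restriction, or at minimum the comment should state the reason so the gap is not forgotten.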
     
    496501#define MESSAGE LOG_ERROR
    497502#define CHECK_CONDITION ASSERT
     503
     504#if ENABLE(TCMALLOC_HARDENING)
     505/*
     506 * To make it harder to exploit use-after free style exploits
     507 * we mask the addresses we put into our linked lists with the
     508 * address of kLLHardeningMask.  Due to ASLR the address of
     509 * kLLHardeningMask should be sufficiently randomized to make direct
     510 * freelist manipulation much more difficult.
     511 */
     512static const char kLLHardeningMask = 0;
     513#define MASK_PTR(ptr) (reinterpret_cast<typeof(ptr)>(reinterpret_cast<uintptr_t>(ptr)^reinterpret_cast<uintptr_t>(&kLLHardeningMask)))
     514#define UNMASK_PTR(ptr) (reinterpret_cast<typeof(ptr)>(reinterpret_cast<uintptr_t>(ptr)^reinterpret_cast<uintptr_t>(&kLLHardeningMask)))
     515#else
     516#define MASK_PTR(ptr) (ptr)
     517#define UNMASK_PTR(ptr) (ptr)
     518#endif
     519
    498520
    499521//-------------------------------------------------------------------
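Review bot: MASK_PTR and UNMASK_PTR (new lines 513-514) are textually identical; `#define UNMASK_PTR(ptr) MASK_PTR(ptr)` would stop them drifting apart. Two properties of the mask deserve a sentence in the comment block at lines 505-511: masking a null next pointer stores `&kLLHardeningMask` itself in the list terminator, so the mask cannot be treated as a secret once any freed block is readable, and ASLR relocates images at page granularity, so the low bits of the mask are fixed at link time. If a stronger mask is wanted, a per-process random word initialised at allocator start-up would address both. Also, "use-after free" on line 506 should read "use-after-free".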
     
    663685
    664686static inline void *SLL_Next(void *t) {
    665   return *(reinterpret_cast<void**>(t));
     687  return UNMASK_PTR(*(reinterpret_cast<void**>(t)));
    666688}
    667689
    668690static inline void SLL_SetNext(void *t, void *n) {
    669   *(reinterpret_cast<void**>(t)) = n;
     691  *(reinterpret_cast<void**>(t)) = MASK_PTR(n);
    670692}
    671693
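Review bot: only SLL_Next and SLL_SetNext change (new lines 687 and 691), so any remaining site that reads or writes a next field directly through `*(reinterpret_cast<void**>(t))` now sees a masked word; the diff gives no evidence that no such sites remain, and a search for that pattern in FastMalloc.cpp should accompany the change. The two helpers also gain no comment stating that the stored word is masked and must only be accessed through them.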