Changeset 143811 in webkit

Timestamp:

Feb 22, 2013, 3:37:20 PM (13 years ago)

Author:

jschuh@chromium.org

Message:

RenderArena masking has low entropy
​https://bugs.webkit.org/show_bug.cgi?id=110394

Reviewed by Oliver Hunt.

No new tests. This is a hardening measure.

• rendering/RenderArena.cpp:

(WebCore::RenderArena::RenderArena):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• rendering/RenderArena.cpp (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-02-22  Justin Schuh  <jschuh@chromium.org>
+
+        RenderArena masking has low entropy
+        https://bugs.webkit.org/show_bug.cgi?id=110394
+
+        Reviewed by Oliver Hunt.
+
+        No new tests. This is a hardening measure.
+
+        * rendering/RenderArena.cpp:
+        (WebCore::RenderArena::RenderArena):
+
 2013-02-22  Min Qin  <qinmin@chromium.org>
 

trunk/Source/WebCore/rendering/RenderArena.cpp

@@ -37 +37 @@
 #include "RenderArena.h"
 
+#include <limits>
 #include <stdlib.h>
 #include <string.h>
 #include <wtf/Assertions.h>
+#include <wtf/CryptographicallyRandomNumber.h>
 
 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
@@ -90 +92 @@
     // RenderObject pointer.
     // See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf.
-
-    // The bottom bits are predictable because the binary is loaded on a
-    // boundary. This just shifts most of those predictable bits out.
-    m_mask = ~(reinterpret_cast<uintptr_t>(WTF::fastMalloc) >> 13);
+    WTF::cryptographicallyRandomValues(&m_mask, sizeof(m_mask));
+    m_mask |= (static_cast<uintptr_t>(3) << (std::numeric_limits<uintptr_t>::digits - 2)) | 1;
 }