Changeset 224811 in webkit

Timestamp:

Nov 14, 2017 1:08:06 AM (7 years ago)

Author:

sbarati@apple.com

Message:

Make the gigacage runway 32GB
​https://bugs.webkit.org/show_bug.cgi?id=175062

Reviewed by Mark Lam.

Making the gigacage runway 32GB defends us against buffer overflows in the
cage reaching memory outside the cage assuming indices are 32-bit unsigned
integers and the type they're indexing into has size <= 8 bytes. This is
exactly the case for many things in JSC. For example, butterfly access in
JSC meet this criteria, as does typed array access.

The 32GB comes from 8 * 2^{32 = 32GB.}

• bmalloc/Gigacage.cpp:

Location:

trunk/Source/bmalloc

Files:

• ChangeLog (modified) (1 diff)
• bmalloc/Gigacage.cpp (modified) (1 diff)

trunk/Source/bmalloc/ChangeLog

@@ +1 @@
+2017-11-14  Saam Barati  <sbarati@apple.com>
+
+        Make the gigacage runway 32GB
+        https://bugs.webkit.org/show_bug.cgi?id=175062
+
+        Reviewed by Mark Lam.
+
+        Making the gigacage runway 32GB defends us against buffer overflows in the
+        cage reaching memory outside the cage assuming indices are 32-bit unsigned
+        integers and the type they're indexing into has size <= 8 bytes. This is
+        exactly the case for many things in JSC. For example, butterfly access in
+        JSC meet this criteria, as does typed array access.
+        
+        The 32GB comes from 8 * 2^32 = 32GB.
+
+        * bmalloc/Gigacage.cpp:
+
 2017-11-08  Michael Catanzaro  <mcatanzaro@igalia.com>
 

trunk/Source/bmalloc/bmalloc/Gigacage.cpp

@@ -40 +40 @@
 #define GIGACAGE_RUNWAY 0
 #else
-// FIXME: Consider making this 32GB, in case unsigned 32-bit indices find their way into indexed accesses.
-// https://bugs.webkit.org/show_bug.cgi?id=175062
-#define GIGACAGE_RUNWAY (16llu * 1024 * 1024 * 1024)
+#define GIGACAGE_RUNWAY (32llu * 1024 * 1024 * 1024)
 #endif