Changeset 239245 in webkit


Timestamp:
Dec 14, 2018 7:05:59 PM (5 years ago)
Author:
keith_miller@apple.com
Message:

Gigacage runway should immediately follow the primitive cage
https://bugs.webkit.org/show_bug.cgi?id=192733

Reviewed by Saam Barati.

This patch makes sure that the Gigacage runway is always
immediately after the primitive cage, since writing outside the
primitive gigacage is likely to be more dangerous than writing outside
the JSValue cage. The ordering of the cages is still random, however.

  • bmalloc/Gigacage.cpp:

(Gigacage::ensureGigacage):

Location:
trunk/Source/bmalloc
Files:
2 edited

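--- a/trunk/Source/bmalloc/ChangeLog
+++ b/trunk/Source/bmalloc/ChangeLog
@@ -1,2 +1,17 @@
+2018-12-14  Keith Miller  <keith_miller@apple.com>
+
+        Gigacage runway should immediately follow the primitive cage
+        https://bugs.webkit.org/show_bug.cgi?id=192733
+
+        Reviewed by Saam Barati.
+
+        This patch makes sure that the Gigacage runway is always
+        immediately after the primitive cage. Since writing outside the
+        primitive gigacage is likely to be more dangerous than the JSValue
+        cage. The ordering of the cages is still random however.
+
+        * bmalloc/Gigacage.cpp:
+        (Gigacage::ensureGigacage):
+
 2018-12-13  Mark Lam  <mark.lam@apple.com>
 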
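--- a/trunk/Source/bmalloc/bmalloc/Gigacage.cpp
+++ b/trunk/Source/bmalloc/bmalloc/Gigacage.cpp
@@ -100,4 +100,16 @@
 };
 
+#if GIGACAGE_ENABLED
+size_t runwaySize(Kind kind)
+{
+    switch (kind) {
+    case Kind::Primitive:
+        return static_cast<size_t>(GIGACAGE_RUNWAY);
+    case Kind::JSValue:
+        return static_cast<size_t>(0);
+    }
+}
+#endif
+
 } // anonymous namespace
 
@@ -141,8 +153,8 @@
             for (Kind kind : shuffledKinds) {
                 totalSize = bump(kind, alignTo(kind, totalSize));
+                totalSize += runwaySize(kind);
                 maxAlignment = std::max(maxAlignment, alignment(kind));
             }
-            totalSize += GIGACAGE_RUNWAY;
-            
+
             // FIXME: Randomize where this goes.
             // https://bugs.webkit.org/show_bug.cgi?id=175245
@@ -156,12 +168,4 @@
             }
 
-            if (GIGACAGE_RUNWAY > 0) {
-                char* runway = reinterpret_cast<char*>(base) + totalSize - GIGACAGE_RUNWAY;
-                // Make OOB accesses into the runway crash.
-                vmRevokePermissions(runway, GIGACAGE_RUNWAY);
-            }
-
-            vmDeallocatePhysicalPages(base, totalSize);
-            
             size_t nextCage = 0;
             for (Kind kind : shuffledKinds) {
@@ -169,6 +173,13 @@
                 basePtr(kind) = reinterpret_cast<char*>(base) + nextCage;
                 nextCage = bump(kind, nextCage);
-            }
-            
+                if (runwaySize(kind) > 0) {
+                    char* runway = reinterpret_cast<char*>(base) + nextCage;
+                    // Make OOB accesses into the runway crash.
+                    vmRevokePermissions(runway, runwaySize(kind));
+                    nextCage += runwaySize(kind);
+                }
+            }
+           
+            vmDeallocatePhysicalPages(base, totalSize);
             protectGigacageBasePtrs();
             g_wasEnabled = true;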
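Review bot: `runwaySize` (new lines 103-111) returns from both `case` labels but has no return or crash after the `switch`, so any `Kind` value other than `Primitive` or `JSValue` falls off the end of a non-void function, which is undefined behaviour; whether `Kind` has further enumerators is not visible in this hunk, but an explicit `BCRASH();` after the closing brace of the `switch` (or a `default:` that crashes) enforces the contract instead of relying on `-Wreturn-type`. In the placement loop (new lines 175-179) `runwaySize(kind)` is evaluated three times; a single `size_t runway = runwaySize(kind);` before the `if` reads better and keeps the revoked length and the bump amount visibly the same value. The function also deserves a comment stating its protective purpose, e.g. `// Size of the guard region placed directly after this cage; its pages have all permissions revoked so an out-of-bounds access past the cage faults instead of reaching whatever is mapped next.`, since that rationale currently lives only in the ChangeLog. New line 182 is whitespace-only with trailing spaces.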