Revision: 5845
Author: [email protected]
Date: Thu Nov 18 00:23:49 2010
Log: Landing for Justing Schuh.
Split out the random number state between JavaScript and private API
I've added v8::RandomPrivate() for internaly used random numbers, and pass
the state in as a parameter to a random_base function.
I still need to implement strong seeding. I already know how and will be
landing that in another patch.
BUG=http://code.google.com/p/v8/issues/detail?id=936
TEST=None.
Codereview URL: http://codereview.chromium.org/5143004
http://code.google.com/p/v8/source/detail?r=5845
Modified:
/branches/bleeding_edge/src/ia32/codegen-ia32.cc
/branches/bleeding_edge/src/platform-win32.cc
/branches/bleeding_edge/src/v8.cc
/branches/bleeding_edge/src/v8.h
=======================================
--- /branches/bleeding_edge/src/ia32/codegen-ia32.cc Wed Nov 17 05:59:07
2010
+++ /branches/bleeding_edge/src/ia32/codegen-ia32.cc Thu Nov 18 00:23:49
2010
@@ -154,7 +154,7 @@
safe_int32_mode_enabled_(true),
function_return_is_shadowed_(false),
in_spilled_code_(false),
- jit_cookie_((FLAG_mask_constants_with_cookie) ? V8::Random() : 0) {
+ jit_cookie_((FLAG_mask_constants_with_cookie) ?
V8::RandomPrivate() : 0) {
}
=======================================
--- /branches/bleeding_edge/src/platform-win32.cc Tue Oct 19 09:45:11 2010
+++ /branches/bleeding_edge/src/platform-win32.cc Thu Nov 18 00:23:49 2010
@@ -865,8 +865,9 @@
// For exectutable pages try and randomize the allocation address
if (prot == PAGE_EXECUTE_READWRITE && msize >= Page::kPageSize) {
- address = (V8::Random() << kPageSizeBits) |
kAllocationRandomAddressMin;
- address &= kAllocationRandomAddressMax;
+ address = (V8::RandomPrivate() << kPageSizeBits)
+ | kAllocationRandomAddressMin;
+ address &= kAllocationRandomAddressMax;
}
LPVOID mbase = VirtualAlloc(reinterpret_cast<void *>(address),
=======================================
--- /branches/bleeding_edge/src/v8.cc Tue Nov 16 00:01:45 2010
+++ /branches/bleeding_edge/src/v8.cc Thu Nov 18 00:23:49 2010
@@ -177,22 +177,41 @@
}
-uint32_t V8::Random() {
- // Random number generator using George Marsaglia's MWC algorithm.
- static uint32_t hi = 0;
- static uint32_t lo = 0;
-
+typedef struct {
+ uint32_t hi;
+ uint32_t lo;
+} random_state;
+
+
+// Random number generator using George Marsaglia's MWC algorithm.
+static uint32_t random_base(random_state *state) {
// Initialize seed using the system random(). If one of the seeds
// should ever become zero again, or if random() returns zero, we
// avoid getting stuck with zero bits in hi or lo by re-initializing
// them on demand.
- if (hi == 0) hi = random_seed();
- if (lo == 0) lo = random_seed();
+ if (state->hi == 0) state->hi = random_seed();
+ if (state->lo == 0) state->lo = random_seed();
// Mix the bits.
- hi = 36969 * (hi & 0xFFFF) + (hi >> 16);
- lo = 18273 * (lo & 0xFFFF) + (lo >> 16);
- return (hi << 16) + (lo & 0xFFFF);
+ state->hi = 36969 * (state->hi & 0xFFFF) + (state->hi >> 16);
+ state->lo = 18273 * (state->lo & 0xFFFF) + (state->lo >> 16);
+ return (state->hi << 16) + (state->lo & 0xFFFF);
+}
+
+
+// Used by JavaScript APIs
+uint32_t V8::Random() {
+ static random_state state = {0, 0};
+ return random_base(&state);
+}
+
+
+// Used internally by the JIT and memory allocator for security
+// purposes. So, we keep a different state to prevent informations
+// leaks that could be used in an exploit.
+uint32_t V8::RandomPrivate() {
+ static random_state state = {0, 0};
+ return random_base(&state);
}
=======================================
--- /branches/bleeding_edge/src/v8.h Mon Nov 15 05:23:30 2010
+++ /branches/bleeding_edge/src/v8.h Thu Nov 18 00:23:49 2010
@@ -94,6 +94,11 @@
// Random number generation support. Not cryptographically safe.
static uint32_t Random();
+ // We use random numbers internally in memory allocation and in the
+ // compilers for security. In order to prevent information leaks we
+ // use a separate random state for internal random number
+ // generation.
+ static uint32_t RandomPrivate();
static Object* FillHeapNumberWithRandom(Object* heap_number);
// Idle notification directly from the API.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
