Title: [224555] trunk/Source/bmalloc
- Revision: 224555
- Author: [email protected]
- Date: 2017-11-07 15:31:22 -0800 (Tue, 07 Nov 2017)
Log Message
We should PROT_NONE the Gigacage runway so OOB accesses crash
https://bugs.webkit.org/show_bug.cgi?id=179392
Reviewed by Mark Lam.
If we assume that an attacker will exploit JSC and cause OOB accesses,
we should make OOB accesses in the Gigacage runway crash.
* bmalloc/Gigacage.cpp:
(Gigacage::ensureGigacage):
Modified Paths
Diff
Modified: trunk/Source/bmalloc/ChangeLog (224554 => 224555)
--- trunk/Source/bmalloc/ChangeLog 2017-11-07 23:21:38 UTC (rev 224554)
+++ trunk/Source/bmalloc/ChangeLog 2017-11-07 23:31:22 UTC (rev 224555)
@@ -1,3 +1,16 @@
+2017-11-07 Saam Barati <[email protected]>
+
+ We should PROT_NONE the Gigacage runway so OOB accesses crash
+ https://bugs.webkit.org/show_bug.cgi?id=179392
+
+ Reviewed by Mark Lam.
+
+ If we assume that an attacker will exploit JSC and cause OOB accesses,
+ we should make OOB accesses in the Gigacage runway crash.
+
+ * bmalloc/Gigacage.cpp:
+ (Gigacage::ensureGigacage):
+
2017-10-31 Filip Pizlo <[email protected]>
bmalloc should support strictly type-segregated isolated heaps
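Review bot: the per-function line "(Gigacage::ensureGigacage):" in the new ChangeLog entry carries no description of what changed, while the paragraph above it states only the motivation. Add a short description after that line, for example that when GIGACAGE_RUNWAY is non-zero the runway at the end of the cage now has its permissions revoked via vmRevokePermissions so that any access into it faults, so readers of the log can see the mechanism as well as the reason.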
Modified: trunk/Source/bmalloc/bmalloc/Gigacage.cpp (224554 => 224555)
--- trunk/Source/bmalloc/bmalloc/Gigacage.cpp 2017-11-07 23:21:38 UTC (rev 224554)
+++ trunk/Source/bmalloc/bmalloc/Gigacage.cpp 2017-11-07 23:31:22 UTC (rev 224555)
@@ -155,6 +155,13 @@
fprintf(stderr, "FATAL: Could not allocate gigacage memory with maxAlignment = %lu, totalSize = %lu.\n", maxAlignment, totalSize);
BCRASH();
}
+
+ if (GIGACAGE_RUNWAY) {
+ char* runway = reinterpret_cast<char*>(base) + totalSize - GIGACAGE_RUNWAY;
+ // Make OOB accesses into the runway crash.
+ vmRevokePermissions(runway, GIGACAGE_RUNWAY);
+ }
+
vmDeallocatePhysicalPages(base, totalSize);
size_t nextCage = 0;
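Review bot: the vmRevokePermissions call on the runway is followed by the unchanged `vmDeallocatePhysicalPages(base, totalSize);`, whose range still covers the runway that was just made PROT_NONE. Please confirm that the page-advice call inside vmDeallocatePhysicalPages succeeds on a range that no longer has read/write permission on every supported platform, or shrink that call to `totalSize - GIGACAGE_RUNWAY` so the runway is excluded (it never holds data, so there is nothing there to release). Two further checks worth stating in the patch: `runway` must be page-aligned for the permission change to apply to exactly the intended range, so GIGACAGE_RUNWAY should be a multiple of the page size, and the cage-carving code that follows (`size_t nextCage = 0;`) must never hand out addresses inside `[runway, runway + GIGACAGE_RUNWAY)`, otherwise legitimate allocations would now fault rather than only OOB accesses.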
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes