Title: [224811] trunk/Source/bmalloc
Revision
224811
Author
sbar...@apple.com
Date
2017-11-14 01:08:06 -0800 (Tue, 14 Nov 2017)

Log Message

Make the gigacage runway 32GB
https://bugs.webkit.org/show_bug.cgi?id=175062

Reviewed by Mark Lam.

Making the gigacage runway 32GB defends us against buffer overflows in the
cage reaching memory outside the cage assuming indices are 32-bit unsigned
integers and the type they're indexing into has size <= 8 bytes. This is
exactly the case for many things in JSC. For example, butterfly access in
JSC meets this criterion, as does typed array access.

The 32GB comes from 8 * 2^32 = 32GB.

* bmalloc/Gigacage.cpp:
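The arithmetic behind the 32GB figure, worked through as an added example (this is not code from the commit or from bmalloc; the function names are the example's own, and the two runway constants simply mirror the old and new GIGACAGE_RUNWAY values). maxReachBytes computes the farthest byte an unsigned index of a given width into elements of a given size can touch past an object's base, runwayCovers checks whether a runway of a given size contains that reach, and maxCoveredElementSize inverts the relation to show why 16GB only covered 4-byte elements while 32GB covers 8-byte ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Runway sizes before and after this commit (same expressions as Gigacage.cpp). */
#define RUNWAY_16GB (16llu * 1024 * 1024 * 1024)
#define RUNWAY_32GB (32llu * 1024 * 1024 * 1024)

/* Farthest byte (exclusive) past an object's base that an unsigned index of
 * indexBits bits into elementSize-byte elements can touch:
 * (2^indexBits - 1) * elementSize + elementSize == elementSize * 2^indexBits.
 * Saturates to UINT64_MAX when the product does not fit in 64 bits. */
static uint64_t maxReachBytes(unsigned indexBits, uint64_t elementSize)
{
    if (indexBits >= 64 || elementSize > (UINT64_MAX >> indexBits))
        return UINT64_MAX;
    return elementSize << indexBits;
}

/* A runway of runwayBytes after the cage keeps every such access inside
 * cage + runway (for any object whose base lies in the cage) iff the
 * worst-case reach does not exceed the runway. */
static bool runwayCovers(uint64_t runwayBytes, unsigned indexBits, uint64_t elementSize)
{
    return maxReachBytes(indexBits, elementSize) <= runwayBytes;
}

/* Largest element size a runway fully covers for the given index width:
 * runway / 2^indexBits (e.g. 32GB / 2^32 == 8). */
static uint64_t maxCoveredElementSize(uint64_t runwayBytes, unsigned indexBits)
{
    return indexBits >= 64 ? 0 : runwayBytes >> indexBits;
}

int main(void)
{
    /* Constructed sample element sizes: byte, int32/float, double/pointer, 16-byte. */
    const uint64_t sizes[] = { 1, 4, 8, 16 };
    printf("runway  elem  covered by a 32-bit unsigned index?\n");
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("16GB  %5llu  %s\n", (unsigned long long)sizes[i],
               runwayCovers(RUNWAY_16GB, 32, sizes[i]) ? "yes" : "no");
        printf("32GB  %5llu  %s\n", (unsigned long long)sizes[i],
               runwayCovers(RUNWAY_32GB, 32, sizes[i]) ? "yes" : "no");
    }
    printf("largest element size covered: 16GB -> %llu bytes, 32GB -> %llu bytes\n",
           (unsigned long long)maxCoveredElementSize(RUNWAY_16GB, 32),
           (unsigned long long)maxCoveredElementSize(RUNWAY_32GB, 32));
    return 0;
}
```

The table makes the commit's caveat concrete: with 32-bit unsigned indices the 32GB runway is exactly 8 * 2^32 bytes, so 8-byte elements are covered and 16-byte elements are not, and an index wider than 32 bits is outside the guarantee entirely.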

Modified Paths

Diff

Modified: trunk/Source/bmalloc/ChangeLog (224810 => 224811)


--- trunk/Source/bmalloc/ChangeLog	2017-11-14 09:05:33 UTC (rev 224810)
+++ trunk/Source/bmalloc/ChangeLog	2017-11-14 09:08:06 UTC (rev 224811)
@@ -1,3 +1,20 @@
+2017-11-14  Saam Barati  <sbar...@apple.com>
+
+        Make the gigacage runway 32GB
+        https://bugs.webkit.org/show_bug.cgi?id=175062
+
+        Reviewed by Mark Lam.
+
+        Making the gigacage runway 32GB defends us against buffer overflows in the
+        cage reaching memory outside the cage assuming indices are 32-bit unsigned
+        integers and the type they're indexing into has size <= 8 bytes. This is
+        exactly the case for many things in JSC. For example, butterfly access in
+        JSC meet this criteria, as does typed array access.
+        
+        The 32GB comes from 8 * 2^32 = 32GB.
+
+        * bmalloc/Gigacage.cpp:
+
 2017-11-08  Michael Catanzaro  <mcatanz...@igalia.com>
 
         Gigacage.cpp:44:46: warning: ‘*’ in boolean context, suggest ‘&&’ instead [-Wint-in-bool-context]
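Review bot: the "* bmalloc/Gigacage.cpp:" line of the new entry has nothing after the colon; following the per-file convention, record what changed, e.g. "(GIGACAGE_RUNWAY): Bump from 16GB to 32GB and drop the FIXME." Two smaller points in the same entry: the blank line between the prose paragraphs ("+        ") carries trailing whitespace, and "butterfly access in JSC meet this criteria" should read "meets this criterion".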

Modified: trunk/Source/bmalloc/bmalloc/Gigacage.cpp (224810 => 224811)


--- trunk/Source/bmalloc/bmalloc/Gigacage.cpp	2017-11-14 09:05:33 UTC (rev 224810)
+++ trunk/Source/bmalloc/bmalloc/Gigacage.cpp	2017-11-14 09:08:06 UTC (rev 224811)
@@ -39,9 +39,7 @@
 // https://bugs.webkit.org/show_bug.cgi?id=177605
 #define GIGACAGE_RUNWAY 0
 #else
-// FIXME: Consider making this 32GB, in case unsigned 32-bit indices find their way into indexed accesses.
-// https://bugs.webkit.org/show_bug.cgi?id=175062
-#define GIGACAGE_RUNWAY (16llu * 1024 * 1024 * 1024)
+#define GIGACAGE_RUNWAY (32llu * 1024 * 1024 * 1024)
 #endif
 
 char g_gigacageBasePtrs[GIGACAGE_BASE_PTRS_SIZE] __attribute__((aligned(GIGACAGE_BASE_PTRS_SIZE)));
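Review bot: with the FIXME and its bug URL removed, the #else branch no longer documents why the runway is 32GB; keep a one-line comment above `#define GIGACAGE_RUNWAY (32llu * 1024 * 1024 * 1024)` recording the derivation given in the log message (8-byte elements * 2^32 unsigned 32-bit indices = 32GB) and the bug link, so a later reader knows the bound is tied to an element size of at most 8 bytes and does not cover wider element types or wider indices. The literal itself is fine: the 32llu operand keeps the multiplication in unsigned long long, so the product cannot overflow a 32-bit int.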