Title: [229366] trunk/Source/_javascript_Core
Revision
229366
Author
[email protected]
Date
2018-03-07 10:14:02 -0800 (Wed, 07 Mar 2018)

Log Message

MarkedArgumentsBuffer should allocate from the JSValue Gigacage
https://bugs.webkit.org/show_bug.cgi?id=183377

Reviewed by Michael Saboff.
        
That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.

* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::expandCapacity):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (229365 => 229366)


--- trunk/Source/_javascript_Core/ChangeLog	2018-03-07 18:09:43 UTC (rev 229365)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-03-07 18:14:02 UTC (rev 229366)
@@ -1,3 +1,15 @@
+2018-03-06  Filip Pizlo  <[email protected]>
+
+        MarkedArgumentsBuffer should allocate from the JSValue Gigacage
+        https://bugs.webkit.org/show_bug.cgi?id=183377
+
+        Reviewed by Michael Saboff.
+        
+        That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
+
+        * runtime/ArgList.cpp:
+        (JSC::MarkedArgumentBuffer::expandCapacity):
+
 2018-03-07  Mark Lam  <[email protected]>
 
         Add support for ARM64E.
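Review bot: the ChangeLog entry added in this hunk is inconsistent with the rest of the revision in three places and should be corrected before landing. The entry is dated `2018-03-06` yet sits above Mark Lam's `2018-03-07` entry and the commit itself is dated 2018-03-07; the title says `MarkedArgumentsBuffer` while the class actually touched is `MarkedArgumentBuffer`; and the file list names only `runtime/ArgList.cpp` / `(JSC::MarkedArgumentBuffer::expandCapacity):` although `runtime/ArgList.h` is modified in the same revision (the free path in the hunk at line 57). Suggest fixing the date and the class name and adding a `* runtime/ArgList.h:` line with the function whose free call changed, so the entry documents both halves of the allocator switch.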

Modified: trunk/Source/_javascript_Core/runtime/ArgList.cpp (229365 => 229366)


--- trunk/Source/_javascript_Core/runtime/ArgList.cpp	2018-03-07 18:09:43 UTC (rev 229365)
+++ trunk/Source/_javascript_Core/runtime/ArgList.cpp	2018-03-07 18:14:02 UTC (rev 229366)
@@ -88,7 +88,7 @@
     auto checkedSize = Checked<size_t, RecordOverflow>(newCapacity) * sizeof(EncodedJSValue);
     if (UNLIKELY(checkedSize.hasOverflowed()))
         return this->overflowed();
-    EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(checkedSize.unsafeGet()));
+    EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::malloc(Gigacage::JSValue, checkedSize.unsafeGet()));
     for (int i = 0; i < m_size; ++i) {
         newBuffer[i] = m_buffer[i];
         addMarkSet(JSValue::decode(m_buffer[i]));
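Review bot: there is no null check on the result of `Gigacage::malloc(Gigacage::JSValue, checkedSize.unsafeGet())` before the copy loop writes `newBuffer[i]`; the previous `fastMalloc` call had none either, but whether `Gigacage::malloc` crashes on allocation failure the way `fastMalloc` does is not visible from this hunk and should be confirmed, otherwise an out-of-memory condition becomes a null-pointer write instead of a controlled crash. Also note that once this allocation moves into the JSValue Gigacage, `mallocBase()` remains the only thing distinguishing inline storage from heap storage, so every release of `m_buffer` that it guards must use the matching `Gigacage::free`; a leftover `fastFree` on a Gigacage pointer would be a mismatched-allocator free.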
@@ -95,7 +95,7 @@
     }
 
     if (EncodedJSValue* base = mallocBase())
-        fastFree(base);
+        Gigacage::free(Gigacage::JSValue, base);
 
     m_buffer = newBuffer;
     m_capacity = newCapacity;
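Review bot: the ordering in this function is correct for the use-after-free concern the change is about: the old buffer is read by the copy loop and only then released through `Gigacage::free(Gigacage::JSValue, base)`, after which `m_buffer` is immediately repointed at `newBuffer`, so there is no window in which `m_buffer` refers to freed memory. The only thing worth tightening is that this free and the allocation above it are now two call sites that must agree on the cage; a brief comment at the allocation stating that the buffer lives in the JSValue Gigacage and must be freed with `Gigacage::free(Gigacage::JSValue, ...)` would make the pairing explicit for future edits.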

Modified: trunk/Source/_javascript_Core/runtime/ArgList.h (229365 => 229366)


--- trunk/Source/_javascript_Core/runtime/ArgList.h	2018-03-07 18:09:43 UTC (rev 229365)
+++ trunk/Source/_javascript_Core/runtime/ArgList.h	2018-03-07 18:14:02 UTC (rev 229366)
@@ -57,7 +57,7 @@
             m_markSet->remove(this);
 
         if (EncodedJSValue* base = mallocBase())
-            fastFree(base);
+            Gigacage::free(Gigacage::JSValue, base);
     }
 
     size_t size() const { return m_size; }
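Review bot: this is the second place that releases the heap buffer (the first is in `expandCapacity` in ArgList.cpp), and both now carry the identical `if (EncodedJSValue* base = mallocBase()) Gigacage::free(Gigacage::JSValue, base);` sequence. Suggest folding that into one private helper on `MarkedArgumentBuffer` so that a future allocator change cannot leave one site on `fastFree` while the other is on the Gigacage, and confirm with a search of the class that no other code path frees `m_buffer` directly, since any remaining `fastFree` of a pointer obtained from `Gigacage::malloc` would be a mismatched free.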
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
