Title: [239245] trunk/Source/bmalloc
- Revision
- 239245
- Author
- [email protected]
- Date
- 2018-12-14 19:05:59 -0800 (Fri, 14 Dec 2018)
Log Message
Gigacage runway should immediately follow the primitive cage
https://bugs.webkit.org/show_bug.cgi?id=192733
Reviewed by Saam Barati.
This patch makes sure that the Gigacage runway is always
immediately after the primitive cage, since writing outside the
primitive gigacage is likely to be more dangerous than writing outside
the JSValue cage. The ordering of the cages is still random, however.
* bmalloc/Gigacage.cpp:
(Gigacage::ensureGigacage):
Modified: trunk/Source/bmalloc/ChangeLog (239244 => 239245)
--- trunk/Source/bmalloc/ChangeLog 2018-12-15 02:28:17 UTC (rev 239244)
+++ trunk/Source/bmalloc/ChangeLog 2018-12-15 03:05:59 UTC (rev 239245)
@@ -1,3 +1,18 @@
+2018-12-14 Keith Miller <[email protected]>
+
+ Gigacage runway should immediately follow the primitive cage
+ https://bugs.webkit.org/show_bug.cgi?id=192733
+
+ Reviewed by Saam Barati.
+
+ This patch makes sure that the Gigacage runway is always
+ immediately after the primitive cage. Since writing outside the
+ primitive gigacage is likely to be more dangerous than the JSValue
+ cage. The ordering of the cages is still random however.
+
+ * bmalloc/Gigacage.cpp:
+ (Gigacage::ensureGigacage):
+
2018-12-13 Mark Lam <[email protected]>
Verify that tryLargeZeroedMemalignVirtual()'s aligned size and alignment values are valid.
Modified: trunk/Source/bmalloc/bmalloc/Gigacage.cpp (239244 => 239245)
--- trunk/Source/bmalloc/bmalloc/Gigacage.cpp 2018-12-15 02:28:17 UTC (rev 239244)
+++ trunk/Source/bmalloc/bmalloc/Gigacage.cpp 2018-12-15 03:05:59 UTC (rev 239245)
@@ -99,6 +99,18 @@
Vector<Callback> callbacks;
};
+#if GIGACAGE_ENABLED
+size_t runwaySize(Kind kind)
+{
+ switch (kind) {
+ case Kind::Primitive:
+ return static_cast<size_t>(GIGACAGE_RUNWAY);
+ case Kind::JSValue:
+ return static_cast<size_t>(0);
+ }
+}
+#endif
+
} // anonymous namespace
void ensureGigacage()
@@ -140,10 +152,10 @@
for (Kind kind : shuffledKinds) {
totalSize = bump(kind, alignTo(kind, totalSize));
+ totalSize += runwaySize(kind);
maxAlignment = std::max(maxAlignment, alignment(kind));
}
- totalSize += GIGACAGE_RUNWAY;
-
+
// FIXME: Randomize where this goes.
// https://bugs.webkit.org/show_bug.cgi?id=175245
void* base = tryVMAllocate(maxAlignment, totalSize);
@@ -155,21 +167,20 @@
BCRASH();
}
- if (GIGACAGE_RUNWAY > 0) {
- char* runway = reinterpret_cast<char*>(base) + totalSize - GIGACAGE_RUNWAY;
- // Make OOB accesses into the runway crash.
- vmRevokePermissions(runway, GIGACAGE_RUNWAY);
- }
-
- vmDeallocatePhysicalPages(base, totalSize);
-
size_t nextCage = 0;
for (Kind kind : shuffledKinds) {
nextCage = alignTo(kind, nextCage);
basePtr(kind) = reinterpret_cast<char*>(base) + nextCage;
nextCage = bump(kind, nextCage);
+ if (runwaySize(kind) > 0) {
+ char* runway = reinterpret_cast<char*>(base) + nextCage;
+ // Make OOB accesses into the runway crash.
+ vmRevokePermissions(runway, runwaySize(kind));
+ nextCage += runwaySize(kind);
+ }
}
+ vmDeallocatePhysicalPages(base, totalSize);
protectGigacageBasePtrs();
g_wasEnabled = true;
});
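Review bot: `runwaySize` in the first hunk returns from each `case` but has nothing after the `switch`, so if `Kind` ever gains another enumerator, or an out-of-range value reaches it, control falls off the end of a non-void function, which is undefined behaviour (and a `-Wreturn-type` warning on most compilers). Closing the switch the way the rest of this file handles impossible states, `BCRASH();` followed by `return 0;` after the switch's closing brace, removes that hole; the `return` also keeps the compiler quiet if `BCRASH` is not declared noreturn. In the third hunk `runwaySize(kind)` is evaluated three times per iteration; a `const size_t runway = runwaySize(kind);` before the `if` would read better and make the accounting against the first loop's `totalSize += runwaySize(kind)` easier to check. A one-line comment on `runwaySize`, `// Only the primitive cage gets a guard region; the JSValue cage is followed directly by whatever comes next in the shuffle.`, would record the asymmetry that the ChangeLog explains but the code does not. The body of `ensureGigacage` begins and continues outside these hunks, so whether its use of `runwaySize` sits under the same `GIGACAGE_ENABLED` guard as the definition cannot be confirmed from here.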