Title: [239956] releases/WebKitGTK/webkit-2.22/Source/bmalloc
- Revision
- 239956
- Author
- [email protected]
- Date
- 2019-01-14 15:24:19 -0800 (Mon, 14 Jan 2019)
Log Message
Merge r239245 - Gigacage runway should immediately follow the primitive cage
https://bugs.webkit.org/show_bug.cgi?id=192733
Reviewed by Saam Barati.
This patch makes sure that the Gigacage runway is always
immediately after the primitive cage, since writing outside the
primitive gigacage is likely to be more dangerous than writing outside the JSValue
cage. The ordering of the cages is still random, however.
* bmalloc/Gigacage.cpp:
(Gigacage::ensureGigacage):
Modified: releases/WebKitGTK/webkit-2.22/Source/bmalloc/ChangeLog (239955 => 239956)
--- releases/WebKitGTK/webkit-2.22/Source/bmalloc/ChangeLog 2019-01-14 23:22:46 UTC (rev 239955)
+++ releases/WebKitGTK/webkit-2.22/Source/bmalloc/ChangeLog 2019-01-14 23:24:19 UTC (rev 239956)
@@ -1,3 +1,18 @@
+2018-12-14 Keith Miller <[email protected]>
+
+ Gigacage runway should immediately follow the primitive cage
+ https://bugs.webkit.org/show_bug.cgi?id=192733
+
+ Reviewed by Saam Barati.
+
+ This patch makes sure that the Gigacage runway is always
+ immediately after the primitive cage. Since writing outside the
+ primitive gigacage is likely to be more dangerous than the JSValue
+ cage. The ordering of the cages is still random however.
+
+ * bmalloc/Gigacage.cpp:
+ (Gigacage::ensureGigacage):
+
2018-08-16 Tomas Popela <[email protected]>
bmalloc: Coverity scan issues
Modified: releases/WebKitGTK/webkit-2.22/Source/bmalloc/bmalloc/Gigacage.cpp (239955 => 239956)
--- releases/WebKitGTK/webkit-2.22/Source/bmalloc/bmalloc/Gigacage.cpp 2019-01-14 23:22:46 UTC (rev 239955)
+++ releases/WebKitGTK/webkit-2.22/Source/bmalloc/bmalloc/Gigacage.cpp 2019-01-14 23:24:19 UTC (rev 239956)
@@ -99,6 +99,19 @@
Vector<Callback> callbacks;
};
+#if GIGACAGE_ENABLED
+size_t runwaySize(Kind kind)
+{
+ switch (kind) {
+ case Kind::Primitive:
+ return static_cast<size_t>(GIGACAGE_RUNWAY);
+ case Kind::JSValue:
+ return static_cast<size_t>(0);
+ }
+ return static_cast<size_t>(0);
+}
+#endif
+
} // anonymous namespace
void ensureGigacage()
@@ -140,10 +153,10 @@
for (Kind kind : shuffledKinds) {
totalSize = bump(kind, alignTo(kind, totalSize));
+ totalSize += runwaySize(kind);
maxAlignment = std::max(maxAlignment, alignment(kind));
}
- totalSize += GIGACAGE_RUNWAY;
-
+
// FIXME: Randomize where this goes.
// https://bugs.webkit.org/show_bug.cgi?id=175245
void* base = tryVMAllocate(maxAlignment, totalSize);
@@ -155,21 +168,20 @@
BCRASH();
}
- if (GIGACAGE_RUNWAY > 0) {
- char* runway = reinterpret_cast<char*>(base) + totalSize - GIGACAGE_RUNWAY;
- // Make OOB accesses into the runway crash.
- vmRevokePermissions(runway, GIGACAGE_RUNWAY);
- }
-
- vmDeallocatePhysicalPages(base, totalSize);
-
size_t nextCage = 0;
for (Kind kind : shuffledKinds) {
nextCage = alignTo(kind, nextCage);
basePtr(kind) = reinterpret_cast<char*>(base) + nextCage;
nextCage = bump(kind, nextCage);
+ if (runwaySize(kind) > 0) {
+ char* runway = reinterpret_cast<char*>(base) + nextCage;
+ // Make OOB accesses into the runway crash.
+ vmRevokePermissions(runway, runwaySize(kind));
+ nextCage += runwaySize(kind);
+ }
}
+ vmDeallocatePhysicalPages(base, totalSize);
protectGigacageBasePtrs();
g_wasEnabled = true;
});
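Review bot: The layout loop in this hunk re-derives the runway arithmetic that the size loop in the previous hunk already performs, and nothing verifies the two agree, so a later edit to only one of them would revoke permissions at the wrong offset or leave the tail of the mapping unguarded; after the loop add `BASSERT(nextCage == totalSize);`, which holds today because both loops apply alignTo, bump and runwaySize in the same shuffled order. `runwaySize(kind)` is also evaluated three times per iteration; a local `const size_t runway = runwaySize(kind);` at the top of the body would read more clearly. The body of ensureGigacage begins before this hunk.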