Title: [245622] trunk
- Revision
- 245622
- Author
- [email protected]
- Date
- 2019-05-22 10:21:19 -0700 (Wed, 22 May 2019)
Log Message
[JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
https://bugs.webkit.org/show_bug.cgi?id=198101
Reviewed by Michael Saboff.
JSTests:
* stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
(shouldBe):
Source/_javascript_Core:
When we allocate a 0-length ArrayBuffer, we allocate 1 byte of storage instead because we would like to ensure that
a non-neutered ArrayBuffer always has a non-null pointer. While we allocate 1 byte of storage, this ArrayBuffer says
sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1-byte size in the constructor.
On ARM64E devices, we sign the vector pointer with modifier = 1 (1-byte size), and later we authenticate this
pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer.
In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0-byte vector pointer.
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::tryAllocate):
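The mechanism behind this bug, as an added example that is not JavaScriptCore code: a pointer signed with one modifier only authenticates with the same modifier, so signing the vector pointer with the 1-byte allocation size and authenticating it with sizeInBytes = 0 fails. Real ARM64E pointer authentication is done by the CPU with a hardware-held key; the model below replaces it with a toy keyed tag in the top 16 bits of the pointer value, and the names toy_pac, Contents, tryAllocate, dataPointer and release are assumptions made for the example, not JSC identifiers.

```cpp
// Added example, not JavaScriptCore code. Models the ARM64E data-pointer
// signing that JSC's DataType performs on the ArrayBuffer vector pointer, to
// show why signing with allocationSize (1) but authenticating with
// sizeInBytes (0) fails. toy_pac, Contents, tryAllocate, dataPointer and
// release are names assumed for this example, not JSC identifiers.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

namespace toy_pac {

// Toy PAC: a 16-bit keyed tag over (address, modifier), kept in bits 48..63
// of the pointer value. Real ARM64E PAC uses a hardware MAC keyed by the CPU;
// this stand-in is only a model of the sign/authenticate contract and
// provides no security.
constexpr uint64_t kKey = 0x9E3779B97F4A7C15ull;   // assumed fixed "key"
constexpr int kTagShift = 48;
constexpr uint64_t kAddrMask = (1ull << kTagShift) - 1;

inline uint64_t mix(uint64_t x) {                   // splitmix64 finalizer
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ull;
    x ^= x >> 27; x *= 0x94D049BB133111EBull;
    return x ^ (x >> 31);
}

inline uint64_t tag(uint64_t addr, uint64_t modifier) {
    // The modifier enters linearly so that modifiers 0 and 1 always yield
    // different tags in this model (real PAC mixes it nonlinearly).
    return (mix(addr ^ kKey) ^ (modifier * 0x9E37ull)) & 0xFFFFull;
}

// Sign: store tag(addr, modifier) in the top 16 bits of the pointer value.
inline uint64_t sign(const void* p, uint64_t modifier) {
    uint64_t addr = static_cast<uint64_t>(reinterpret_cast<uintptr_t>(p)) & kAddrMask;
    return addr | (tag(addr, modifier) << kTagShift);
}

// Authenticate: recompute the tag with the caller's modifier. Returns the
// plain address on success and 0 on mismatch (real hardware produces a
// poisoned pointer that faults on first use instead).
inline uint64_t auth(uint64_t signedPtr, uint64_t modifier) {
    uint64_t addr = signedPtr & kAddrMask;
    return (signedPtr >> kTagShift) == tag(addr, modifier) ? addr : 0;
}

struct Contents {
    uint64_t signedData = 0;   // models m_data: the signed vector pointer
    size_t sizeInBytes = 0;    // models m_sizeInBytes
    void* raw = nullptr;       // kept only so the example can free the storage
};

// Same shape as ArrayBufferContents::tryAllocate: sizeInBytes may be 0, but
// at least 1 byte is allocated because a null pointer means "neutered".
// signWithAllocationSize = true reproduces the pre-patch behaviour.
inline bool tryAllocate(Contents& c, size_t numElements, size_t elementByteSize,
                        bool signWithAllocationSize) {
    if (elementByteSize && numElements > SIZE_MAX / elementByteSize)
        return false;                                // multiplication overflow
    size_t sizeInBytes = numElements * elementByteSize;
    size_t allocationSize = sizeInBytes ? sizeInBytes : 1;
    void* data = std::malloc(allocationSize);
    if (!data)
        return false;
    std::memset(data, 0, allocationSize);
    c.raw = data;
    c.sizeInBytes = sizeInBytes;
    c.signedData = sign(data, signWithAllocationSize ? allocationSize : sizeInBytes);
    return true;
}

// The accessor always authenticates with sizeInBytes, as the commit describes,
// so the modifier used at signing time must be sizeInBytes as well.
inline void* dataPointer(const Contents& c) {
    return reinterpret_cast<void*>(static_cast<uintptr_t>(auth(c.signedData, c.sizeInBytes)));
}

inline void release(Contents& c) {
    std::free(c.raw);
    c = Contents{};
}

} // namespace toy_pac
```

With signWithAllocationSize = true and a zero-length request, dataPointer() fails authentication (modifier 1 at signing, 0 at use); with false it succeeds. For any non-empty buffer the two modifiers coincide, which is why the bug only shows up for zero-length buffers.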
Diff
Modified: trunk/JSTests/ChangeLog (245621 => 245622)
--- trunk/JSTests/ChangeLog 2019-05-22 17:18:21 UTC (rev 245621)
+++ trunk/JSTests/ChangeLog 2019-05-22 17:21:19 UTC (rev 245622)
@@ -1,3 +1,13 @@
+2019-05-22 Yusuke Suzuki <[email protected]>
+
+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
+ https://bugs.webkit.org/show_bug.cgi?id=198101
+
+ Reviewed by Michael Saboff.
+
+ * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
+ (shouldBe):
+
2019-05-20 Keith Miller <[email protected]>
Cleanup Yarr regexp code around paren contexts.
Added: trunk/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js (0 => 245622)
--- trunk/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js (rev 0)
+++ trunk/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js 2019-05-22 17:21:19 UTC (rev 245622)
@@ -0,0 +1,9 @@
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+var typedArray = new Int8Array();
+shouldBe(typedArray.length, 0);
+var subarray = typedArray.subarray(0, 0);
+shouldBe(subarray.length, 0);
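Review bot: the test reaches the zero-length path only through `new Int8Array()` and `subarray(0, 0)`; a plain `new ArrayBuffer(0)` and a typed array built over it (for example `new Uint8Array(new ArrayBuffer(0))`) would also exercise the same `tryAllocate` path and are worth adding, since that is the constructor the commit message names. A one-line comment at the top of the file noting that the failure is only observable on ARM64E builds (where the mismatched modifier makes authentication fail) would also help, because on other platforms this file passes even before the fix.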
Modified: trunk/Source/_javascript_Core/ChangeLog (245621 => 245622)
--- trunk/Source/_javascript_Core/ChangeLog 2019-05-22 17:18:21 UTC (rev 245621)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-05-22 17:21:19 UTC (rev 245622)
@@ -1,3 +1,21 @@
+2019-05-22 Yusuke Suzuki <[email protected]>
+
+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
+ https://bugs.webkit.org/show_bug.cgi?id=198101
+
+ Reviewed by Michael Saboff.
+
+ When we allocate 0-length ArrayBuffer, we allocate 1 byte storage instead because we would like to ensure that
+ non-neutered ArrayBuffer always have non nullptr. While we allocate a 1 byte storage, this ArrayBuffer says
+ sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1 byte size in the constructor.
+ In ARM64E device, we sign the vector pointer with modifier = 1 (1 byte size), and later we authenticate this
+ pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer.
+
+ In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0 bytes vector pointer.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::tryAllocate):
+
2019-05-21 Ross Kirsling <[email protected]>
[PlayStation] Don't call fcntl.
Modified: trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp (245621 => 245622)
--- trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2019-05-22 17:18:21 UTC (rev 245621)
+++ trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2019-05-22 17:21:19 UTC (rev 245622)
@@ -106,12 +106,13 @@
return;
}
}
- size_t size = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize);
- if (!size)
- size = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered.
+ size_t sizeInBytes = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize);
+ size_t allocationSize = sizeInBytes;
+ if (!allocationSize)
+ allocationSize = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered.
- void* data = "" numElements * elementByteSize);
- m_data = DataType(data, size);
+ void* data = "" allocationSize);
+ m_data = DataType(data, sizeInBytes);
if (!data) {
reset();
return;
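Review bot: `m_data = DataType(data, sizeInBytes);` is constructed before `if (!data)` is checked, so a failed allocation signs a null pointer and then relies on `reset()` to clear it; moving the null check ahead of the `m_data` assignment would avoid ever holding a signed null. The substantive change is right: the accessor authenticates with sizeInBytes, so for an empty buffer the pointer must be signed with modifier 0 rather than the 1-byte allocationSize, and separating `sizeInBytes` from `allocationSize` makes that explicit. Note that the allocator call on the `void* data = ...` lines is garbled in this rendering (the callee appears as an empty string); given the matching `Gigacage::free(Gigacage::Primitive, p)` destructor below, the intended callee is the Gigacage primitive allocator, and the new argument `allocationSize` is the correct one since it carries the 1-byte minimum.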
@@ -118,9 +119,9 @@
}
if (policy == ZeroInitialize)
- memset(data, 0, size);
+ memset(data, 0, allocationSize);
- m_sizeInBytes = numElements * elementByteSize;
+ m_sizeInBytes = sizeInBytes;
RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); };
}
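Review bot: `RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);` runs after the storage has already been allocated and zeroed, so an oversized request is only caught once the memory was committed; if the check above the hunk does not already bound sizeInBytes, the assert should move ahead of the allocation, and if it does, a comment saying this is a redundant sanity check would make the ordering intentional. The `memset(data, 0, allocationSize);` change is correct: allocationSize and sizeInBytes differ only when sizeInBytes is 0, and zeroing allocationSize also clears the 1-byte placeholder, whereas a memset of sizeInBytes would leave it uninitialized.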
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes