Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0db3edf9d8018f0a58765d9e27c625739102f04d
      
https://github.com/WebKit/WebKit/commit/0db3edf9d8018f0a58765d9e27c625739102f04d
  Author: Keith Miller <[email protected]>
  Date:   2025-01-08 (Wed, 08 Jan 2025)

  Changed paths:
    A JSTests/wasm/stress/table-set-to-js-then-grow.js
    M Source/JavaScriptCore/wasm/WasmCallee.cpp
    M Source/JavaScriptCore/wasm/WasmCallee.h
    M Source/JavaScriptCore/wasm/WasmTable.cpp
    M Source/JavaScriptCore/wasm/WasmTable.h

  Log Message:
  -----------
  [Wasm] WasmToJSCallee should hold the boxed as a member for Function Tables
https://bugs.webkit.org/show_bug.cgi?id=285626
rdar://142475225

Reviewed by Yusuke Suzuki and Justin Michaud.

Right now we're using the table's backing store as the boxed callee load location. Tables can grow though, so that address could get realloced and thus be stale, leading to a UAF. This patch puts the boxed load location into the WasmToJSCallee instead. This doesn't increase the effective size of WasmToJSCallee as it's 40 bytes today, so there's an extra 8 bytes from our malloc's atom size.

* JSTests/wasm/stress/table-set-to-js-then-grow.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.type.ri.func.result.i32.import.string_appeared_here.string_appeared_here.func.foo.result.i32.export.string_appeared_here.func.foo.table.table.0.funcref.func.export.string_appeared_here.param.funcref.result.i32.table.grow.table.ref.null.func.i32.const.1.drop.table.table.i32.const.0.local.0.table.grow.table.ref.null.func.i32.const.10.drop.call_indirect.table.type.ri.i32.const.0.foo):
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::WasmToJSCallee::WasmToJSCallee):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmTable.cpp:
(JSC::Wasm::FuncRefTable::setFunction):
* Source/JavaScriptCore/wasm/WasmTable.h:
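The bug class the commit message describes, as an added C++ model that is not WebKit's code: a callee that records the address of a table slot goes stale once the table grows and its backing store is reallocated, while a callee that holds the boxed value as a member does not. `FuncRefTable`, `CalleeBefore` and `CalleeAfter` are assumed stand-ins, not JavaScriptCore types.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for the boxed JS callee value kept in a funcref table slot (assumed).
struct BoxedCallee { uint64_t bits; };

// Minimal model of a growable funcref table: slots live in a heap buffer that
// is reallocated when the table grows past its capacity (assumed model).
struct FuncRefTable {
    std::vector<BoxedCallee> slots;
    void set(size_t i, BoxedCallee v) { slots[i] = v; }
    // Grow beyond the current capacity so a reallocation is forced.
    void grow(size_t extra) { slots.resize(slots.capacity() + extra); }
};

// Before the fix: the callee remembers the ADDRESS of the slot in the table's
// backing store and would load the boxed value from there at call time.
struct CalleeBefore {
    uintptr_t boxedLoadLocation;
    explicit CalleeBefore(const BoxedCallee* slot)
        : boxedLoadLocation(reinterpret_cast<uintptr_t>(slot)) {}
};

// After the fix: the callee owns a copy of the boxed value, so the table's
// backing store may move freely.
struct CalleeAfter {
    BoxedCallee boxed;
    explicit CalleeAfter(BoxedCallee v) : boxed(v) {}
};

// True when the recorded slot address no longer matches the live slot after
// growth, i.e. a load through it would read freed memory.
bool beforeFixGoesStale() {
    FuncRefTable table;
    table.slots.resize(1);
    table.set(0, BoxedCallee{0x1234});
    CalleeBefore callee(&table.slots[0]);
    table.grow(10);  // reallocates; the old buffer is freed
    return callee.boxedLoadLocation != reinterpret_cast<uintptr_t>(&table.slots[0]);
}

// The member copy is unaffected by the reallocation.
uint64_t afterFixValueSurvivesGrow() {
    FuncRefTable table;
    table.slots.resize(1);
    table.set(0, BoxedCallee{0x1234});
    CalleeAfter callee(table.slots[0]);
    table.grow(10);
    return callee.boxed.bits;
}
```

The stale address is only compared, never dereferenced, since reading through it is exactly the use-after-free the patch removes.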

Canonical link: https://commits.webkit.org/288618@main