Title: [143811] trunk/Source/WebCore
Revision: 143811
Author: [email protected]
Date: 2013-02-22 15:37:20 -0800 (Fri, 22 Feb 2013)
Log Message
RenderArena masking has low entropy
https://bugs.webkit.org/show_bug.cgi?id=110394
Reviewed by Oliver Hunt.
No new tests. This is a hardening measure.
* rendering/RenderArena.cpp:
(WebCore::RenderArena::RenderArena):
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/rendering/RenderArena.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (143810 => 143811)
--- trunk/Source/WebCore/ChangeLog 2013-02-22 23:28:06 UTC (rev 143810)
+++ trunk/Source/WebCore/ChangeLog 2013-02-22 23:37:20 UTC (rev 143811)
@@ -1,3 +1,15 @@
+2013-02-22 Justin Schuh <[email protected]>
+
+ RenderArena masking has low entropy
+ https://bugs.webkit.org/show_bug.cgi?id=110394
+
+ Reviewed by Oliver Hunt.
+
+ No new tests. This is a hardening measure.
+
+ * rendering/RenderArena.cpp:
+ (WebCore::RenderArena::RenderArena):
+
2013-02-22 Min Qin <[email protected]>
Fix the overlay play button position on android
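Review bot: the ChangeLog entry under `(WebCore::RenderArena::RenderArena):` says nothing about what actually changed in the constructor, and the title only names the symptom ("masking has low entropy"). A one-line description would make the entry self-contained, e.g. `Seed m_mask from WTF::cryptographicallyRandomValues() instead of the address of fastMalloc, and force the top two bits and the low bit set.`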
Modified: trunk/Source/WebCore/rendering/RenderArena.cpp (143810 => 143811)
--- trunk/Source/WebCore/rendering/RenderArena.cpp 2013-02-22 23:28:06 UTC (rev 143810)
+++ trunk/Source/WebCore/rendering/RenderArena.cpp 2013-02-22 23:37:20 UTC (rev 143811)
@@ -36,9 +36,11 @@
#include "config.h"
#include "RenderArena.h"
+#include <limits>
#include <stdlib.h>
#include <string.h>
#include <wtf/Assertions.h>
+#include <wtf/CryptographicallyRandomNumber.h>
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
@@ -89,10 +91,8 @@
// should immediately crash on the first invalid vtable access for a stale
// RenderObject pointer.
// See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf.
-
- // The bottom bits are predictable because the binary is loaded on a
- // boundary. This just shifts most of those predictable bits out.
- m_mask = ~(reinterpret_cast<uintptr_t>(WTF::fastMalloc) >> 13);
+ WTF::cryptographicallyRandomValues(&m_mask, sizeof(m_mask));
+ m_mask |= (static_cast<uintptr_t>(3) << (std::numeric_limits<uintptr_t>::digits - 2)) | 1;
}
RenderArena::~RenderArena()
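Review bot: the new line `m_mask |= (static_cast<uintptr_t>(3) << (std::numeric_limits<uintptr_t>::digits - 2)) | 1;` has no comment, while the two lines it replaces explained the reasoning behind the old mask; a reader now sees magic constants with no stated purpose. Suggest a short comment tied to the preserved remark above ("should immediately crash on the first invalid vtable access for a stale RenderObject pointer"), stating that a purely random mask could leave a masked stale pointer aligned and inside mapped memory, so the two high bits and the low bit are forced on to keep the masked value misaligned and outside the usable address range. Also worth noting in that comment that `WTF::cryptographicallyRandomValues(&m_mask, sizeof(m_mask))` fills every byte of the mask, so the old concern about predictable low bits from the load address no longer applies.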
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes