On Nov 14, 2012, at 10:05 PM, Ryosuke Niwa <[email protected]> wrote:

> On Wed, Nov 14, 2012 at 9:59 PM, Adam Barth <[email protected]> wrote:
> 
> On Nov 14, 2012 8:59 PM, "Ryosuke Niwa" <[email protected]> wrote:
> >
> > On Wed, Nov 14, 2012 at 8:52 PM, Elliott Sprehn <[email protected]> 
> > wrote:
> >>
> >> I was present for one of the discussions about the exploit and how an 
> >> arena like allocator could have helped at Google. One proposed solution 
> >> was to allocate all the JS typed buffers in an arena.
> >>
> >> Is there a reason we can't just do that? It's much less intrusive to 
> >> allocate ArrayBuffer in an arena than to allocate all DOM objects in one.
> >
> >
> > I don’t think allocating all JS objects in an arena is good enough because 
> > attackers can inject nearly arbitrary sequences of bytes into DOM objects 
> > (e.g. text node).
> 
> The text for a text node is stored in a String, not in the Node object itself.
> 
> Yeah, I guess text node was not a good example. Now that I think about it, we 
> can probably get most of the security benefits of using RenderArena for DOM if we 
> can allocate all strings & JS objects from an arena.

Actual JS objects are already allocated on the GC heap instead of in the malloc 
heap. The question is where the underlying buffer for ArrayBuffer (and for 
String) goes.

Regards,
Maciej
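
As an added illustration of the partitioning discussed above (example code, not WebKit's allocator; the arena names, sizes and functions are assumptions): raw byte buffers such as ArrayBuffer or String backing stores are carved from one arena and fixed-size objects from another, so a freed object slot can only ever be reissued to another object, never refilled with caller-chosen bytes.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical partitioned allocator, not WebKit's code: fixed-size object
 * slots live in one arena, raw byte buffers (ArrayBuffer / String backing
 * stores) in another, so a freed slot is never refilled with caller-chosen bytes. */
#define SLOT_SIZE 64            /* size of every object slot */
#define OBJ_SLOTS 32
#define BUF_BYTES 4096

static uint8_t object_arena[OBJ_SLOTS * SLOT_SIZE];
static uint8_t object_used[OBJ_SLOTS];
static uint8_t buffer_arena[BUF_BYTES];
static size_t  buffer_top;      /* bump pointer into buffer_arena */

/* Hand out the lowest free object slot (what a free list would do). */
void *obj_alloc(void)
{
    for (size_t i = 0; i < OBJ_SLOTS; i++)
        if (!object_used[i]) { object_used[i] = 1; return &object_arena[i * SLOT_SIZE]; }
    return NULL;
}
/* Mark a slot free; it can only be reissued by obj_alloc, never by buf_alloc. */
void obj_free(void *p)
{
    object_used[((uint8_t *)p - object_arena) / SLOT_SIZE] = 0;
}
/* Byte buffers come only from the buffer arena and never from object slots. */
void *buf_alloc(size_t n)
{
    if (buffer_top + n > BUF_BYTES)
        return NULL;
    void *p = &buffer_arena[buffer_top];
    buffer_top += n;
    return p;
}
/* 1 if p points into the object arena, else 0. */
int in_object_arena(const void *p)
{
    uintptr_t q = (uintptr_t)p, lo = (uintptr_t)object_arena;
    return q >= lo && q < lo + sizeof object_arena;
}
/* Free an object, then request a same-sized byte buffer: returns 1 when the
 * buffer lands outside the object arena and the slot goes to the next object. */
int partition_holds(void)
{
    void *o = obj_alloc();
    obj_free(o);
    void *b = buf_alloc(SLOT_SIZE);
    return b != NULL && !in_object_arena(b) && obj_alloc() == o;
}
```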


_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-dev