WebKit Bugzilla
Attachment 357370 Details for Bug 192733: Gigacage runway should immediately follow the primitive cage
Patch: bug-192733-20181214181641.patch (text/plain), 3.27 KB, created by Keith Miller on 2018-12-14 18:16:43 PST
Description: Patch
Filename: bug-192733-20181214181641.patch
MIME Type: text/plain
Creator: Keith Miller
Created: 2018-12-14 18:16:43 PST
Size: 3.27 KB
Flags: patch, obsolete
>Subversion Revision: 239236 >diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog >index dceb4fb0678cd784439007a9ef028c2b42281d86..0e6c2e7def77185091b7f920ef0981aeb024d17e 100644 >--- a/Source/bmalloc/ChangeLog >+++ b/Source/bmalloc/ChangeLog >@@ -1,3 +1,18 @@ >+2018-12-14 Keith Miller <keith_miller@apple.com> >+ >+ Gigacage runway should immediately follow the primitive cage >+ https://bugs.webkit.org/show_bug.cgi?id=192733 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This patch makes sure that the Gigacage runway is always >+ immediately after the primitive cage. Since writing outside the >+ primitive gigacage is likely to be more dangerous than the JSValue >+ cage. The ordering of the cages is still random however. >+ >+ * bmalloc/Gigacage.cpp: >+ (Gigacage::ensureGigacage): >+ > 2018-12-13 Mark Lam <mark.lam@apple.com> > > Verify that tryLargeZeroedMemalignVirtual()'s aligned size and alignment values are valid. >diff --git a/Source/bmalloc/bmalloc/Gigacage.cpp b/Source/bmalloc/bmalloc/Gigacage.cpp >index 4813fe85d8cc7af4fe25f214ebbf852c748cc21a..7beae6ac524e25688b2c099f3f6def6a40d7f450 100644 >--- a/Source/bmalloc/bmalloc/Gigacage.cpp >+++ b/Source/bmalloc/bmalloc/Gigacage.cpp >@@ -99,6 +99,16 @@ struct PrimitiveDisableCallbacks { > Vector<Callback> callbacks; > }; > >+size_t runwaySize(Kind kind) >+{ >+ switch (kind) { >+ case Kind::Primitive: >+ return static_cast<size_t>(GIGACAGE_RUNWAY); >+ case Kind::JSValue: >+ return static_cast<size_t>(0); >+ } >+} >+ > } // anonymous namespace > > void ensureGigacage() >@@ -140,10 +150,10 @@ void ensureGigacage() > > for (Kind kind : shuffledKinds) { > totalSize = bump(kind, alignTo(kind, totalSize)); >+ totalSize += runwaySize(kind); > maxAlignment = std::max(maxAlignment, alignment(kind)); > } >- totalSize += GIGACAGE_RUNWAY; >- >+ > // FIXME: Randomize where this goes. > // https://bugs.webkit.org/show_bug.cgi?id=175245 > void* base = tryVMAllocate(maxAlignment, totalSize); 
>@@ -155,21 +165,20 @@ void ensureGigacage() > BCRASH(); > } > >- if (GIGACAGE_RUNWAY > 0) { >- char* runway = reinterpret_cast<char*>(base) + totalSize - GIGACAGE_RUNWAY; >- // Make OOB accesses into the runway crash. >- vmRevokePermissions(runway, GIGACAGE_RUNWAY); >- } >- >- vmDeallocatePhysicalPages(base, totalSize); >- > size_t nextCage = 0; > for (Kind kind : shuffledKinds) { > nextCage = alignTo(kind, nextCage); > basePtr(kind) = reinterpret_cast<char*>(base) + nextCage; > nextCage = bump(kind, nextCage); >+ if (runwaySize(kind) > 0) { >+ char* runway = reinterpret_cast<char*>(base) + nextCage; >+ // Make OOB accesses into the runway crash. >+ vmRevokePermissions(runway, runwaySize(kind)); >+ nextCage += runwaySize(kind); >+ } > } > >+ vmDeallocatePhysicalPages(base, totalSize); > protectGigacageBasePtrs(); > g_wasEnabled = true; > });
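Review bot: The rationale paragraph in the ChangeLog entry reads as a fragment ("Since writing outside the primitive gigacage is likely to be more dangerous than the JSValue cage."); consider joining it to the preceding sentence and stating the resulting layout explicitly, namely that the runway now sits directly after the primitive cage and the JSValue cage gets no runway at all, which is what the new runwaySize(Kind) in Gigacage.cpp encodes.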
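Review bot: runwaySize(Kind) in the first Gigacage.cpp hunk has no return after the switch, so control can reach the end of a non-void function if Kind ever gains a value (and compilers warn with -Wreturn-type); add `BCRASH(); return 0;` after the closing brace of the switch. The `static_cast<size_t>(0)` for Kind::JSValue can also simply be `0`.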
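Review bot: In the size loop of the `@@ -140,10 +150,10 @@` hunk, `totalSize += runwaySize(kind);` is the intended change, but the removed and re-added blank line just below it (`>-` followed by `>+`) looks like a whitespace-only edit, most likely trailing whitespace on the new empty line; drop it so the hunk carries only the functional change. Also worth a comment: since alignTo(kind, totalSize) runs at the start of the next iteration, the primitive cage's runway may be followed by alignment padding before the next cage, which still satisfies the goal that the runway immediately follows the cage.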
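Review bot: The placement loop in the last hunk recomputes the same layout the size loop computed (alignTo, bump, then runway), so any future drift between the two would silently place a cage or runway beyond the range returned by tryVMAllocate; add an assertion that nextCage == totalSize after the loop (or BCRASH() on mismatch, as the allocation-failure path already does). Within the loop, runwaySize(kind) is evaluated three times per iteration; a local `size_t runway = runwaySize(kind);` would read better. Moving vmDeallocatePhysicalPages(base, totalSize) after the loop preserves the original revoke-then-deallocate order, so no concern there.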