Gigacage runway should immediately follow the primitive cage
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 15 Dec 2018 03:05:59 +0000 (03:05 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 15 Dec 2018 03:05:59 +0000 (03:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=192733

Reviewed by Saam Barati.

This patch makes sure that the Gigacage runway is always
immediately after the primitive cage, since writing outside the
primitive gigacage is likely to be more dangerous than writing outside
the JSValue cage. The ordering of the cages is still random, however.

* bmalloc/Gigacage.cpp:
(Gigacage::ensureGigacage):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239245 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/bmalloc/ChangeLog
Source/bmalloc/bmalloc/Gigacage.cpp

index dceb4fb..95d2a4f 100644 (file)
@@ -1,3 +1,18 @@
+2018-12-14  Keith Miller  <keith_miller@apple.com>
+
+        Gigacage runway should immediately follow the primitive cage
+        https://bugs.webkit.org/show_bug.cgi?id=192733
+
+        Reviewed by Saam Barati.
+
+        This patch makes sure that the Gigacage runway is always
+        immediately after the primitive cage. Since writing outside the
+        primitive gigacage is likely to be more dangerous than the JSValue
+        cage. The ordering of the cages is still random however.
+
+        * bmalloc/Gigacage.cpp:
+        (Gigacage::ensureGigacage):
+
 2018-12-13  Mark Lam  <mark.lam@apple.com>
 
         Verify that tryLargeZeroedMemalignVirtual()'s aligned size and alignment values are valid.
index 4813fe8..3ca3434 100644 (file)
@@ -99,6 +99,18 @@ struct PrimitiveDisableCallbacks {
     Vector<Callback> callbacks;
 };
 
+#if GIGACAGE_ENABLED
+size_t runwaySize(Kind kind)
+{
+    switch (kind) {
+    case Kind::Primitive:
+        return static_cast<size_t>(GIGACAGE_RUNWAY);
+    case Kind::JSValue:
+        return static_cast<size_t>(0);
+    }
+}
+#endif
+
 } // anonymous namespace
 
 void ensureGigacage()
@@ -140,10 +152,10 @@ void ensureGigacage()
             
             for (Kind kind : shuffledKinds) {
                 totalSize = bump(kind, alignTo(kind, totalSize));
+                totalSize += runwaySize(kind);
                 maxAlignment = std::max(maxAlignment, alignment(kind));
             }
-            totalSize += GIGACAGE_RUNWAY;
-            
+
             // FIXME: Randomize where this goes.
             // https://bugs.webkit.org/show_bug.cgi?id=175245
             void* base = tryVMAllocate(maxAlignment, totalSize);
@@ -155,21 +167,20 @@ void ensureGigacage()
                 BCRASH();
             }
 
-            if (GIGACAGE_RUNWAY > 0) {
-                char* runway = reinterpret_cast<char*>(base) + totalSize - GIGACAGE_RUNWAY;
-                // Make OOB accesses into the runway crash.
-                vmRevokePermissions(runway, GIGACAGE_RUNWAY);
-            }
-
-            vmDeallocatePhysicalPages(base, totalSize);
-            
             size_t nextCage = 0;
             for (Kind kind : shuffledKinds) {
                 nextCage = alignTo(kind, nextCage);
                 basePtr(kind) = reinterpret_cast<char*>(base) + nextCage;
                 nextCage = bump(kind, nextCage);
+                if (runwaySize(kind) > 0) {
+                    char* runway = reinterpret_cast<char*>(base) + nextCage;
+                    // Make OOB accesses into the runway crash.
+                    vmRevokePermissions(runway, runwaySize(kind));
+                    nextCage += runwaySize(kind);
+                }
             }
             
+            vmDeallocatePhysicalPages(base, totalSize);
             protectGigacageBasePtrs();
             g_wasEnabled = true;
         });
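Review bot: `runwaySize` (the new function in the first hunk of this file) has no return path after the `switch`, so a `Kind` value outside `Primitive`/`JSValue` falls off the end of a non-void function, which is undefined behaviour in the code that sizes and places the cages; end the function with `BCRASH();` (plus a `return 0;` if BCRASH is not declared noreturn) so an unexpected kind crashes deterministically instead. In the last hunk, `vmDeallocatePhysicalPages(base, totalSize)` now runs after `vmRevokePermissions` has made the runway inaccessible, whereas before this change it ran first; worth confirming that the deallocate call tolerates a sub-range whose permissions have been revoked, since the runway is now inside the range it is handed. The same hunk evaluates `runwaySize(kind)` three times per iteration — a local `const size_t runway = runwaySize(kind);` reads more clearly and makes the placement loop easier to compare against the sizing loop in the preceding hunk, which must stay in lockstep with it. ensureGigacage's body continues past the end of this section.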