Bug 315126
| Summary: | [libpas] Start of compact reservation should be preceded by a guard page | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Marcus Plutowski <marcus_plutowski> |
| Component: | bmalloc | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | ggaren, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Marcus Plutowski
rdar://177469163
The compact reservation in libpas is accessed through compact pointers. Due to how the bounds of the range are computed (offset by pas_compact_heap_reservation_guard_size), the first byte of compact memory is actually accessed via compact-pointer index 2. libpas will never give out indices 0 or 1. However, if someone does manage to zero out a compact pointer, then the resulting index points to the memory immediately before the compact reservation. Unchecked accesses, such as through pas_segregated_directory_data_ptr_load_non_null, will consequently corrupt that memory, which very well may not even be owned by libpas, if it's mapped. This is undesirable and should be fixed as a hardening measure. Adding a guard page will achieve this and convert any issues this may have been causing into crashes that we can detect.
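To make the hardening concrete, the following is an added toy model written for this page; it is not libpas code and does not reproduce libpas's real compact-pointer encoding, guard size or directory layout. It reserves a region whose first page is mapped PROT_NONE, decodes indices relative to the start of that guard (the index unit is chosen so that the first payload byte is index 2, matching the description above), and shows that an unchecked write through a zeroed index traps in a forked child while a checked decoder rejects it. All names (guarded_reservation, decode_unchecked, decode_checked, write_traps) are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy reservation (assumed layout, not libpas's): a PROT_NONE guard page
 * immediately precedes the usable payload. Compact indices are measured from
 * the start of the guard, so low indices land in the guard, not in whatever
 * happens to be mapped before the reservation. */
typedef struct {
    uint8_t *guard;       /* start of the mapping; first guard_size bytes are PROT_NONE */
    uint8_t *payload;     /* first usable byte of the compact reservation */
    size_t guard_size;
    size_t payload_size;
    size_t unit;          /* bytes represented by one compact-index step */
} guarded_reservation;

/* Map guard + payload, then revoke all access on the guard. Returns 0 on success. */
static int reserve_with_guard(guarded_reservation *r, size_t guard_size,
                              size_t payload_size, size_t unit) {
    size_t total = guard_size + payload_size;
    void *p = mmap(NULL, total, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (mprotect(p, guard_size, PROT_NONE) != 0) { munmap(p, total); return -1; }
    r->guard = (uint8_t *)p;
    r->payload = (uint8_t *)p + guard_size;
    r->guard_size = guard_size;
    r->payload_size = payload_size;
    r->unit = unit;
    return 0;
}

static int release_reservation(guarded_reservation *r) {
    return munmap(r->guard, r->guard_size + r->payload_size);
}

/* Lowest index that maps into the payload rather than the guard. */
static size_t first_valid_index(const guarded_reservation *r) {
    return r->guard_size / r->unit;
}

/* Unchecked decode, mirroring a *_non_null style load: no validation at all. */
static uint8_t *decode_unchecked(const guarded_reservation *r, uint32_t index) {
    return r->guard + (size_t)index * r->unit;
}

/* Checked decode: refuses indices that fall in the guard or past the end. */
static uint8_t *decode_checked(const guarded_reservation *r, uint32_t index) {
    size_t offset = (size_t)index * r->unit;
    if (index < first_valid_index(r)) return NULL;
    if (offset >= r->guard_size + r->payload_size) return NULL;
    return r->guard + offset;
}

/* Perform an unchecked write through `index` in a forked child.
 * Returns 1 if the child was killed by SIGSEGV/SIGBUS (the guard caught it),
 * 0 if the write completed silently, -1 on harness error. */
static int write_traps(const guarded_reservation *r, uint32_t index) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile uint8_t *p = decode_unchecked(r, index);
        *p = 0x41;
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) &&
        (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS)) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return -1;
}

int main(void) {
    guarded_reservation r;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    /* One guard page; unit = half a page so the first payload byte is index 2. */
    if (reserve_with_guard(&r, page, 4 * page, page / 2) != 0) return 1;
    printf("first valid index: %zu\n", first_valid_index(&r));
    printf("checked decode of index 0: %s\n", decode_checked(&r, 0) ? "allowed" : "rejected");
    printf("unchecked write via index 0 trapped: %d\n", write_traps(&r, 0));
    printf("unchecked write via index 2 trapped: %d\n", write_traps(&r, 2));
    release_reservation(&r);
    return 0;
}
```

Without the PROT_NONE guard, the index-0 write in the child would land on whatever mapping precedes the reservation and complete silently, which is exactly the silent corruption the description warns about; with the guard it becomes a deterministic crash.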
Marcus Plutowski
Pull request: https://github.com/WebKit/WebKit/pull/65344
EWS
Committed 313747@main (ba26b5242151): <https://commits.webkit.org/313747@main>
Reviewed commits have been landed. Closing PR #65344 and removing active labels.