Bug 181636 - Put some distance between objects from different origins and between objects that have different poisoning rules
Summary: Put some distance between objects from different origins and between objects ...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on: 181559 182217 182220 182226 182227 182843
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-14 09:57 PST by Filip Pizlo
Modified: 2018-02-15 15:15 PST (History)
7 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2018-01-14 09:57:28 PST
Patch forthcoming.
Comment 1 Filip Pizlo 2018-01-14 10:01:37 PST
The idea is that both HeapCellTypes and ThreadLocalCaches will be able to support a security token for allocation.  The LocalAllocator will only select a MarkedBlock for allocation of that MarkedBlock's security tokens match the ones requested by both HeapCellType and ThreadLocalCache.

Then we will move MarkedBlock's header to the end.  Note that MarkedBlock has a split header: part of the header is inline at the start of the MarkedBlock (these are the fields of MarkedBlock itself) and part of it is out-of-line (these are the fields of MarkedBlock::Handle). This is deliberate.  We can move any amount of MarkedBlock::Handle to the end of MarkedBlock.  We can move any amount of MarkedBlock itself to the end of the MarkedBlock allocation.  This creates between 128 and ~400 bytes of padding at the end.

Then we can make sure that LargeAllocation also leaves a similar amount of bytes of padding at the end.

This means that every bounds check is allowed to overflow by the MarkedBlock "footer" size.
Comment 2 Filip Pizlo 2018-01-14 10:07:18 PST
So, in this world, you'll be able to:

1. Specify that your data structs that you're using to hold all of your dangerous ints and unpoisoned pointers has a HeapCellType with a security token that differs from the security tokens of objects directly reachable by the user.

2. Give each JSGlobalObject its own ThreadLocalCache, give each one its own security token, and then context-switch ThreadLocalCaches when switching origins.