Bug 181636 (status: NEW)
Put some distance between objects from different origins and between objects that have different poisoning rules
https://bugs.webkit.org/show_bug.cgi?id=181636
Filip Pizlo
Reported 2018-01-14 09:57:28 PST
Patch forthcoming.
Filip Pizlo
Comment 1 2018-01-14 10:01:37 PST
The idea is that both HeapCellTypes and ThreadLocalCaches will be able to support a security token for allocation. The LocalAllocator will only select a MarkedBlock for allocation if that MarkedBlock's security tokens match the ones requested by both HeapCellType and ThreadLocalCache. Then we will move MarkedBlock's header to the end. Note that MarkedBlock has a split header: part of the header is inline at the start of the MarkedBlock (these are the fields of MarkedBlock itself) and part of it is out-of-line (these are the fields of MarkedBlock::Handle). This is deliberate. We can move any amount of MarkedBlock::Handle to the end of MarkedBlock. We can move any amount of MarkedBlock itself to the end of the MarkedBlock allocation. This creates between 128 and ~400 bytes of padding at the end. Then we can make sure that LargeAllocation also leaves a similar number of bytes of padding at the end. This means that every bounds check is allowed to overflow by the MarkedBlock "footer" size.
Filip Pizlo
Comment 2 2018-01-14 10:07:18 PST
So, in this world, you'll be able to:
1. Specify that the data structs that you're using to hold all of your dangerous ints and unpoisoned pointers have a HeapCellType with a security token that differs from the security tokens of objects directly reachable by the user.
2. Give each JSGlobalObject its own ThreadLocalCache, give each one its own security token, and then context-switch ThreadLocalCaches when switching origins.
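The following is an added toy model of the scheme sketched in comments 1 and 2, written for this page; it is not WebKit code and none of the names below are JavaScriptCore's. It assumes a 4096-byte block, a 256-byte footer, fixed-size cells, and a security token made of a cell-type part (standing in for HeapCellType) and an origin part (standing in for a per-JSGlobalObject ThreadLocalCache). The allocator only places an object in a block whose token matches both parts, and the footer is reserved so that any pointer within the footer size past a cell's end still lies inside the cell's own block.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Toy model only (not WebKit code). Block size, footer size and the shape of
// the security token are assumptions chosen for illustration.

// The token a requester presents: one part from its cell type, one from its
// origin. A block serves a request only if both parts match its own token.
struct SecurityToken {
    uint32_t cellType;
    uint32_t origin;
    bool operator==(const SecurityToken& o) const {
        return cellType == o.cellType && origin == o.origin;
    }
};

constexpr size_t kBlockSize = 4096;   // assumed block size
constexpr size_t kFooterSize = 256;   // assumed: header metadata moved to the end
constexpr size_t kPayloadSize = kBlockSize - kFooterSize;

// Cells occupy [0, kPayloadSize); [kPayloadSize, kBlockSize) is the footer.
// No cell is ever handed out from the footer, so it acts as padding between
// the last cell and whatever follows the block in memory.
struct Block {
    alignas(16) uint8_t storage[kBlockSize];
    size_t cellSize;
    SecurityToken token;
    size_t nextCell = 0;

    size_t cellCount() const { return kPayloadSize / cellSize; }
    bool full() const { return nextCell >= cellCount(); }
    uint8_t* allocate() { return storage + (nextCell++) * cellSize; }
    bool contains(const uint8_t* p) const { return p >= storage && p < storage + kBlockSize; }
};

struct LocalAllocator {
    size_t cellSize;
    std::vector<std::unique_ptr<Block>> blocks;

    explicit LocalAllocator(size_t size) : cellSize(size) {}

    // Select a non-full block whose token matches the request, else open a new one.
    uint8_t* allocate(SecurityToken token) {
        for (auto& b : blocks)
            if (b->token == token && !b->full())
                return b->allocate();
        auto b = std::make_unique<Block>();
        b->cellSize = cellSize;
        b->token = token;
        blocks.push_back(std::move(b));
        return blocks.back()->allocate();
    }

    const Block* blockFor(const uint8_t* p) const {
        for (auto& b : blocks)
            if (b->contains(p))
                return b.get();
        return nullptr;
    }
};

// Bytes past the end of `cell` that still lie inside the cell's own block.
// This is how far a bounds check may overflow without reaching another block;
// for the last cell of a full block it is exactly the footer size.
size_t slackPastCell(const LocalAllocator& alloc, const uint8_t* cell) {
    const Block* b = alloc.blockFor(cell);
    if (!b) return 0;
    const uint8_t* end = cell + b->cellSize;
    return static_cast<size_t>((b->storage + kBlockSize) - end);
}

// Objects from two origins, or from the same origin but a different cell type
// (e.g. internal structs holding unpoisoned pointers), never share a block.
bool differentTokensNeverShareBlock() {
    LocalAllocator alloc(64);
    SecurityToken originA{1, 100}, originB{1, 200}, internalA{2, 100};
    for (int i = 0; i < 100; ++i) {
        uint8_t* a = alloc.allocate(originA);
        uint8_t* b = alloc.allocate(originB);
        uint8_t* c = alloc.allocate(internalA);
        const Block* ba = alloc.blockFor(a);
        const Block* bb = alloc.blockFor(b);
        const Block* bc = alloc.blockFor(c);
        if (ba == bb || ba == bc || bb == bc) return false;
        if (!(ba->token == originA)) return false;
    }
    return true;
}

// Fill one block completely and report the slack past its last cell.
size_t slackPastLastCellOfFullBlock() {
    LocalAllocator alloc(64);
    SecurityToken t{1, 100};
    uint8_t* last = nullptr;
    for (size_t i = 0; i < kPayloadSize / 64; ++i) last = alloc.allocate(t);
    return slackPastCell(alloc, last);
}
```

With a 64-byte cell the payload holds exactly 60 cells, so the last cell ends at the footer boundary and `slackPastLastCellOfFullBlock()` returns the footer size; cells earlier in the block have more slack, never less. The token check in `LocalAllocator::allocate` is what keeps same-origin user-reachable objects, other origins' objects and internal structs in disjoint blocks, so an overflow within the footer size can only land in the same token's block or in the footer.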