315126 – [libpas] Start of compact reservation should be preceded by a guard page

RESOLVED FIXED315126

[libpas] Start of compact reservation should be preceded by a guard page

https://bugs.webkit.org/show_bug.cgi?id=315126

Summary [libpas] Start of compact reservation should be preceded by a guard page

Marcus Plutowski

Reported 2026-05-19 15:04:43 PDT

rdar://177469163 The compact reservation in libpas is accessed through compact pointers. Due to how the bounds of the range are computed (offset by pas_compact_heap_reservation_guard_size) the first byte of compact memory is actually accessed via compact-pointer index 2. libpas will never give out indices 0 or 1. However, if someone does manage to zero out a compact pointer, then the resulting index points to the memory immediately-before the compact reservation. Unchecked accesses, such as through pas_segregated_directory_data_ptr_load_non_null, will consequently corrupt that memory, which very well may not even be owned by libpas, if it’s mapped. This is undesirable and should be fixed as a hardening measure. Adding a guard page will achieve this and convert any issues this may have been causing into crashes that we can detect.

Attachments
Add attachment proposed patch, testcase, etc.

Marcus Plutowski

Comment 1 2026-05-20 16:54:47 PDT

Pull request: https://github.com/WebKit/WebKit/pull/65344

EWS

Comment 2 2026-05-22 11:22:17 PDT

Committed 313747@main (ba26b5242151): <https://commits.webkit.org/313747@main> Reviewed commits have been landed. Closing PR #65344 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component bmalloc

Assignee

Nobody

Reported

2026-05-19 15:04 PDT

Modified

2026-05-22 11:22 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks