WebKit Bugzilla: Attachment 370390 Details for Bug 198101: [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
Patch: bug-198101-20190522024219.patch (text/plain), 4.36 KB, created by Yusuke Suzuki on 2019-05-22 02:42:20 PDT
Description: Patch. Creator: Yusuke Suzuki. Created: 2019-05-22 02:42:20 PDT. Size: 4.36 KB. Flags: patch, obsolete.
>Subversion Revision: 245613 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 1a77084e64e556f53a40130df0a827e0c22876bf..4bff47c7aa00a8d8253fb68fb288af7cb9e0b5b9 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,21 @@ >+2019-05-22 Yusuke Suzuki <ysuzuki@apple.com> >+ >+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes >+ https://bugs.webkit.org/show_bug.cgi?id=198101 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ When we allocate 0-length ArrayBuffer, we allocate 1 byte storage instead because we would like to ensure that >+ non-neutered ArrayBuffer always have non nullptr. While we allocate a 1 byte storage, this ArrayBuffer says >+ sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1 byte size in the constructor. >+ In ARM64E device, we sign the vector pointer with modifier = 1 (1 byte size), and later we authenticate this >+ pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer. >+ >+ In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0 bytes vector pointer. >+ >+ * runtime/ArrayBuffer.cpp: >+ (JSC::ArrayBufferContents::tryAllocate): >+ > 2019-05-21 Ross Kirsling <ross.kirsling@sony.com> > > [PlayStation] Don't call fcntl. >diff --git a/Source/JavaScriptCore/runtime/ArrayBuffer.cpp b/Source/JavaScriptCore/runtime/ArrayBuffer.cpp >index b16ec38f65b397da293c8ff7deecce4c1161a67e..671bdb77132fa69f1e14f75d3bd766bb614c8a6a 100644 >--- a/Source/JavaScriptCore/runtime/ArrayBuffer.cpp >+++ b/Source/JavaScriptCore/runtime/ArrayBuffer.cpp 
>@@ -106,21 +106,22 @@ void ArrayBufferContents::tryAllocate(unsigned numElements, unsigned elementByte > return; > } > } >- size_t size = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize); >- if (!size) >- size = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered. >+ size_t sizeInBytes = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize); >+ size_t allocationSize = sizeInBytes; >+ if (!allocationSize) >+ allocationSize = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered. > >- void* data = Gigacage::tryMalloc(Gigacage::Primitive, numElements * elementByteSize); >- m_data = DataType(data, size); >+ void* data = Gigacage::tryMalloc(Gigacage::Primitive, allocationSize); >+ m_data = DataType(data, sizeInBytes); > if (!data) { > reset(); > return; > } > > if (policy == ZeroInitialize) >- memset(data, 0, size); >+ memset(data, 0, allocationSize); > >- m_sizeInBytes = numElements * elementByteSize; >+ m_sizeInBytes = sizeInBytes; > RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE); > m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); }; > } >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 4e4f88656ac84a3bc0bf726ebf35439d91e305ad..3e7b244bc7006c0e8d5e75afff07a5daa2f45b7b 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,13 @@ >+2019-05-22 Yusuke Suzuki <ysuzuki@apple.com> >+ >+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes >+ https://bugs.webkit.org/show_bug.cgi?id=198101 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added. >+ (shouldBe): >+ > 2019-05-20 Keith Miller <keith_miller@apple.com> > > Cleanup Yarr regexp code around paren contexts. 
>diff --git a/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js b/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js >new file mode 100644 >index 0000000000000000000000000000000000000000..5587d02062ce3417fbe117afba554b72b4025b73 >--- /dev/null >+++ b/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js >@@ -0,0 +1,9 @@ >+function shouldBe(actual, expected) { >+ if (actual !== expected) >+ throw new Error('bad value: ' + actual); >+} >+ >+var typedArray = new Int8Array(); >+shouldBe(typedArray.length, 0); >+var subarray = typedArray.subarray(0, 0); >+shouldBe(subarray.length, 0);
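Review bot: in the ArrayBuffer.cpp hunk, the line `m_data = DataType(data, sizeInBytes);` is the actual fix, yet the only comment in the block explains the malloc side (`allocationSize = 1`); add a one-line comment next to it stating that the signing modifier must be `sizeInBytes`, not `allocationSize`, because `sizeInBytes` is the value the pointer is later authenticated against, so a future refactor does not reintroduce the ARM64E mismatch described in the ChangeLog. A second point worth recording in the ChangeLog: the removed call `Gigacage::tryMalloc(Gigacage::Primitive, numElements * elementByteSize)` multiplied two `unsigned` operands while `size` was computed with `size_t` casts; routing both the allocation and `m_sizeInBytes` through the single `size_t sizeInBytes` removes that inconsistency, and the `RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE)` now checks the same quantity that was signed and allocated.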
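Review bot: the new stress test reaches the zero-length path only through `new Int8Array()` and `typedArray.subarray(0, 0)`; since the ChangeLog frames the bug as a 0-length ArrayBuffer whose storage is signed with modifier 1, consider also constructing `new ArrayBuffer(0)` directly and a zero-length view over it (for example `new Uint8Array(new ArrayBuffer(0))`, asserting `byteLength` is 0), so ArrayBufferContents::tryAllocate is exercised without going through the typed-array constructor. Note also that on builds without ARM64E pointer authentication the test passes trivially, so it only has teeth where the pointer is actually signed and authenticated; a short comment at the top of the file saying so would help whoever next sees it fail only on one architecture.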