Bug 212847

Summary: Make CodeBlockHash robust against unreasonably long source code.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch.
none
proposed patch.
none
proposed patch. none

Description Mark Lam 2020-06-05 14:15:20 PDT 
<rdar://problem/64024279>
Comment 1 Mark Lam 2020-06-05 14:29:09 PDT 
Created attachment 401200 [details]
proposed patch.
Comment 2 Saam Barati 2020-06-05 14:34:18 PDT 
Comment on attachment 401200 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=401200&action=review

> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:51
> +    constexpr int maxSourceCodeLengthToHash = 500 * MB;

should be size_t

> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:59
> +        m_hash = sourceCode.length() ^ 0x2d5a93d0;

could you alternatively just sample 500mb of the source code?
Comment 3 Mark Lam 2020-06-05 15:02:52 PDT 
Comment on attachment 401200 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=401200&action=review

>> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:51
>> +    constexpr int maxSourceCodeLengthToHash = 500 * MB;
> 
> should be size_t

Sadly, sourceCode.length() is an int, which is what made this an int.  But I'll be changing this anyway.

>> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:59
>> +        m_hash = sourceCode.length() ^ 0x2d5a93d0;
> 
> could you alternatively just sample 500mb of the source code?

Will do.
Comment 4 Mark Lam 2020-06-05 15:03:22 PDT 
Created attachment 401204 [details]
proposed patch.
Comment 5 Mark Lam 2020-06-05 15:48:34 PDT 
Created attachment 401210 [details]
proposed patch.
Comment 6 Saam Barati 2020-06-05 16:06:01 PDT 
Comment on attachment 401210 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=401210&action=review

> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:67
> +            UChar character = str[index];

what guarantees this doesn't read OOB?

Why not just make this look at 500*MB characters? Seems more straight forward than this.
Comment 7 Mark Lam 2020-06-05 16:17:32 PDT 
Comment on attachment 401210 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=401210&action=review

>> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:67
>> +            UChar character = str[index];
> 
> what guarantees this doesn't read OOB?
> 
> Why not just make this look at 500*MB characters? Seems more straight forward than this.

Spoke with Saam offline.  Just to make it clear for others, index is guaranteed to be < length, and we're using StringView::length() and StringView::operator[] here.  There's no risk of overflow.  The initial index is always 0, and we know length > 500 MB.  So, no overflow there either.
Comment 8 Mark Lam 2020-06-06 07:09:20 PDT 
Comment on attachment 401210 [details]
proposed patch.

Thanks for the review.  Landing now.
Comment 9 EWS 2020-06-06 07:11:52 PDT 
Committed r262677: <https://trac.webkit.org/changeset/262677>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 401210 [details].