Bug 212847 - Make CodeBlockHash robust against unreasonably long source code.
Summary: Make CodeBlockHash robust against unreasonably long source code.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-06-05 14:15 PDT by Mark Lam
Modified: 2020-06-06 07:11 PDT (History)
6 users (show)

See Also:

Attachments
proposed patch. (3.35 KB, patch)
2020-06-05 14:29 PDT, Mark Lam 		no flags Details | Formatted Diff | Diff
proposed patch. (4.14 KB, patch)
2020-06-05 15:03 PDT, Mark Lam 		no flags Details | Formatted Diff | Diff
proposed patch. (3.56 KB, patch)
2020-06-05 15:48 PDT, Mark Lam 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Lam 2020-06-05 14:15:20 PDT 
<rdar://problem/64024279>
Comment 1 Mark Lam 2020-06-05 14:29:09 PDT 
Created attachment 401200 [details]
proposed patch.
Comment 2 Saam Barati 2020-06-05 14:34:18 PDT 
Comment on attachment 401200 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=401200&action=review

> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:51
> +    constexpr int maxSourceCodeLengthToHash = 500 * MB;

should be size_t

> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:59
> +        m_hash = sourceCode.length() ^ 0x2d5a93d0;

could you alternatively just sample 500mb of the source code?
Comment 3 Mark Lam 2020-06-05 15:02:52 PDT 
Comment on attachment 401200 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=401200&action=review

>> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:51
>> +    constexpr int maxSourceCodeLengthToHash = 500 * MB;
> 
> should be size_t

Sadly, sourceCode.length() is an int, which is what made this an int.  But I'll be changing this anyway.

>> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:59
>> +        m_hash = sourceCode.length() ^ 0x2d5a93d0;
> 
> could you alternatively just sample 500mb of the source code?

Will do.
Comment 4 Mark Lam 2020-06-05 15:03:22 PDT 
Created attachment 401204 [details]
proposed patch.
Comment 5 Mark Lam 2020-06-05 15:48:34 PDT 
Created attachment 401210 [details]
proposed patch.
Comment 6 Saam Barati 2020-06-05 16:06:01 PDT 
Comment on attachment 401210 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=401210&action=review

> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:67
> +            UChar character = str[index];

what guarantees this doesn't read OOB?

Why not just make this look at 500*MB characters? Seems more straight forward than this.
Comment 7 Mark Lam 2020-06-05 16:17:32 PDT 
Comment on attachment 401210 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=401210&action=review

>> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:67
>> +            UChar character = str[index];
> 
> what guarantees this doesn't read OOB?
> 
> Why not just make this look at 500*MB characters? Seems more straight forward than this.

Spoke with Saam offline.  Just to make it clear for others, index is guaranteed to be < length, and we're using StringView::length() and StringView::operator[] here.  There's no risk of overflow.  The initial index is always 0, and we know length > 500 MB.  So, no overflow there either.
Comment 8 Mark Lam 2020-06-06 07:09:20 PDT 
Comment on attachment 401210 [details]
proposed patch.

Thanks for the review.  Landing now.
Comment 9 EWS 2020-06-06 07:11:52 PDT 
Committed r262677: <https://trac.webkit.org/changeset/262677>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 401210 [details].