[sandbox] Sandboxify WasmInstanceObject::memory_start

This field points to the start of the WASM memory buffer for the instance, which is an ArrayBuffer and so guaranteed to be located inside the sandbox if it is enabled. As such, this simply turns the field into a sandboxed pointer field. Bug: chromium:1218005 Change-Id: I847aebf5c29fcf1ab1163809350204db5b685a10 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359630 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#78805}
2021-12-29 19:27:09 +01:00 · 2021-12-29 19:27:09 +01:00 · 09784fa15e
commit 09784fa15e
parent 7437c69093
7 changed files with 34 additions and 3 deletions
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@ -3480,8 +3480,13 @@ void WasmGraphBuilder::InitInstanceCache(
    WasmInstanceCacheNodes* instance_cache) {

  // Load the memory start.
+#ifdef V8_SANDBOXED_POINTERS
+  instance_cache->mem_start =
+      LOAD_MUTABLE_INSTANCE_FIELD(MemoryStart, MachineType::SandboxedPointer());
+#else
  instance_cache->mem_start =
      LOAD_MUTABLE_INSTANCE_FIELD(MemoryStart, MachineType::UintPtr());
+#endif

  // Load the memory size.
  instance_cache->mem_size =
--- a/src/objects/object-macros.h
+++ b/src/objects/object-macros.h
@ -57,6 +57,10 @@

 #define DECL_INT32_ACCESSORS(name) DECL_PRIMITIVE_ACCESSORS(name, int32_t)

+#define DECL_SANDBOXED_POINTER_ACCESSORS(name, type) \
+  DECL_PRIMITIVE_GETTER(name, type)                  \
+  DECL_PRIMITIVE_SETTER(name, type)
+
 #define DECL_RELAXED_INT32_ACCESSORS(name)   \
  inline int32_t name(RelaxedLoadTag) const; \
  inline void set_##name(int32_t value, RelaxedStoreTag);
--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
@ -840,6 +840,9 @@ void LiftoffAssembler::MergeStackWith(CacheState& target, uint32_t arity,
        target.cached_mem_start, instance,
        ObjectAccess::ToTagged(WasmInstanceObject::kMemoryStartOffset),
        sizeof(size_t));
+#ifdef V8_SANDBOXED_POINTERS
+    DecodeSandboxedPointer(target.cached_mem_start);
+#endif
  }
 }

--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@ -2967,6 +2967,9 @@ class LiftoffCompiler {
      memory_start = __ GetUnusedRegister(kGpReg, pinned).gp();
      LOAD_INSTANCE_FIELD(memory_start, MemoryStart, kSystemPointerSize,
                          pinned);
+#ifdef V8_SANDBOXED_POINTERS
+      __ DecodeSandboxedPointer(memory_start);
+#endif
      __ cache_state()->SetMemStartCacheRegister(memory_start);
    }
    return memory_start;
@ -4545,6 +4548,9 @@ class LiftoffCompiler {
    uintptr_t offset = imm.offset;
    Register addr = pinned.set(__ GetUnusedRegister(kGpReg, pinned)).gp();
    LOAD_INSTANCE_FIELD(addr, MemoryStart, kSystemPointerSize, pinned);
+#ifdef V8_SANDBOXED_POINTERS
+    __ DecodeSandboxedPointer(addr);
+#endif
    __ emit_i32_add(addr, addr, index);
    pinned.clear(LiftoffRegister(index));
    LiftoffRegister new_value = pinned.set(__ PopToRegister(pinned));
--- a/src/wasm/wasm-objects-inl.h
+++ b/src/wasm/wasm-objects-inl.h
@ -92,6 +92,18 @@ CAST_ACCESSOR(WasmInstanceObject)
    }                                                                         \
  }

+#define SANDBOXED_POINTER_ACCESSORS(holder, name, type, offset)      \
+  type holder::name() const {                                        \
+    PtrComprCageBase sandbox_base = GetPtrComprCageBase(*this);      \
+    Address value = ReadSandboxedPointerField(offset, sandbox_base); \
+    return reinterpret_cast<type>(value);                            \
+  }                                                                  \
+  void holder::set_##name(type value) {                              \
+    PtrComprCageBase sandbox_base = GetPtrComprCageBase(*this);      \
+    Address addr = reinterpret_cast<Address>(value);                 \
+    WriteSandboxedPointerField(offset, sandbox_base, addr);          \
+  }
+
 // WasmModuleObject
 wasm::NativeModule* WasmModuleObject::native_module() const {
  return managed_native_module().raw();
@ -188,7 +200,8 @@ bool WasmGlobalObject::SetFuncRef(Isolate* isolate, Handle<Object> value) {
 }

 // WasmInstanceObject
-PRIMITIVE_ACCESSORS(WasmInstanceObject, memory_start, byte*, kMemoryStartOffset)
+SANDBOXED_POINTER_ACCESSORS(WasmInstanceObject, memory_start, byte*,
+                            kMemoryStartOffset)
 PRIMITIVE_ACCESSORS(WasmInstanceObject, memory_size, size_t, kMemorySizeOffset)
 PRIMITIVE_ACCESSORS(WasmInstanceObject, isolate_root, Address,
                    kIsolateRootOffset)
--- a/src/wasm/wasm-objects.cc
+++ b/src/wasm/wasm-objects.cc
@ -1177,7 +1177,7 @@ Handle<WasmInstanceObject> WasmInstanceObject::New(
      isolate->factory()->NewFixedArray(num_imported_functions);
  instance->set_imported_function_refs(*imported_function_refs);

-  instance->SetRawMemory(nullptr, 0);
+  instance->SetRawMemory(reinterpret_cast<byte*>(EmptyBackingStoreBuffer()), 0);
  instance->set_isolate_root(isolate->isolate_root());
  instance->set_stack_limit_address(
      isolate->stack_guard()->address_of_jslimit());
--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@ -335,7 +335,7 @@ class V8_EXPORT_PRIVATE WasmInstanceObject : public JSObject {
  DECL_OPTIONAL_ACCESSORS(wasm_internal_functions, FixedArray)
  DECL_ACCESSORS(managed_object_maps, FixedArray)
  DECL_ACCESSORS(feedback_vectors, FixedArray)
-  DECL_PRIMITIVE_ACCESSORS(memory_start, byte*)
+  DECL_SANDBOXED_POINTER_ACCESSORS(memory_start, byte*)
  DECL_PRIMITIVE_ACCESSORS(memory_size, size_t)
  DECL_PRIMITIVE_ACCESSORS(isolate_root, Address)
  DECL_PRIMITIVE_ACCESSORS(stack_limit_address, Address)