[sandbox] Sandboxify WasmInstanceObject::memory_start
This field points to the start of the WASM memory buffer for the instance, which is an ArrayBuffer and so guaranteed to be located inside the sandbox if it is enabled. As such, this simply turns the field into a sandboxed pointer field. Bug: chromium:1218005 Change-Id: I847aebf5c29fcf1ab1163809350204db5b685a10 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359630 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#78805}
parent
7437c69093
commit
09784fa15e
@ -3480,8 +3480,13 @@ void WasmGraphBuilder::InitInstanceCache(
|
|||||||
WasmInstanceCacheNodes* instance_cache) {
|
WasmInstanceCacheNodes* instance_cache) {
|
||||||
|
|
||||||
// Load the memory start.
|
// Load the memory start.
|
||||||
|
#ifdef V8_SANDBOXED_POINTERS
|
||||||
|
instance_cache->mem_start =
|
||||||
|
LOAD_MUTABLE_INSTANCE_FIELD(MemoryStart, MachineType::SandboxedPointer());
|
||||||
|
#else
|
||||||
instance_cache->mem_start =
|
instance_cache->mem_start =
|
||||||
LOAD_MUTABLE_INSTANCE_FIELD(MemoryStart, MachineType::UintPtr());
|
LOAD_MUTABLE_INSTANCE_FIELD(MemoryStart, MachineType::UintPtr());
|
||||||
|
#endif
|
||||||
|
|
||||||
// Load the memory size.
|
// Load the memory size.
|
||||||
instance_cache->mem_size =
|
instance_cache->mem_size =
|
||||||
|
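Review bot: The `#ifdef V8_SANDBOXED_POINTERS` arm in InitInstanceCache is the only one of the new load sites in this commit that does not call an explicit decode, and nothing says why; a reader comparing it with the Liftoff hunks will wonder whether the decode was forgotten. Presumably `MachineType::SandboxedPointer()` makes the graph builder emit the decode as part of the load, so a one-line comment would settle it: `// The SandboxedPointer machine type decodes the stored offset into a full pointer as part of the load (no separate decode step as in Liftoff).`. The two arms otherwise repeat the whole assignment and differ only in the MachineType argument, so selecting the type under the `#ifdef` and writing the assignment once would be shorter. InitInstanceCache starts before this hunk and continues past it.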
@ -57,6 +57,10 @@
|
|||||||
|
|
||||||
#define DECL_INT32_ACCESSORS(name) DECL_PRIMITIVE_ACCESSORS(name, int32_t)
|
#define DECL_INT32_ACCESSORS(name) DECL_PRIMITIVE_ACCESSORS(name, int32_t)
|
||||||
|
|
||||||
|
#define DECL_SANDBOXED_POINTER_ACCESSORS(name, type) \
|
||||||
|
DECL_PRIMITIVE_GETTER(name, type) \
|
||||||
|
DECL_PRIMITIVE_SETTER(name, type)
|
||||||
|
|
||||||
#define DECL_RELAXED_INT32_ACCESSORS(name) \
|
#define DECL_RELAXED_INT32_ACCESSORS(name) \
|
||||||
inline int32_t name(RelaxedLoadTag) const; \
|
inline int32_t name(RelaxedLoadTag) const; \
|
||||||
inline void set_##name(int32_t value, RelaxedStoreTag);
|
inline void set_##name(int32_t value, RelaxedStoreTag);
|
||||||
|
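Review bot: `DECL_SANDBOXED_POINTER_ACCESSORS` expands to a plain `DECL_PRIMITIVE_GETTER`/`DECL_PRIMITIVE_SETTER` pair, so if `DECL_PRIMITIVE_ACCESSORS` (defined outside this hunk) expands to the same pair, the new macro is a distinct name for an identical declaration and a reader will look in vain for a sandboxing difference here. A comment on the macro would make the split explicit: `// Declares accessors for a pointer field stored in sandboxed (offset) form. The declaration is the same as for a primitive field; the encoding/decoding lives in the SANDBOXED_POINTER_ACCESSORS definition macro.`. Keeping the declaration distinct is still worthwhile, since it lets a header reader see which pointer fields must always point inside the sandbox.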
@ -840,6 +840,9 @@ void LiftoffAssembler::MergeStackWith(CacheState& target, uint32_t arity,
|
|||||||
target.cached_mem_start, instance,
|
target.cached_mem_start, instance,
|
||||||
ObjectAccess::ToTagged(WasmInstanceObject::kMemoryStartOffset),
|
ObjectAccess::ToTagged(WasmInstanceObject::kMemoryStartOffset),
|
||||||
sizeof(size_t));
|
sizeof(size_t));
|
||||||
|
#ifdef V8_SANDBOXED_POINTERS
|
||||||
|
DecodeSandboxedPointer(target.cached_mem_start);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
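Review bot: The raw load of `kMemoryStartOffset` followed by `#ifdef V8_SANDBOXED_POINTERS` / `DecodeSandboxedPointer(...)` / `#endif` is now repeated verbatim at three sites: here in MergeStackWith and in the two LiftoffCompiler hunks (`@ -2967` and `@ -4545`). With the field in encoded form, every site that loads it must also remember the decode, and a future site that loads `MemoryStart` the old way would silently hand an encoded offset to address arithmetic; the compiler will not complain. A small LiftoffAssembler helper that performs the load and the conditional decode together (for example a sandboxed-pointer variant of the instance-field load used here) would keep that invariant in one place and let the three sites shrink to a single call. MergeStackWith starts before this hunk.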
@ -2967,6 +2967,9 @@ class LiftoffCompiler {
|
|||||||
memory_start = __ GetUnusedRegister(kGpReg, pinned).gp();
|
memory_start = __ GetUnusedRegister(kGpReg, pinned).gp();
|
||||||
LOAD_INSTANCE_FIELD(memory_start, MemoryStart, kSystemPointerSize,
|
LOAD_INSTANCE_FIELD(memory_start, MemoryStart, kSystemPointerSize,
|
||||||
pinned);
|
pinned);
|
||||||
|
#ifdef V8_SANDBOXED_POINTERS
|
||||||
|
__ DecodeSandboxedPointer(memory_start);
|
||||||
|
#endif
|
||||||
__ cache_state()->SetMemStartCacheRegister(memory_start);
|
__ cache_state()->SetMemStartCacheRegister(memory_start);
|
||||||
}
|
}
|
||||||
return memory_start;
|
return memory_start;
|
||||||
@ -4545,6 +4548,9 @@ class LiftoffCompiler {
|
|||||||
uintptr_t offset = imm.offset;
|
uintptr_t offset = imm.offset;
|
||||||
Register addr = pinned.set(__ GetUnusedRegister(kGpReg, pinned)).gp();
|
Register addr = pinned.set(__ GetUnusedRegister(kGpReg, pinned)).gp();
|
||||||
LOAD_INSTANCE_FIELD(addr, MemoryStart, kSystemPointerSize, pinned);
|
LOAD_INSTANCE_FIELD(addr, MemoryStart, kSystemPointerSize, pinned);
|
||||||
|
#ifdef V8_SANDBOXED_POINTERS
|
||||||
|
__ DecodeSandboxedPointer(addr);
|
||||||
|
#endif
|
||||||
__ emit_i32_add(addr, addr, index);
|
__ emit_i32_add(addr, addr, index);
|
||||||
pinned.clear(LiftoffRegister(index));
|
pinned.clear(LiftoffRegister(index));
|
||||||
LiftoffRegister new_value = pinned.set(__ PopToRegister(pinned));
|
LiftoffRegister new_value = pinned.set(__ PopToRegister(pinned));
|
||||||
|
@ -92,6 +92,18 @@ CAST_ACCESSOR(WasmInstanceObject)
|
|||||||
} \
|
} \
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define SANDBOXED_POINTER_ACCESSORS(holder, name, type, offset) \
|
||||||
|
type holder::name() const { \
|
||||||
|
PtrComprCageBase sandbox_base = GetPtrComprCageBase(*this); \
|
||||||
|
Address value = ReadSandboxedPointerField(offset, sandbox_base); \
|
||||||
|
return reinterpret_cast<type>(value); \
|
||||||
|
} \
|
||||||
|
void holder::set_##name(type value) { \
|
||||||
|
PtrComprCageBase sandbox_base = GetPtrComprCageBase(*this); \
|
||||||
|
Address addr = reinterpret_cast<Address>(value); \
|
||||||
|
WriteSandboxedPointerField(offset, sandbox_base, addr); \
|
||||||
|
}
|
||||||
|
|
||||||
// WasmModuleObject
|
// WasmModuleObject
|
||||||
wasm::NativeModule* WasmModuleObject::native_module() const {
|
wasm::NativeModule* WasmModuleObject::native_module() const {
|
||||||
return managed_native_module().raw();
|
return managed_native_module().raw();
|
||||||
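Review bot: `SANDBOXED_POINTER_ACCESSORS` defines the getter and setter unconditionally, so the build without `V8_SANDBOXED_POINTERS` relies on `ReadSandboxedPointerField`/`WriteSandboxedPointerField` degrading to a plain load/store; that is not visible here and deserves confirming and stating. The macro also encodes a contract that callers of `set_##name` must honour but that nothing in this hunk documents: the value must lie inside the sandbox (here identified with the pointer-compression cage via `GetPtrComprCageBase`), and in particular `nullptr` is not encodable, which is exactly why `WasmInstanceObject::New` in the `@ -1177` hunk stops passing `nullptr`. Suggested header comment: `// Accessors for a pointer field stored in sandboxed (offset-from-cage-base) form. Values passed to the setter must point inside the sandbox; nullptr and pointers outside it cannot be encoded.`. The two hunks in this file (`@ -92` and `@ -188`) belong together and the comment should sit on the macro definition.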
@ -188,7 +200,8 @@ bool WasmGlobalObject::SetFuncRef(Isolate* isolate, Handle<Object> value) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// WasmInstanceObject
|
// WasmInstanceObject
|
||||||
PRIMITIVE_ACCESSORS(WasmInstanceObject, memory_start, byte*, kMemoryStartOffset)
|
SANDBOXED_POINTER_ACCESSORS(WasmInstanceObject, memory_start, byte*,
|
||||||
|
kMemoryStartOffset)
|
||||||
PRIMITIVE_ACCESSORS(WasmInstanceObject, memory_size, size_t, kMemorySizeOffset)
|
PRIMITIVE_ACCESSORS(WasmInstanceObject, memory_size, size_t, kMemorySizeOffset)
|
||||||
PRIMITIVE_ACCESSORS(WasmInstanceObject, isolate_root, Address,
|
PRIMITIVE_ACCESSORS(WasmInstanceObject, isolate_root, Address,
|
||||||
kIsolateRootOffset)
|
kIsolateRootOffset)
|
||||||
|
@ -1177,7 +1177,7 @@ Handle<WasmInstanceObject> WasmInstanceObject::New(
|
|||||||
isolate->factory()->NewFixedArray(num_imported_functions);
|
isolate->factory()->NewFixedArray(num_imported_functions);
|
||||||
instance->set_imported_function_refs(*imported_function_refs);
|
instance->set_imported_function_refs(*imported_function_refs);
|
||||||
|
|
||||||
instance->SetRawMemory(nullptr, 0);
|
instance->SetRawMemory(reinterpret_cast<byte*>(EmptyBackingStoreBuffer()), 0);
|
||||||
instance->set_isolate_root(isolate->isolate_root());
|
instance->set_isolate_root(isolate->isolate_root());
|
||||||
instance->set_stack_limit_address(
|
instance->set_stack_limit_address(
|
||||||
isolate->stack_guard()->address_of_jslimit());
|
isolate->stack_guard()->address_of_jslimit());
|
||||||
|
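Review bot: Replacing `nullptr` with `EmptyBackingStoreBuffer()` in `SetRawMemory` is required now that `memory_start` is a sandboxed pointer, but the reason is not recorded at the call site and `SetRawMemory` has other callers outside this hunk (memory growth and detachment paths, presumably) that are not shown as updated. Any remaining caller that passes `nullptr`, or any pointer that does not live inside the sandbox, will presumably be rejected by `WriteSandboxedPointerField` at runtime rather than at compile time, so a check inside `SetRawMemory` itself would catch such a slip at its origin. A comment here would at least explain the change: `// memory_start is a sandboxed pointer, so it must point inside the sandbox even for an instance without memory; nullptr does not.`. WasmInstanceObject::New starts before this hunk and continues past it.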
@ -335,7 +335,7 @@ class V8_EXPORT_PRIVATE WasmInstanceObject : public JSObject {
|
|||||||
DECL_OPTIONAL_ACCESSORS(wasm_internal_functions, FixedArray)
|
DECL_OPTIONAL_ACCESSORS(wasm_internal_functions, FixedArray)
|
||||||
DECL_ACCESSORS(managed_object_maps, FixedArray)
|
DECL_ACCESSORS(managed_object_maps, FixedArray)
|
||||||
DECL_ACCESSORS(feedback_vectors, FixedArray)
|
DECL_ACCESSORS(feedback_vectors, FixedArray)
|
||||||
DECL_PRIMITIVE_ACCESSORS(memory_start, byte*)
|
DECL_SANDBOXED_POINTER_ACCESSORS(memory_start, byte*)
|
||||||
DECL_PRIMITIVE_ACCESSORS(memory_size, size_t)
|
DECL_PRIMITIVE_ACCESSORS(memory_size, size_t)
|
||||||
DECL_PRIMITIVE_ACCESSORS(isolate_root, Address)
|
DECL_PRIMITIVE_ACCESSORS(isolate_root, Address)
|
||||||
DECL_PRIMITIVE_ACCESSORS(stack_limit_address, Address)
|
DECL_PRIMITIVE_ACCESSORS(stack_limit_address, Address)
|
||||||
|
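Review bot: The switch to `DECL_SANDBOXED_POINTER_ACCESSORS(memory_start, byte*)` changes the field's invariant (it now stores an in-sandbox offset rather than an arbitrary pointer) but the class declaration carries no comment saying so, and this header is where readers look before calling `set_memory_start` or `SetRawMemory`. Suggested comment above the declaration: `// Stored as a sandboxed pointer: must always point inside the sandbox (an ArrayBuffer backing store, or the empty backing store buffer), never nullptr. Loads of the raw field in generated code must decode it.`. The Liftoff hunks still load the field with `sizeof(size_t)`/`kSystemPointerSize`, which assumes the encoded form keeps the same field width; a note here, or a static_assert next to `kMemoryStartOffset`, would pin that down. The WasmInstanceObject class body extends beyond this hunk.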