[wasm] Pad all WASM memories to the next power of 2 size

Combined with existing masking, provides protection against speculative OOB accesses. R=clemensh@chromium.org Bug: chromium:798964 Change-Id: Ib7cdc8bccc6d22b8b45896c63f69cb647deba383 Reviewed-on: https://chromium-review.googlesource.com/856980 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#50448}
2018-01-09 15:10:45 +01:00 · 2018-01-09 15:10:45 +01:00 · ae45cc1f5c
commit ae45cc1f5c
parent 826a6e7fbd
2 changed files with 10 additions and 2 deletions
--- a/src/wasm/wasm-limits.h
+++ b/src/wasm/wasm-limits.h
@ -45,6 +45,9 @@ static_assert(kV8MaxWasmMemoryPages <= kSpecMaxWasmMemoryPages,
              "v8 should not be more permissive than the spec");
 constexpr size_t kSpecMaxWasmTableSize = 0xFFFFFFFFu;

+// TODO(titzer): move WASM page size constant here.
+constexpr size_t kV8MaxWasmMemoryBytes = kV8MaxWasmMemoryPages * 65536;
+
 constexpr uint64_t kWasmMaxHeapOffset =
    static_cast<uint64_t>(
        std::numeric_limits<uint32_t>::max())  // maximum base value
--- a/src/wasm/wasm-memory.cc
+++ b/src/wasm/wasm-memory.cc
@ -86,10 +86,15 @@ void* TryAllocateBackingStore(Isolate* isolate, size_t size,

    return memory;
  } else {
+    // TODO(titzer): use guard regions for minicage and merge with above code.
+    CHECK_LE(size, kV8MaxWasmMemoryBytes);
+    *allocation_length =
+        base::bits::RoundUpToPowerOfTwo32(static_cast<uint32_t>(size));
    void* memory =
-        size == 0 ? nullptr : isolate->array_buffer_allocator()->Allocate(size);
+        size == 0
+            ? nullptr
+            : isolate->array_buffer_allocator()->Allocate(*allocation_length);
    *allocation_base = memory;
-    *allocation_length = size;
    return memory;
  }
 }