Title: [138293] trunk/Source/WTF
Revision
138293
Author
oli...@apple.com
Date
2012-12-20 13:35:56 -0800 (Thu, 20 Dec 2012)

Log Message

Harden pointers in FastMalloc's singly linked list implementation
https://bugs.webkit.org/show_bug.cgi?id=105571

Reviewed by Gavin Barraclough.

Add simple xor based hardening of the next pointer in the
fast malloc singly linked list implementation.  We rely on
ASLR to introduce the address randomness we want for the mask.
Happily this produces a very low cost random value to use.

* wtf/FastMalloc.cpp:
(WTF):
(WTF::SLL_Next):
(WTF::SLL_SetNext):
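The XOR hardening the log message describes, as an added example that is not part of this commit or of WebKit's own code: a toy singly linked free list in C that keeps the link in the first word of each free block and masks it with the address of a static object, the same trick as the patch. It shows the push/pop round trip, what a use-after-free overwrite of the link word hands the allocator before and after masking, and the caveat that one leaked link word whose plaintext is known recovers the process-wide mask. All names here (ll_mask, sll_*, raw_next, target_object, the demo functions) are this example's own and not from FastMalloc.cpp.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not WebKit code. A toy singly linked free list that keeps
 * its "next" link in the first word of every free block, the way TCMalloc's
 * SLL_* helpers do, with the same XOR hardening the patch adds. The key is
 * the address of a static object, so in a PIE build ASLR changes it per run;
 * nothing here depends on its value beyond it being non-zero. */

static const char kLLHardeningMask = 0;        /* same trick as the patch */

static uintptr_t ll_mask(void) { return (uintptr_t)&kLLHardeningMask; }

/* XOR is its own inverse, so masking and unmasking are the same operation. */
static void *mask_ptr(void *p) { return (void *)((uintptr_t)p ^ ll_mask()); }

/* Hardened accessors, equivalent to SLL_Next / SLL_SetNext after the patch. */
static void *sll_next(void *t)              { return mask_ptr(*(void **)t); }
static void  sll_set_next(void *t, void *n) { *(void **)t = mask_ptr(n); }
/* What the read side looked like before the patch. */
static void *raw_next(void *t)              { return *(void **)t; }

static void  sll_push(void **list, void *e) { sll_set_next(e, *list); *list = e; }
static void *sll_pop(void **list) {
    void *r = *list;
    if (r) *list = sll_next(r);
    return r;
}

/* Stands in for whatever the attacker wants the allocator to hand out. */
static char target_object[16];

/* Returns 1 if push/pop round-trips and the end-of-list marker is stored
 * masked (the terminator word in memory is mask ^ 0, i.e. the mask, not 0). */
int demo_roundtrip(void) {
    static void *blocks[3][4];            /* three pointer-aligned "free" blocks */
    void *list = NULL;
    for (int i = 0; i < 3; i++) sll_push(&list, blocks[i]);
    if (*(uintptr_t *)blocks[0] != ll_mask()) return 0;
    if (sll_pop(&list) != blocks[2]) return 0;
    if (sll_pop(&list) != blocks[1]) return 0;
    if (sll_pop(&list) != blocks[0]) return 0;
    return sll_pop(&list) == NULL;
}

/* Classic freelist poisoning through a dangling pointer: block A sits at the
 * head, the attacker writes target_object over A's link word, A is then
 * allocated, and the new head (what the *next* allocation returns) is
 * whatever A's link decodes to. */
void *pop_after_poison(int hardened) {
    static void *blockA[4], *blockB[4];
    void *list = NULL;
    sll_push(&list, blockB);
    sll_push(&list, blockA);              /* A -> B -> end */
    *(void **)blockA = target_object;     /* the use-after-free write */
    void *a = list;
    list = hardened ? sll_next(a) : raw_next(a);
    return list;                          /* unhardened: target; hardened: target ^ mask */
}

/* Caveat: the mask is one process-wide constant. An attacker who can read
 * A's link word and already knows B's address (an info leak) recovers the
 * mask as word ^ B and encodes the target so that it decodes exactly. */
void *pop_after_informed_poison(void) {
    static void *blockA[4], *blockB[4];
    void *list = NULL;
    sll_push(&list, blockB);
    sll_push(&list, blockA);
    uintptr_t leaked = *(uintptr_t *)blockA;
    uintptr_t mask = leaked ^ (uintptr_t)blockB;
    *(void **)blockA = (void *)((uintptr_t)target_object ^ mask);
    return sll_next(list);
}

int main(void) {
    printf("round trip ok: %d\n", demo_roundtrip());
    printf("target %p, blind poison unhardened -> %p, hardened -> %p, informed -> %p\n",
           (void *)target_object, pop_after_poison(0), pop_after_poison(1),
           pop_after_informed_poison());
    return 0;
}
```

Build it as a position-independent executable (gcc -std=c99 -fPIE -pie) and run it twice to see the mask move with ASLR. Note that ASLR relocates the image at page granularity, so on a 4 KiB page system the low 12 bits of the mask are fixed by the link layout and do not vary between runs; the entropy that protects the list lives in the higher bits only.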

Modified Paths

Diff

Modified: trunk/Source/WTF/ChangeLog (138292 => 138293)


--- trunk/Source/WTF/ChangeLog	2012-12-20 21:22:29 UTC (rev 138292)
+++ trunk/Source/WTF/ChangeLog	2012-12-20 21:35:56 UTC (rev 138293)
@@ -1,3 +1,20 @@
+2012-12-20  Oliver Hunt  <oli...@apple.com>
+
+        Harden pointers in FastMalloc's singly linked list implementation
+        https://bugs.webkit.org/show_bug.cgi?id=105571
+
+        Reviewed by Gavin Barraclough.
+
+        Add simple xor based hardening of the next pointer in the
+        fast malloc singly linked list implementation.  We rely on
+        ASLR to introduce the address randomness we want for the mask.
+        Happily this produces a very low cost random value to use.
+
+        * wtf/FastMalloc.cpp:
+        (WTF):
+        (WTF::SLL_Next):
+        (WTF::SLL_SetNext):
+
 2012-12-19  Oliver Hunt  <oli...@apple.com>
 
         StringImpl isolatedCopy unnecessarily copies text-segment character data
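Review bot: the ChangeLog entry lists only (WTF), (WTF::SLL_Next) and (WTF::SLL_SetNext) under wtf/FastMalloc.cpp, but the patch also introduces the ENABLE_TCMALLOC_HARDENING switch and the MASK_PTR/UNMASK_PTR macros around kLLHardeningMask; naming those in the entry would let a reader of the log alone see that the hardening is compile-time gated and where the mask comes from.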

Modified: trunk/Source/WTF/wtf/FastMalloc.cpp (138292 => 138293)


--- trunk/Source/WTF/wtf/FastMalloc.cpp	2012-12-20 21:22:29 UTC (rev 138292)
+++ trunk/Source/WTF/wtf/FastMalloc.cpp	2012-12-20 21:35:56 UTC (rev 138293)
@@ -100,6 +100,11 @@
 #define FORCE_SYSTEM_MALLOC 1
 #endif
 
+// Harden the pointers stored in the TCMalloc linked lists
+#if COMPILER(GCC)
+#define ENABLE_TCMALLOC_HARDENING 1
+#endif
+
 // Use a background thread to periodically scavenge memory to release back to the system
 #if PLATFORM(IOS)
 #define USE_BACKGROUND_THREAD_TO_SCAVENGE_MEMORY 0
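Review bot: the `#if COMPILER(GCC)` gate around `#define ENABLE_TCMALLOC_HARDENING 1` leaves every non-GCC build with unhardened free lists, and the comment does not say why the restriction exists. If the only reason is the `typeof(ptr)` used in MASK_PTR/UNMASK_PTR further down, say so in the comment, or replace `typeof` with a cast every supported compiler accepts so the hardening is enabled everywhere rather than silently only on one toolchain.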
@@ -496,6 +501,23 @@
 #define MESSAGE LOG_ERROR
 #define CHECK_CONDITION ASSERT
 
+#if ENABLE(TCMALLOC_HARDENING)
+/*
+ * To make it harder to exploit use-after free style exploits
+ * we mask the addresses we put into our linked lists with the
+ * address of kLLHardeningMask.  Due to ASLR the address of
+ * kLLHardeningMask should be sufficiently randomized to make direct
+ * freelist manipulation much more difficult.
+ */
+static const char kLLHardeningMask = 0;
+#define MASK_PTR(ptr) (reinterpret_cast<typeof(ptr)>(reinterpret_cast<uintptr_t>(ptr)^reinterpret_cast<uintptr_t>(&kLLHardeningMask)))
+#define UNMASK_PTR(ptr) (reinterpret_cast<typeof(ptr)>(reinterpret_cast<uintptr_t>(ptr)^reinterpret_cast<uintptr_t>(&kLLHardeningMask)))
+#else
+#define MASK_PTR(ptr) (ptr)
+#define UNMASK_PTR(ptr) (ptr)
+#endif
+
+
 //-------------------------------------------------------------------
 // Configuration
 //-------------------------------------------------------------------
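Review bot: MASK_PTR and UNMASK_PTR have identical bodies (XOR with the same key is its own inverse), so define `UNMASK_PTR(ptr)` as `MASK_PTR(ptr)` to keep them from drifting apart. The comment also overstates what the mask buys: the address of kLLHardeningMask is one process-wide constant equal to the image base plus a fixed link-time offset, so with page-granular ASLR its low-order bits are known from the binary, and any read of one masked link word whose plaintext the attacker can infer (for example the link of a free block adjacent to one they control) yields the whole mask, after which direct freelist manipulation is back to its previous difficulty. Worth wording the comment as "requires an additional information leak" rather than "much more difficult", and noting that `typeof` is a GCC extension, which is presumably why the feature is gated on COMPILER(GCC) above.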
@@ -662,11 +684,11 @@
 // storage.
 
 static inline void *SLL_Next(void *t) {
-  return *(reinterpret_cast<void**>(t));
+  return UNMASK_PTR(*(reinterpret_cast<void**>(t)));
 }
 
 static inline void SLL_SetNext(void *t, void *n) {
-  *(reinterpret_cast<void**>(t)) = n;
+  *(reinterpret_cast<void**>(t)) = MASK_PTR(n);
 }
 
 static inline void SLL_Push(void **list, void *element) {
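Review bot: after this hunk a null next pointer is stored as MASK_PTR(0), i.e. the address of kLLHardeningMask, so the terminator word in a free block is no longer zero in memory, and any code that compares the raw link word against NULL or reads/writes it with a bare `*(reinterpret_cast<void**>(t))` instead of SLL_Next/SLL_SetNext will now see masked values. Only these two accessors are converted here; please confirm that every other direct access to the link word elsewhere in FastMalloc.cpp (including any validation or debug walks of the lists) goes through the accessors, otherwise the lists will be corrupted on the first such path rather than hardened.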
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
