1 /* | 1 /* |
2 * Copyright (C) 2003 Apple Computer, Inc. | 2 * Copyright (C) 2003 Apple Computer, Inc. |
3 * Copyright (C) Research In Motion Limited 2010. All rights reserved. | 3 * Copyright (C) Research In Motion Limited 2010. All rights reserved. |
4 * | 4 * |
5 * Portions are Copyright (C) 1998 Netscape Communications Corporation. | 5 * Portions are Copyright (C) 1998 Netscape Communications Corporation. |
6 * | 6 * |
7 * This library is free software; you can redistribute it and/or | 7 * This library is free software; you can redistribute it and/or |
8 * modify it under the terms of the GNU Lesser General Public | 8 * modify it under the terms of the GNU Lesser General Public |
9 * License as published by the Free Software Foundation; either | 9 * License as published by the Free Software Foundation; either |
10 * version 2.1 of the License, or (at your option) any later version. | 10 * version 2.1 of the License, or (at your option) any later version. |
29 * version of this file under the LGPL, indicate your decision by | 29 * version of this file under the LGPL, indicate your decision by |
30 * deletingthe provisions above and replace them with the notice and | 30 * deletingthe provisions above and replace them with the notice and |
31 * other provisions required by the MPL or the GPL, as the case may be. | 31 * other provisions required by the MPL or the GPL, as the case may be. |
32 * If you do not delete the provisions above, a recipient may use your | 32 * If you do not delete the provisions above, a recipient may use your |
33 * version of this file under any of the LGPL, the MPL or the GPL. | 33 * version of this file under any of the LGPL, the MPL or the GPL. |
34 */ | 34 */ |
35 | 35 |
36 #include "config.h" | 36 #include "config.h" |
37 #include "RenderArena.h" | 37 #include "RenderArena.h" |
38 | 38 |
| 39 #include <limits> |
39 #include <stdlib.h> | 40 #include <stdlib.h> |
40 #include <string.h> | 41 #include <string.h> |
41 #include <wtf/Assertions.h> | 42 #include <wtf/Assertions.h> |
| 43 #include <wtf/CryptographicallyRandomNumber.h> |
42 | 44 |
43 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) | 45 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) |
44 | 46 |
45 #ifdef NDEBUG | 47 #ifdef NDEBUG |
46 static void* MaskPtr(void* p, uintptr_t mask) | 48 static void* MaskPtr(void* p, uintptr_t mask) |
47 { | 49 { |
48 return reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(p) ^ mask); | 50 return reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(p) ^ mask); |
49 } | 51 } |
50 #endif | 52 #endif |
51 | 53 |
82 memset(m_recyclers, 0, sizeof(m_recyclers)); | 84 memset(m_recyclers, 0, sizeof(m_recyclers)); |
83 | 85 |
84 // Mask freelist pointers to detect corruption and stop freelist spraying. | 86 // Mask freelist pointers to detect corruption and stop freelist spraying. |
85 // We use an arbitray function and rely on ASLR to randomize it. | 87 // We use an arbitray function and rely on ASLR to randomize it. |
86 // The first value in RenderObject (or any class) is a vtable pointer, which | 88 // The first value in RenderObject (or any class) is a vtable pointer, which |
87 // always overlaps with the next pointer. This change guarantees that the | 89 // always overlaps with the next pointer. This change guarantees that the |
88 // masked vtable/next pointer will never point to valid memory. So, we | 90 // masked vtable/next pointer will never point to valid memory. So, we |
89 // should immediately crash on the first invalid vtable access for a stale | 91 // should immediately crash on the first invalid vtable access for a stale |
90 // RenderObject pointer. | 92 // RenderObject pointer. |
91 // See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf. | 93 // See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf. |
92 | 94 WTF::cryptographicallyRandomValues(&m_mask, sizeof(m_mask)); |
93 // The bottom bits are predictable because the binary is loaded on a | 95 m_mask |= (static_cast<uintptr_t>(3) << (std::numeric_limits<uintptr_t>::dig
its - 2)) | 1; |
94 // boundary. This just shifts most of those predictable bits out. | |
95 m_mask = ~(reinterpret_cast<uintptr_t>(WTF::fastMalloc) >> 13); | |
96 } | 96 } |
97 | 97 |
98 RenderArena::~RenderArena() | 98 RenderArena::~RenderArena() |
99 { | 99 { |
100 FinishArenaPool(&m_pool); | 100 FinishArenaPool(&m_pool); |
101 } | 101 } |
102 | 102 |
103 void* RenderArena::allocate(size_t size) | 103 void* RenderArena::allocate(size_t size) |
104 { | 104 { |
105 ASSERT(size <= gMaxRecycledSize - 32); | 105 ASSERT(size <= gMaxRecycledSize - 32); |
161 size = ROUNDUP(size, sizeof(void*)); | 161 size = ROUNDUP(size, sizeof(void*)); |
162 | 162 |
163 const size_t index = size >> kRecyclerShift; | 163 const size_t index = size >> kRecyclerShift; |
164 void* currentTop = m_recyclers[index]; | 164 void* currentTop = m_recyclers[index]; |
165 m_recyclers[index] = ptr; | 165 m_recyclers[index] = ptr; |
166 *((void**)ptr) = MaskPtr(currentTop, m_mask); | 166 *((void**)ptr) = MaskPtr(currentTop, m_mask); |
167 #endif | 167 #endif |
168 } | 168 } |
169 | 169 |
170 } // namespace WebCore | 170 } // namespace WebCore |
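Review bot: The comment block kept at new lines 87–93 still says the mask comes from "an arbitray function" relying on ASLR, but the new code at lines 94–95 draws it from WTF::cryptographicallyRandomValues and then ORs in the top two bits and bit 0, so the comment now describes the removed fastMalloc-based derivation rather than what the constructor does. I would replace that sentence (fixing the typo too) with something like `// The mask is drawn from the cryptographic RNG; the top two bits and the low bit are forced set so a masked next/vtable pointer is always misaligned and, on 64-bit targets with a canonical-address split, outside the user address space.` The guarantee that the masked pointer "will never point to valid memory" now rests on those forced bits rather than on ASLR, and the comment should say so since that is the whole reason for the `|=`; the address-space part is an inference from the shift by `digits - 2` and should be worded as such if the target set is broader than x86-64. The RenderArena constructor begins outside this hunk, in the collapsed region above line 84.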