Protect heap metadata in Oilpan.

third_party/WebKit/Source/platform/heap/HeapPage.h

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 13 matching lines @@
  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #ifndef HeapPage_h
 #define HeapPage_h
 
+#include <stdint.h>
 #include "base/trace_event/memory_allocator_dump.h"
 #include "platform/PlatformExport.h"
 #include "platform/heap/BlinkGC.h"
 #include "platform/heap/GCInfo.h"
 #include "platform/heap/ThreadState.h"
 #include "platform/heap/Visitor.h"
 #include "wtf/AddressSanitizer.h"
 #include "wtf/Allocator.h"
 #include "wtf/Assertions.h"
 #include "wtf/ContainerAnnotations.h"
 #include "wtf/Forward.h"
 #include "wtf/allocator/Partitions.h"
-#include <stdint.h>
 
 namespace blink {
 
 const size_t blinkPageSizeLog2 = 17;
 const size_t blinkPageSize = 1 << blinkPageSizeLog2;
 const size_t blinkPageOffsetMask = blinkPageSize - 1;
 const size_t blinkPageBaseMask = ~blinkPageOffsetMask;
 
 // We allocate pages at random addresses but in groups of
 // blinkPagesPerRegion at a given random address. We group pages to
@@ skipping 60 matching lines @@
 #else
 #define SET_MEMORY_INACCESSIBLE(address, size) memset((address), 0, (size))
 #define SET_MEMORY_ACCESSIBLE(address, size) \
   do {                                       \
   } while (false)
 #define CHECK_MEMORY_INACCESSIBLE(address, size) \
   do {                                           \
   } while (false)
 #endif
 
-#if !DCHECK_IS_ON() && CPU(64BIT)
-#define USE_4BYTE_HEADER_PADDING 1
-#else
-#define USE_4BYTE_HEADER_PADDING 0
-#endif
-
 class NormalPageArena;
 class PageMemory;
 
 // HeapObjectHeader is 4 byte (32 bit) that has the following layout:
 //
 // | gcInfoIndex (14 bit) |
 // | DOM mark bit (1 bit) |
 // | size (14 bit)        |
 // | dead bit (1 bit)     |
 // | freed bit (1 bit)    |
@@ skipping 29 matching lines @@
     nonLargeObjectPageSizeMax >= blinkPageSize,
     "max size supported by HeapObjectHeader must at least be blinkPageSize");
 
 class PLATFORM_EXPORT HeapObjectHeader {
   DISALLOW_NEW_EXCEPT_PLACEMENT_NEW();
 
  public:
   // If gcInfoIndex is 0, this header is interpreted as a free list header.
   NO_SANITIZE_ADDRESS
   HeapObjectHeader(size_t size, size_t gcInfoIndex) {
-#if DCHECK_IS_ON()
-    m_magic = magic;
-#endif
+    m_magic = getMagic();
     // sizeof(HeapObjectHeader) must be equal to or smaller than
     // allocationGranurarity, because HeapObjectHeader is used as a header
     // for an freed entry.  Given that the smallest entry size is
     // allocationGranurarity, HeapObjectHeader must fit into the size.
     static_assert(
         sizeof(HeapObjectHeader) <= allocationGranularity,
         "size of HeapObjectHeader must be smaller than allocationGranularity");
 #if CPU(64BIT)

[sof, 2017/02/11 06:38:10]

To the extent that it is still useful, this static_assert() can now be
unconditionally used.

     static_assert(sizeof(HeapObjectHeader) == 8,
                   "size of HeapObjectHeader must be 8 byte aligned");
 #endif
 
     ASSERT(gcInfoIndex < GCInfoTable::maxIndex);
     ASSERT(size < nonLargeObjectPageSizeMax);
     ASSERT(!(size & allocationMask));
     m_encoded = static_cast<uint32_t>(
         (gcInfoIndex << headerGCInfoIndexShift) | size |
         (gcInfoIndex == gcInfoIndexForFreeListHeader ? headerFreedBitMask : 0));
@@ skipping 23 matching lines @@
   void markWrapperHeader();
   void unmarkWrapperHeader();
   bool isMarked() const;
   void mark();
   void unmark();
 
   Address payload();
   size_t payloadSize();
   Address payloadEnd();
 
-#if DCHECK_IS_ON()
+  // TODO(633030): Make |checkHeader| and |zapMagic| private. This class should
+  // manage its integrity on its own, without requiring outside callers to
+  // explicitly check.
   bool checkHeader() const;
   // Zap magic number with a new magic number that means there was once an
   // object allocated here, but it was freed because nobody marked it during
   // GC.
   void zapMagic();
-#endif
 
   void finalize(Address, size_t);
   static HeapObjectHeader* fromPayload(const void*);
 
-  static const uint16_t magic = 0xfff1;
-  static const uint16_t zappedMagic = 0x4321;
+  static const uint32_t zappedMagic = 0xDEAD4321;
 
  private:
-  uint32_t m_encoded;
-#if DCHECK_IS_ON()
-  uint16_t m_magic;
+  // Returns a random value.

[sof, 2017/02/11 06:38:10]

Just a syntactic issue -- could you declare getMagic() here and define it via an
'inline' below, like we do for other non-trivial methods of this class?

[palmer, 2017/02/14 22:49:50]

Done.

+  //
+  // The implementation gets its randomness from the locations of 2 independent
+  // sources of address space layout randomization: a function in a Chrome
+  // executable image, and a function in an external DLL/so. This implementation
+  // should be fast and small, and should have the benefit of requiring
+  // attackers to discover and use 2 independent weak infoleak bugs, or 1
+  // arbitrary infoleak bug (used twice).
+  uint32_t getMagic() const {
+    const uintptr_t random1 =
+        ~(reinterpret_cast<uintptr_t>(
+              base::trace_event::MemoryAllocatorDump::kNameSize) >>
+          16);
+
+#if OS(WIN)
+    const uintptr_t random2 = ~(reinterpret_cast<uintptr_t>(::ReadFile) << 16);
+#elif OS(POSIX)
+    const uintptr_t random2 = ~(reinterpret_cast<uintptr_t>(::read) << 16);
+#else
+#error OS not supported
 #endif
 
-// In 64 bit architectures, we intentionally add 4 byte padding immediately
-// after the HeapObjectHeader. This is because:
-//
-// | HeapObjectHeader (4 byte)   |  <- 8 byte aligned
-// | padding (4 byte)            |
-// | object payload (8 * n byte) |  <- 8 byte aligned
-//
-// is better than:
-//
-// | HeapObjectHeader (4 byte)   |  <- 4 byte aligned
-// | object payload (8 * n byte) |  <- 8 byte aligned
-// | padding (4 byte)            |  <- 4 byte aligned
-//
-// since the former layout aligns both header and payload to 8 byte.
-#if USE_4BYTE_HEADER_PADDING
- public:
-  uint32_t m_padding;
+#if CPU(64BIT)
+    static_assert(sizeof(uintptr_t) == sizeof(uint64_t),
+                  "uintptr_t is not uint64_t");
+    const uint32_t random = static_cast<uint32_t>(
+        (random1 & 0x0FFFFULL) | ((random2 >> 32) & 0x0FFFF0000ULL));
+#elif CPU(32BIT)
+    static_assert(sizeof(uintptr_t) == sizeof(uint32_t),
+                  "uintptr_t is not uint32_t");
+    const uint32_t random = (random1 & 0x0FFFFUL) | (random2 & 0xFFFF0000UL);
+#else
+#error architecture not supported
 #endif
+
+    return random;
+  }
+
+  uint32_t m_magic;
+  uint32_t m_encoded;
 };
 
 class FreeListEntry final : public HeapObjectHeader {
  public:
   NO_SANITIZE_ADDRESS
   explicit FreeListEntry(size_t size)
       : HeapObjectHeader(size, gcInfoIndexForFreeListHeader), m_next(nullptr) {
 #if DCHECK_IS_ON()
     ASSERT(size >= sizeof(HeapObjectHeader));
     zapMagic();
@@ skipping 565 matching lines @@
 NO_SANITIZE_ADDRESS inline size_t HeapObjectHeader::size() const {
   size_t result = m_encoded & headerSizeMask;
   // Large objects should not refer to header->size().
   // The actual size of a large object is stored in
   // LargeObjectPage::m_payloadSize.
   ASSERT(result != largeObjectSizeInHeader);
   ASSERT(!pageFromObject(this)->isLargeObjectPage());
   return result;
 }
 
-#if DCHECK_IS_ON()
 NO_SANITIZE_ADDRESS inline bool HeapObjectHeader::checkHeader() const {
-  return m_magic == magic;
+  return m_magic == getMagic();
 }
-#endif
 
 inline Address HeapObjectHeader::payload() {
   return reinterpret_cast<Address>(this) + sizeof(HeapObjectHeader);
 }
 
 inline Address HeapObjectHeader::payloadEnd() {
   return reinterpret_cast<Address>(this) + size();
 }
 
 NO_SANITIZE_ADDRESS inline size_t HeapObjectHeader::payloadSize() {
@@ skipping 67 matching lines @@
   return outOfLineAllocate(allocationSize, gcInfoIndex);
 }
 
 inline NormalPageArena* NormalPage::arenaForNormalPage() const {
   return static_cast<NormalPageArena*>(arena());
 }
 
 }  // namespace blink
 
 #endif  // HeapPage_h