| 文件 | 最后提交记录 | 最后更新时间 |
|---|---|---|
[fuzzilli] Convert fuzzilli native function into an extension This untangles the fuzzilli function from the d8 shell such that other embedders can make use of it and implement their own fuzzing REPRL. Change-Id: Ie0554f06cac756b6b53d9517986c5d241fa4d5f3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5093856 Reviewed-by: Samuel Groß <saelo@chromium.org> Commit-Queue: Carl Smith <cffsmith@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/main@{#91448} | 2 年前 | |
[sandbox][fuzzing] Add support for fuzzing with hardware sandboxing This CL now makes it possible to fuzz coverage-instrumented builds with hardware sandboxing enabled. For that, we need to make the coverage bitmap and edge guards sandbox-accessible as they are written to in sandboxed-execution mode, for example when executing sandboxed C++ code. Bug: 350324877 Change-Id: Ib19b2ca8dc595c63c722199498b036e21b13ede6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6874323 Auto-Submit: Samuel Groß <saelo@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#101989} | 10 个月前 | |
[sandbox][fuzzing] Add support for fuzzing with hardware sandboxing This CL now makes it possible to fuzz coverage-instrumented builds with hardware sandboxing enabled. For that, we need to make the coverage bitmap and edge guards sandbox-accessible as they are written to in sandboxed-execution mode, for example when executing sandboxed C++ code. Bug: 350324877 Change-Id: Ib19b2ca8dc595c63c722199498b036e21b13ede6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6874323 Auto-Submit: Samuel Groß <saelo@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#101989} | 10 个月前 | |
[sandbox] Introduce AbortWithSandboxViolation Normally, for sandbox testing/fuzzing, we ignore Abort(), CHECK() etc. as these represent controlled (and therefore safe) crashes. However, there are cases where we can detect a compromised state, but only too late to reliably mitigate exploitation. For these cases, we now introduce a new AbortWithSandboxViolation function which can be used to crash but still report a sandbox violation during fuzzing. One specific use case is the interpreter executing an unknown bytecode. This typically means that we're executing arbitrary bytecode, and just happen to execute an invalid opcode. However, as the bytecode may be attacker-controlled, this is likely an exploitable condition. Prior to this change, our sandbox fuzzers would not treat this as a sandbox violation as we'd crash with a nullptr deref. With this CL, we now use AbortWithSandboxViolation to report this appropriately. Bug: 461681036 Change-Id: I7afee7bf7c762cae6ffd7b8515c693e8e1401466 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7203123 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103959} | 7 个月前 | |
[base] Clean up Vector construction and conversion Allow converting Vector<T> and Vector<const T> to Vector<const U> if T* converts to const U* and T and U have the same size. As long as we do not write to the U pointer, this is safe. And we cannot write because we only allow this for const U*. Also audit Vector construction and remove unneeded casts and redundant template arguments, sometimes by switching to VectorOf`. R=jkummerow@chromium.org Change-Id: I76cfa7328ac5adc210fbe1c662716968ca58ecf8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5913528 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#96566} | 1 年前 |
| 文件 | 最后提交记录 | 最后更新时间 |
|---|---|---|
| 2 年前 | ||
| 10 个月前 | ||
| 10 个月前 | ||
| 7 个月前 | ||
| 1 年前 |