| 文件 | 最后提交记录 | 最后更新时间 |
|---|---|---|
[sandbox] Improve formating of src/sandbox/GLOSSARY.md We now force line breaks with <br> to ensure the individual blocks are nicely formatted in a markdown viewer. We also now make the item names ("Summary", "Implementation", etc.) bold instead of italic. Change-Id: I49a909512a73cef3c7a522e5fd0a798b18439b79 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5103871 Auto-Submit: Samuel Groß <saelo@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#91436} | 2 年前 | |
[sandbox] add sroettger@ to sandbox/OWNERS Change-Id: I39656b52ff1ed946d7aee649fbc5851401ef0590 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6109517 Commit-Queue: Stephen Röttger <sroettger@google.com> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#97912} | 1 年前 | |
sandbox-testing: Fix typos. I tried --sandbox-testing today and there was a typo. This patch fixes all of them. Bug: None Change-Id: I4f9b306c1ce7eb7852cdcc2ce595906ccc624fcc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097997 Reviewed-by: Samuel Groß <saelo@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#97855} | 1 年前 | |
[iwyu] Fix includes and declarations for inl headers inl headers should include their non-inl counterpart first, and the non-inl header should declare the functions defined in the inl header. This CL fixes a few places which violated these rules. This is not complete, but enough to land the follow-up CL which includes src/execution/isolate-inl.h from src/execution/isolate-utils-inl.h. R=mlippautz@chromium.org Bug: 396607238 Change-Id: Ia877b38829aa870bc7dd71e4b319608db0d6b252 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6276458 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#98797} | 1 年前 | |
[iwyu] Fix includes and declarations for inl headers inl headers should include their non-inl counterpart first, and the non-inl header should declare the functions defined in the inl header. This CL fixes a few places which violated these rules. This is not complete, but enough to land the follow-up CL which includes src/execution/isolate-inl.h from src/execution/isolate-utils-inl.h. R=mlippautz@chromium.org Bug: 396607238 Change-Id: Ia877b38829aa870bc7dd71e4b319608db0d6b252 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6276458 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#98797} | 1 年前 | |
Reland "[sandbox] Build foundation for bytecode verification" This is a reland of commit 4fc454962b371d3e5f94ba8d03f8268a66cf49df Gracefully handle non-initialized BytecodeWrapper in heap verification. Original change's description: > [sandbox] Build foundation for bytecode verification > > This CL creates the foundation for building bytecode verification and > enforcing that all bytecode is verified before use. It does not yet > implement any actual verification, which will be added in future CLs. > > Specifically, we introduce the BytecodeVerifier class that will be able > to verify bytecode in the future. Currently the verification is a no-op. > Then, we modify the BytecodeArray creation machinery to initially create > BytecodeArray objects in an unpublished state (see crrev.com/c/7172412) > and only make them accessible to the sandbox after verification. This > helps ensure that all bytecode is verified prior to use. > > Bug: 461681036 > Change-Id: I024db361f85d4aca24fae9cbd665d29b2b78fd64 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7169863 > Reviewed-by: Michael Lippautz <mlippautz@chromium.org> > Commit-Queue: Samuel Groß <saelo@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/main@{#104003} Bug: 461681036 Change-Id: I1f0262132940a07249721b93b22b62627eb22191 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7209327 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#104007} | 7 个月前 | |
Reland "[sandbox] Build foundation for bytecode verification" This is a reland of commit 4fc454962b371d3e5f94ba8d03f8268a66cf49df Gracefully handle non-initialized BytecodeWrapper in heap verification. Original change's description: > [sandbox] Build foundation for bytecode verification > > This CL creates the foundation for building bytecode verification and > enforcing that all bytecode is verified before use. It does not yet > implement any actual verification, which will be added in future CLs. > > Specifically, we introduce the BytecodeVerifier class that will be able > to verify bytecode in the future. Currently the verification is a no-op. > Then, we modify the BytecodeArray creation machinery to initially create > BytecodeArray objects in an unpublished state (see crrev.com/c/7172412) > and only make them accessible to the sandbox after verification. This > helps ensure that all bytecode is verified prior to use. > > Bug: 461681036 > Change-Id: I024db361f85d4aca24fae9cbd665d29b2b78fd64 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7169863 > Reviewed-by: Michael Lippautz <mlippautz@chromium.org> > Commit-Queue: Samuel Groß <saelo@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/main@{#104003} Bug: 461681036 Change-Id: I1f0262132940a07249721b93b22b62627eb22191 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7209327 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#104007} | 7 个月前 | |
[sandbox] Make SBXCHECK a CHECK on non-sandboxed builds Since the majority of SBXCHECKs are also useful in the case of non-sandboxed builds and given we sometimes convert existing CHECKs to SBXCHECKs simply to communicate intent, we should not disable them on non-sandboxed builds. Change-Id: I50ff486c06a6bbcf1e80f684f96acb13f1fc1d06 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6862992 Auto-Submit: Olivier Flückiger <olivf@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#101946} | 10 个月前 | |
[sandbox] Don't allow to use disabled builtins, pt.2 ... i.e. the ones that belong to features that are not currently enabled. This CL: - adds kDisabledBuiltinEntrypointTag, - adds Code::is_disabled_builtin() flag which is set during RO heap deserialization for disabled JS builtins, - disables builtins by using kDisabledBuiltinEntrypointTag for them instead of kJSEntrypointTag, - initializes preallocated dispatch table entries for disabled builtins with Illegal builtin's Code. Drive-by: - add TEST_WITH_FLAG macro for cctests which need to change flag values before initializing the Isolate, - fixed respective cctests. Bug: 435630464 Change-Id: Ibfd8f66ede06210e79184fde027331775c80634b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7003083 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#102936} | 8 个月前 | |
[sandbox] Introduce GetCurrentIsolateForSandbox This is the safer alternative to GetIsolateForSandbox which reads the isolate from an on-heap object and can thus return an isolate which is not the "current" isolate. As we now include "src/execution/isolate-inl.h" in "src/sandbox/isolate-inl.h" we also need to resolve a few missing includes or missing declarations. R=jkummerow@chromium.org Bug: 396607238, 393402168 Change-Id: I697bb22a92b625868dc69b9054a14218e2002c47 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6276454 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#98791} | 1 年前 | |
[cleanup] Fix inl header includes We have many inl headers which either do not include their non-inl header, or are including other headers first. Both can lead to compile errors because definitions of inline functions might not be visible in inl headers. This CL adds a script to fix those includes, and runs it over the whole code base. R=leszeks@chromium.org Change-Id: I1b7b04c59e5a5b89308512bfc40729f7ec4afc38 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6387805 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#99453} | 1 年前 | |
[isolate-groups][sandbox] Replace CPT global with a per isolate group. This is another small step towards the multiple sandboxes configuration. We move CPT into isolate group so that when we have one sandbox per isolate group we can have multiple CPTs. Bug: 342905186 Change-Id: I629fab94b74c4780ae769da3ddfa840384c8a3e8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5771058 Commit-Queue: Dmitry Bezhetskov <dima00782@gmail.com> Reviewed-by: Stephen Röttger <sroettger@google.com> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#96594} | 1 年前 | |
[ept] All table spaces have the allocate_black flag The allocate_black flag was implemented multiple times in different Space variants, but in the end, all used sub-classes of ExternalEntityTable::Space had it. This CL moves the flag to externalEntityTable::Space, and removes all other implementations. Bug: 452861566 Change-Id: I3b2004e5a8511dcdb47cb18b48962b462f710275 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7068352 Commit-Queue: Andreas Haas <ahaas@google.com> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#103323} | 8 个月前 | |
[sandbox] Introduce CodeEntrypointTag When the sandbox is enabled, a Code's entrypoint pointer is stored in the code pointer table (CPT). Then, any code entrypoint exposed in the CPT can be invoked by an attacker from any place that does a control flow transfer through the CPT. This can be problematic if the calling convention differs between caller and callee. For example, bytecode handlers are currently available through the CPT, but do not expect to be called in the context of e.g. a JavaScript function, and will misbehave if they are. This CL now introduces a CodeEntrypointTag enum to solve this issue: the tag is XORed into the top bits of the entrypoint pointer, and the callsite must then untag the pointer with the expected tag. If the tags mismatch, the pointer will be invalid. For now, there are only two tags: the default tag and the bytecode handler tag. As we never expect to call into a bytecode handler through the CPT, no callsite needs to change as part of this CL. However, in the future we'll likely want to distinguish between e.g. Wasm, RegExp, and JavaScript code, at which point the respective callsites will need to performing the untagging. Bug: chromium:1507800 Change-Id: If0c4c01b402dab631a04213cb7ef588a7d201763 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5130973 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#91660} | 2 年前 | |
Reland^2 "Embedding feedback in BytecodeArray for StrictEqual" This is a reland of commit e295f1f18da01c386eda73f535fb67a56c004d88 Original change's description: > Reland "Embedding feedback in BytecodeArray for StrictEqual" > > This is a reland of commit f0fed41e48b1966e3e565ae278d018da538ef123 > > Original change's description: > > Embedding feedback in BytecodeArray for StrictEqual > > > > This CL removes the feedback vector slot for StrictEqual and stores its feedback values directly in the BytecodeArray. Optimized compilers will now access the type feedback from the BytecodeArray. > > > > Before: > > 75 04 00 TestEqualStrict a1, [0] > > > > After: > > 75 04 00 00 TestEqualStrict a1, #0 > > > > This change saves moemory by reducing FeedbackVector size, and is part of the Sparkplug+ optimization effort. > > > > Bug: chromium:429351411 > > Change-Id: I24390811c12755b0a19beaefe2b0319d75ceaf6c > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6986847 > > Reviewed-by: Xu, Hao A <hao.a.xu@intel.com> > > Commit-Queue: Wei, Yuheng <yuheng.wei@intel.com> > > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> > > Cr-Commit-Position: refs/heads/main@{#103656} > > Bug: chromium:429351411 > Change-Id: I77286b0e9c65f8a9e257a2125adab7f68fe09aec > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7148333 > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> > Commit-Queue: Wei, Yuheng <yuheng.wei@intel.com> > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/main@{#103800} Bug: chromium:429351411 Change-Id: I5020c9dffbed90ff207520728b13cf0dbcfb5903 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7197099 Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Wei, Yuheng <yuheng.wei@intel.com> Cr-Commit-Position: refs/heads/main@{#103962} | 7 个月前 | |
[cleanup] Fix inl header includes We have many inl headers which either do not include their non-inl header, or are including other headers first. Both can lead to compile errors because definitions of inline functions might not be visible in inl headers. This CL adds a script to fix those includes, and runs it over the whole code base. R=leszeks@chromium.org Change-Id: I1b7b04c59e5a5b89308512bfc40729f7ec4afc38 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6387805 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#99453} | 1 年前 | |
[base] Merge SpinningMutex back into Mutex They are now the same; beyond that we can't do ave THREAD_SAFETY_ANALYSIS on a bunch of previous SpinningMutex cases, so we'll need to propagate this into Mutex. Bug: 384940357 Change-Id: Ifbd4ffc4090738455036f32d9a5cf813b9f15781 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6244422 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/main@{#98597} | 1 年前 | |
[cleanup] Delete test-only CppHeapPointerTable method The method WriteLazilyInitializedCppHeapPointerField<> got obsolete during a recent refactoring, and since then was only called in tests. With this CL, the new version of WriteLazilyInitializedCppHeapPointerField is used in the tests, and the obsolete version gets deleted. Change-Id: I79290034ea3cdf9bb360c843ad3767bd6b1861b3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7040944 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#103124} | 8 个月前 | |
[cleanup] Fix inl header includes We have many inl headers which either do not include their non-inl header, or are including other headers first. Both can lead to compile errors because definitions of inline functions might not be visible in inl headers. This CL adds a script to fix those includes, and runs it over the whole code base. R=leszeks@chromium.org Change-Id: I1b7b04c59e5a5b89308512bfc40729f7ec4afc38 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6387805 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#99453} | 1 年前 | |
sandbox: Add table printers behind gn arg v8_enable_object_print This adds the following printers: - %DebugPrintExternalPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintExternalPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. - %DebugPrintCppHeapPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintCppHeapPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. Example: d8> %DebugPrintExternalPointerTable() ExternalPointerTable: +-----------------------------------------+ | Read-only space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 0 | 0 | 0x0000000000000000 | | 1 | 60 | 0x00007ff0aeef5cc0 | | 2 | 60 | 0x00007ff0aeef60e0 | | 3 | 62 | 0x00007ff0aeef0c30 | +-----------------------------------------+ +-----------------------------------------+ | Young space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 10240 | 86 | 0x000056187506d070 | +-----------------------------------------+ +-----------------------------------------+ | Old space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 8192 | 60 | 0x00007ff0b094a390 | | 8193 | 60 | 0x00007ff0b0955d30 | +-----------------------------------------+ Change-Id: I7f9eca246b55c0fee03e301d7f279a741a580785 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7130226 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103608} | 7 个月前 | |
sandbox: Add table printers behind gn arg v8_enable_object_print This adds the following printers: - %DebugPrintExternalPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintExternalPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. - %DebugPrintCppHeapPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintCppHeapPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. Example: d8> %DebugPrintExternalPointerTable() ExternalPointerTable: +-----------------------------------------+ | Read-only space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 0 | 0 | 0x0000000000000000 | | 1 | 60 | 0x00007ff0aeef5cc0 | | 2 | 60 | 0x00007ff0aeef60e0 | | 3 | 62 | 0x00007ff0aeef0c30 | +-----------------------------------------+ +-----------------------------------------+ | Young space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 10240 | 86 | 0x000056187506d070 | +-----------------------------------------+ +-----------------------------------------+ | Old space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 8192 | 60 | 0x00007ff0b094a390 | | 8193 | 60 | 0x00007ff0b0955d30 | +-----------------------------------------+ Change-Id: I7f9eca246b55c0fee03e301d7f279a741a580785 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7130226 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103608} | 7 个月前 | |
[cleanup] Delete test-only CppHeapPointerTable method The method WriteLazilyInitializedCppHeapPointerField<> got obsolete during a recent refactoring, and since then was only called in tests. With this CL, the new version of WriteLazilyInitializedCppHeapPointerField is used in the tests, and the obsolete version gets deleted. Change-Id: I79290034ea3cdf9bb360c843ad3767bd6b1861b3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7040944 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#103124} | 8 个月前 | |
sandbox: Add table printers behind gn arg v8_enable_object_print This adds the following printers: - %DebugPrintExternalPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintExternalPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. - %DebugPrintCppHeapPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintCppHeapPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. Example: d8> %DebugPrintExternalPointerTable() ExternalPointerTable: +-----------------------------------------+ | Read-only space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 0 | 0 | 0x0000000000000000 | | 1 | 60 | 0x00007ff0aeef5cc0 | | 2 | 60 | 0x00007ff0aeef60e0 | | 3 | 62 | 0x00007ff0aeef0c30 | +-----------------------------------------+ +-----------------------------------------+ | Young space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 10240 | 86 | 0x000056187506d070 | +-----------------------------------------+ +-----------------------------------------+ | Old space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 8192 | 60 | 0x00007ff0b094a390 | | 8193 | 60 | 0x00007ff0b0955d30 | +-----------------------------------------+ Change-Id: I7f9eca246b55c0fee03e301d7f279a741a580785 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7130226 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103608} | 7 个月前 | |
sandbox: Add table printers behind gn arg v8_enable_object_print This adds the following printers: - %DebugPrintExternalPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintExternalPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. - %DebugPrintCppHeapPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintCppHeapPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. Example: d8> %DebugPrintExternalPointerTable() ExternalPointerTable: +-----------------------------------------+ | Read-only space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 0 | 0 | 0x0000000000000000 | | 1 | 60 | 0x00007ff0aeef5cc0 | | 2 | 60 | 0x00007ff0aeef60e0 | | 3 | 62 | 0x00007ff0aeef0c30 | +-----------------------------------------+ +-----------------------------------------+ | Young space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 10240 | 86 | 0x000056187506d070 | +-----------------------------------------+ +-----------------------------------------+ | Old space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 8192 | 60 | 0x00007ff0b094a390 | | 8193 | 60 | 0x00007ff0b0955d30 | +-----------------------------------------+ Change-Id: I7f9eca246b55c0fee03e301d7f279a741a580785 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7130226 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103608} | 7 个月前 | |
[api] Add type tags to v8::External API So far, v8::External used a generic type tag to store pointers in the external pointer table. With this CL, new methods are added to v8::External that allow to provide type tags explicitly. Change-Id: I417de2bd0991efc2527badd8f23d1696795debb6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6973466 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#102824} | 9 个月前 | |
[sandbox] Add ExternalPointerTable::DuplicateEntry The method is needed to grow the EmbedderDataArray without knowing the type tags for individual AlignedPointer entries. So far, all AlignedPointer entries used the same tag, but that should change to improve security. Bug: 433909571 Change-Id: I13f9d4fe0f36bab5961e646d8190bf7b49ff3a6f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6806035 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#101770} | 10 个月前 | |
sandbox: Add table printers behind gn arg v8_enable_object_print This adds the following printers: - %DebugPrintExternalPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintExternalPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. - %DebugPrintCppHeapPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintCppHeapPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. Example: d8> %DebugPrintExternalPointerTable() ExternalPointerTable: +-----------------------------------------+ | Read-only space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 0 | 0 | 0x0000000000000000 | | 1 | 60 | 0x00007ff0aeef5cc0 | | 2 | 60 | 0x00007ff0aeef60e0 | | 3 | 62 | 0x00007ff0aeef0c30 | +-----------------------------------------+ +-----------------------------------------+ | Young space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 10240 | 86 | 0x000056187506d070 | +-----------------------------------------+ +-----------------------------------------+ | Old space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 8192 | 60 | 0x00007ff0b094a390 | | 8193 | 60 | 0x00007ff0b0955d30 | +-----------------------------------------+ Change-Id: I7f9eca246b55c0fee03e301d7f279a741a580785 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7130226 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103608} | 7 个月前 | |
sandbox: Add table printers behind gn arg v8_enable_object_print This adds the following printers: - %DebugPrintExternalPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintExternalPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. - %DebugPrintCppHeapPointerTable() Optionally accepts one or two arguments for filtering handles. - %DebugPrintCppHeapPointerTableFilterTag() Optionally accepts one or two arguments for filtering tags. Example: d8> %DebugPrintExternalPointerTable() ExternalPointerTable: +-----------------------------------------+ | Read-only space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 0 | 0 | 0x0000000000000000 | | 1 | 60 | 0x00007ff0aeef5cc0 | | 2 | 60 | 0x00007ff0aeef60e0 | | 3 | 62 | 0x00007ff0aeef0c30 | +-----------------------------------------+ +-----------------------------------------+ | Young space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 10240 | 86 | 0x000056187506d070 | +-----------------------------------------+ +-----------------------------------------+ | Old space | +-----------------------------------------+ | handle | tag | external pointer | +-----------------------------------------+ | 8192 | 60 | 0x00007ff0b094a390 | | 8193 | 60 | 0x00007ff0b0955d30 | +-----------------------------------------+ Change-Id: I7f9eca246b55c0fee03e301d7f279a741a580785 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7130226 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103608} | 7 个月前 | |
[api] Add type tags to v8::External API So far, v8::External used a generic type tag to store pointers in the external pointer table. With this CL, new methods are added to v8::External that allow to provide type tags explicitly. Change-Id: I417de2bd0991efc2527badd8f23d1696795debb6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6973466 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#102824} | 9 个月前 | |
[sandbox] Make Wasm stack memory accessible to sandboxed code This CL makes two pieces of memory accessible to sandboxed code: 1. The memory used for Wasm stacks. As this memory will be used as the stack when executing code after a stack switch, it needs to be accessible just like the default stack. 2. The wasm::StackMemory object. This is an unsafe workaround currently required since the (sandboxed) Wasm stack-switching builtins need to write into the JumpBuffer struct embedded in this object. See https://crbug.com/427946951 for possible options for the proper fix. Bug: 427946951, 350324877 Change-Id: I4150d05fce79ca6f21d8af19f13644547eb214a4 Cq-Include-Trybots: luci.v8.try:v8_linux64_pku_dbg,v8_linux64_pku_rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6678715 Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#101264} | 11 个月前 | |
[sandbox] Don't use signal handlers on older kernels ... ... when hardware sandboxing is active. This is a workaround for an issue in older kernels when delivering signals on an alternate stack on a thread that doesn't have write access to the default pkey. The behavior has been fixed on kernel 6.12, so with this CL, we now check for the current kernel version and disable trap handlers (such as the Wasm trap handler) if the kernel version is too old and we want to use hardware sandboxing. Bug: 429173713, 350324877 Change-Id: I4a0ed92305f3da84c0b6939ad90d8e22d6ffb36b Cq-Include-Trybots: luci.v8.try:v8_linux64_pku_dbg,v8_linux64_pku_rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6703657 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#101234} | 11 个月前 | |
[tagged] Introduce TrustedPointerMember This helper class simplifies defining trusted pointer members in HeapObjectLayout subclasses. Bug: 42202654 Change-Id: I505f9f70a0128899d13a464eda15026f5a435cc0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7181920 Reviewed-by: Samuel Groß <saelo@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#103897} | 7 个月前 | |
[sandbox] Expand trusted object unpublishing mechanism This CL expands the "publishing" mechanism for trusted objects. Previously, we already had a special "unpublished" tag that could be used to make trusted objects inaccessible from within the sandbox. We now expand the machinery around this tag to allow objects to be allocated in an unpublished state and then be published later on. For that, we also fix a bug that previously allowed unpublished objects to still be accessed from inside the sandbox through the kUnknownIndirectPointerTag (used e.g. for the SFI). The new, more flexible unpublishing mechanism will be used in follow-up CLs to make bytecode inaccessible until it has been validated. Drive-By: rename init_self_indirect_pointer to InitAndPublish since this method does non-trivial work and so should probably be uppercased. Bug: 461681036 Change-Id: Iad0224beb89ef1bd625b5cdc51a77cef12642159 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7172412 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103956} | 7 个月前 | |
[tagged] Introduce TrustedPointerMember This helper class simplifies defining trusted pointer members in HeapObjectLayout subclasses. Bug: 42202654 Change-Id: I505f9f70a0128899d13a464eda15026f5a435cc0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7181920 Reviewed-by: Samuel Groß <saelo@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#103897} | 7 个月前 | |
Remove GetIsolateForSandbox(Tagged<HeapObject>) This already has a CHECK that it returns the same as GetCurrentIsolateForSandbox(), so use that instead. R=ishell@chromium.org Bug: 396607238 Change-Id: Ie0de59a49b15ec2a4abdf419e0689a430ee8a3be Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6586570 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#100516} | 1 年前 | |
Remove GetIsolateForSandbox(Tagged<HeapObject>) This already has a CHECK that it returns the same as GetCurrentIsolateForSandbox(), so use that instead. R=ishell@chromium.org Bug: 396607238 Change-Id: Ie0de59a49b15ec2a4abdf419e0689a430ee8a3be Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6586570 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#100516} | 1 年前 | |
[sandbox][maglev] Generate direct calls only to compatible builtins ... i.e. to enabled JS builtins having compatible parameter count and which are not JS trampolines (it doesn't make sense to call them from generated code). NO_IFTTT=Introducing IFTTT, no logical change. Fixed: 454927471 Change-Id: I91914ffe5854b5d2e19b3644c7d28b93d7598e38 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7102180 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#103439} | 8 个月前 | |
[cleanup] remove V8_ENABLE_LEAPTIERING as it's always defined Change-Id: I63421cc19f96e4063178f1ad83b3215f0f2bbbea Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7100740 Reviewed-by: Olivier Flückiger <olivf@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Dan Carney <dcarney@chromium.org> Cr-Commit-Position: refs/heads/main@{#103430} | 8 个月前 | |
[cleanup] remove V8_ENABLE_LEAPTIERING as it's always defined Change-Id: I63421cc19f96e4063178f1ad83b3215f0f2bbbea Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7100740 Reviewed-by: Olivier Flückiger <olivf@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Dan Carney <dcarney@chromium.org> Cr-Commit-Position: refs/heads/main@{#103430} | 8 个月前 | |
[sandbox] Make Wasm tiering budget array accessible to sandboxed code The Wasm tiering_budgets array is updated during execution of Wasm functions and used to make tier-up decisions for Wasm code. Since it is written to directly from Wasm code, it must be accessible in sandboxed execution mode. As the array contains untrusted data (that can safely be corrupted by an attacker), this CL simply moves the array into the sandbox to make it accessible. For that purpose, this CL creates a basic in-sandbox memory allocator based on V8's array buffer allocator implementation. Since that allocator is quite unperformant, the change is currently still behind V8_ENABLE_SANDBOX_HARDWARE_SUPPORT, but we should make this change in all configurations once we have a better in-sandbox memory allocator. Bug: 350324877, 427410040, 427464384 Change-Id: I5860ebf621203ef662bd59b6fb11ecf1babcb650 Cq-Include-Trybots: luci.v8.try:v8_linux64_pku_dbg,v8_linux64_pku_rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6668474 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#101151} | 11 个月前 | |
2026.03.30 arkweb_144代码蓝黄同步 Signed-off-by: jiujiaoxiaogula <sujiahao10@huawei.com> Change-Id: I00194d339064f999dedfc211cd5af5501cbed0fb | 3 个月前 | |
Reland: [sandbox] Add checks to places where we access TypedArrays - part 1 Because of potential ElementsKind switcheroo, we might be pointing outside the sandbox when doing the data + index * element size math, and the sandbox guard region is not big enough to save us. This is still incomplete - other places need similar checks. Bug: 435630461 Change-Id: If5ab3a11c5123718cae8c231dc2e9bce0da21855 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6943372 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Anton Bikineev <bikineev@chromium.org> Auto-Submit: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#102528} | 9 个月前 | |
[cleanup] Fix inl header includes We have many inl headers which either do not include their non-inl header, or are including other headers first. Both can lead to compile errors because definitions of inline functions might not be visible in inl headers. This CL adds a script to fix those includes, and runs it over the whole code base. R=leszeks@chromium.org Change-Id: I1b7b04c59e5a5b89308512bfc40729f7ec4afc38 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6387805 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#99453} | 1 年前 | |
V8 Sandbox rebranding This CL renames a number of things related to the V8 sandbox. Mainly, what used to be under V8_HEAP_SANDBOX is now under V8_SANDBOXED_EXTERNAL_POINTERS, while the previous V8 VirtualMemoryCage is now simply the V8 Sandbox: V8_VIRTUAL_MEMORY_CAGE => V8_SANDBOX V8_HEAP_SANDBOX => V8_SANDBOXED_EXTERNAL_POINTERS V8_CAGED_POINTERS => V8_SANDBOXED_POINTERS V8VirtualMemoryCage => Sandbox CagedPointer => SandboxedPointer fake cage => partially reserved sandbox src/security => src/sandbox This naming scheme should simplify things: the sandbox is now the large region of virtual address space inside which V8 mainly operates and which should be considered untrusted. Mechanisms like sandboxed pointers are then used to attempt to prevent escapes from the sandbox (i.e. corruption of memory outside of it). Furthermore, the new naming scheme avoids the confusion with the various other "cages" in V8, in particular, the VirtualMemoryCage class, by dropping that name entirely. Future sandbox features are developed under their own V8_SANDBOX_X flag, and will, once final, be merged into V8_SANDBOX. Current future features are sandboxed external pointers (using the external pointer table), and sandboxed pointers (pointers guaranteed to point into the sandbox, e.g. because they are encoded as offsets). This CL then also introduces a new build flag, v8_enable_sandbox_future, which enables all future features. Bug: v8:10391 Change-Id: I5174ea8f5ab40fb96a04af10853da735ad775c96 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3322981 Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#78384} | 4 年前 | |
[sandbox] Expand trusted object unpublishing mechanism This CL expands the "publishing" mechanism for trusted objects. Previously, we already had a special "unpublished" tag that could be used to make trusted objects inaccessible from within the sandbox. We now expand the machinery around this tag to allow objects to be allocated in an unpublished state and then be published later on. For that, we also fix a bug that previously allowed unpublished objects to still be accessed from inside the sandbox through the kUnknownIndirectPointerTag (used e.g. for the SFI). The new, more flexible unpublishing mechanism will be used in follow-up CLs to make bytecode inaccessible until it has been validated. Drive-By: rename init_self_indirect_pointer to InitAndPublish since this method does non-trivial work and so should probably be uppercased. Bug: 461681036 Change-Id: Iad0224beb89ef1bd625b5cdc51a77cef12642159 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7172412 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103956} | 7 个月前 | |
TicketNo:DTS2026040312077;DTS2026040207037;DTS2026040207036;DTS2026040135724;DTS2026040135722;DTS2026032818442;DTS2026032530470;DTS2026032530464;DTS2026031327981;DTS2026031222703;DTS2026031222694;DTS2026031222686;DTS2026031222671;DTS2026031222662;DTS2026031222654 Description:【CVE-2026-4450】【487746373】【490642836】【CVE-2026-4457】【488803413】[CVE-2026-4461][490558172][489159859][481749436][491191100][492077213][496629079][472181383][480442279][481295170][485784597][474402856][483220222] Team:v8 Feature or Bugfix:Bugfix Binary Source:No PrivateCode(Yes/No):No Change-Id: Iae84c8fcc36a25b1936ec0997008368f70096cd6 Reviewed-by: y00500721 Approved-by: w00518651 Merged-on: https://open.codehub.huawei.com/OpenSourceCenter_CR/openharmony-tpc/chromium_v8/-/change_requests/534 Merged-by: public pjenkins Signed-off-by: Marja Hölttä <marja@chromium.org> | 1 个月前 | |
[sandbox] Introduce AbortWithSandboxViolation Normally, for sandbox testing/fuzzing, we ignore Abort(), CHECK() etc. as these represent controlled (and therefore safe) crashes. However, there are cases where we can detect a compromised state, but only too late to reliably mitigate exploitation. For these cases, we now introduce a new AbortWithSandboxViolation function which can be used to crash but still report a sandbox violation during fuzzing. One specific use case is the interpreter executing an unknown bytecode. This typically means that we're executing arbitrary bytecode, and just happen to execute an invalid opcode. However, as the bytecode may be attacker-controlled, this is likely an exploitable condition. Prior to this change, our sandbox fuzzers would not treat this as a sandbox violation as we'd crash with a nullptr deref. With this CL, we now use AbortWithSandboxViolation to report this appropriately. Bug: 461681036 Change-Id: I7afee7bf7c762cae6ffd7b8515c693e8e1401466 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7203123 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103959} | 7 个月前 | |
[sandbox] Expand trusted object unpublishing mechanism This CL expands the "publishing" mechanism for trusted objects. Previously, we already had a special "unpublished" tag that could be used to make trusted objects inaccessible from within the sandbox. We now expand the machinery around this tag to allow objects to be allocated in an unpublished state and then be published later on. For that, we also fix a bug that previously allowed unpublished objects to still be accessed from inside the sandbox through the kUnknownIndirectPointerTag (used e.g. for the SFI). The new, more flexible unpublishing mechanism will be used in follow-up CLs to make bytecode inaccessible until it has been validated. Drive-By: rename init_self_indirect_pointer to InitAndPublish since this method does non-trivial work and so should probably be uppercased. Bug: 461681036 Change-Id: Iad0224beb89ef1bd625b5cdc51a77cef12642159 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7172412 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103956} | 7 个月前 | |
[sandbox] Disable TrustedPointerPublishingScope for GC The GC can create new TPT entries. They must not get zapped, even if there's a TrustedPointerPublishingScope on the stack that will fail after whatever operation triggered the GC. Fixed: 395544408 Change-Id: Ia1788973c45e56e233c484abeb58aae27bfb1ad4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6253079 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#98737} | 1 年前 | |
[sandbox] Expand trusted object unpublishing mechanism This CL expands the "publishing" mechanism for trusted objects. Previously, we already had a special "unpublished" tag that could be used to make trusted objects inaccessible from within the sandbox. We now expand the machinery around this tag to allow objects to be allocated in an unpublished state and then be published later on. For that, we also fix a bug that previously allowed unpublished objects to still be accessed from inside the sandbox through the kUnknownIndirectPointerTag (used e.g. for the SFI). The new, more flexible unpublishing mechanism will be used in follow-up CLs to make bytecode inaccessible until it has been validated. Drive-By: rename init_self_indirect_pointer to InitAndPublish since this method does non-trivial work and so should probably be uppercased. Bug: 461681036 Change-Id: Iad0224beb89ef1bd625b5cdc51a77cef12642159 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7172412 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103956} | 7 个月前 | |
[sandbox] Only create the TPT when the sandbox is enabled Previously, we were allocating a trusted pointer table (TPT) when pointer compression was enabled but the sandbox disabled, even though it would never be used in that scenario. Now we only create a TPT when the sandbox is enabled. Bug: chromium:1473677 Change-Id: Iebf863421f042b2dd38c03260a596b971e1bf61b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5057561 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Auto-Submit: Samuel Groß <saelo@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#91199} | 2 年前 | |
[sandbox] Expand trusted object unpublishing mechanism This CL expands the "publishing" mechanism for trusted objects. Previously, we already had a special "unpublished" tag that could be used to make trusted objects inaccessible from within the sandbox. We now expand the machinery around this tag to allow objects to be allocated in an unpublished state and then be published later on. For that, we also fix a bug that previously allowed unpublished objects to still be accessed from inside the sandbox through the kUnknownIndirectPointerTag (used e.g. for the SFI). The new, more flexible unpublishing mechanism will be used in follow-up CLs to make bytecode inaccessible until it has been validated. Drive-By: rename init_self_indirect_pointer to InitAndPublish since this method does non-trivial work and so should probably be uppercased. Bug: 461681036 Change-Id: Iad0224beb89ef1bd625b5cdc51a77cef12642159 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7172412 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#103956} | 7 个月前 |
V8 Sandbox - Readme
A low-overhead, in-process sandbox for V8.
The sandbox limits the impact of typical V8 vulnerabilities by restricting the code executed by V8 to a subset of the process' virtual address space ("the sandbox"), thereby isolating it from the rest of the process. This works purely in software (with options for hardware support, see the respective design document linked below) by effectively converting raw pointers either into offsets from the base of the sandbox or into indices into out-of-sandbox pointer tables. In principle, these mechanisms are very similar to the userland/kernel separation used by modern operating systems (e.g. the unix file descriptor table).
The sandbox assumes that an attacker can arbitrarily and concurrently modify any memory inside the sandbox address space as this primitive can be constructed from typical V8 vulnerabilities. Further, it is assumed that an attacker will be able to read memory outside of the sandbox, for example through hardware side channels. The sandbox then aims to protect the rest of the process from such an attacker. As such, any corruption of memory outside of the sandbox address space is considered a sandbox violation.
Usage
To enable the sandbox, simply use v8_enable_sandbox = true in the gn args.
The sandbox is only available in 64-bit configurations as it requires large
amounts of virtual address space. The sandbox is enabled by default on
supported configurations.
Testing
The sandbox is designed to be testable, both manually and automatically.
To use a "sandbox testing" configurations, two steps are required:
- V8 needs to be build with
v8_enable_memory_corruption_api = true. This will, when sandbox testing mode is enabled, expose a JavaScriptSandboxobject through which memory inside the sandbox can be arbitrarily modified. This API effectively emulates common exploit primitives that can be constructed from a typical V8 vulnerability. - The sandbox testing mode needs to be enabled at runtime via either
--sandbox-testingor--sandbox-fuzzing. This will expose the memory corruption API to JavaScript code and enable the sandbox crash filter, which will filter out uninteresting (for the sandbox) crashes such as access violations inside the sandbox or other unexploitable crashes. Note that the sandbox crash filter is currently only available on Linux.
The following example demonstrates these two parts:
// Create a DataView that can read and write inside the sandbox.
let memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));
// Create an object to corrupt and obtain its address inside the sandbox.
let corruptMe = {};
let addr = Sandbox.getAddressOf(corruptMe);
// Corrupt the object.
memory.setUint32(addr, 0x41414141, true);
memory.setUint32(addr + 4, 0x41414141, true);
memory.setUint32(addr + 8, 0x41414141, true);
// Trigger a crash. The sandbox crash filter will catch it and determine that
// this is _not_ a sandbox violation as it crashes inside the sandbox.
corruptMe.crash();
// The process will now terminate cleanly with a message such as:
// "Caught harmless memory access violation (inside sandbox address space). Exiting process..."
The --sandbox-testing and --sandbox-fuzzing flags are mostly identical. However, with --sandbox-testing, the process will terminate with exit status zero when detecting a harmless crash. As such, tests will be treated as passing if they crash safely such as for example through a CHECK failure. With --sandbox-fuzzing on the other hand, the process instead exits with a non-zero status so that fuzzers can determine that the execution terminated prematurely. Furthermore, the --sandbox-fuzzing requires the memory corruption API to be compiled in while --sandbox-testing can be enabled on any (sandbox-enabled) build. As such, --sandbox-fuzzing should generally be used for fuzzers while --sandbox-testing should be used for most other purposes.
Note that both --sandbox-testing and --sandbox-fuzzing will also report reads outside the sandbox as "sandbox violations". This is not technically true as the sandbox only attempts to prevent writes. However it is both difficult and undesirable to filter out reads, for example because in some cases, the underlying issue may also allow an attacker to perform a write instead.
Resources
The following list contains further resources about the sandbox, in particular various design documents related to it.
- Sandbox Blog Post: Discusses the motivation behind the sandbox and its goals while also briefly covering the high-level design, performance characteristics, and testability aspects of the sandbox.
- High-Level Design Document: Discusses the attacker model, goal, and basic design of the sandbox, while linking to the more specific design documents below where appropriate.
- Sandbox Address Space: Contains additional details about the address space reservation backing the sandbox and how it is allocated.
- Sandboxed Pointers: Discusses the design of sandboxed pointers, which are pointers that are always guaranteed to point into the sandbox and are for example used to reference ArrayBuffer backing stores.
- External Pointer Table: The external pointer table is used to securely reference non-V8 ("external") objects, for example objects owned by the Embedder, from inside the sandbox. This document discusses its design in more detail.
- Code Pointer Sandboxing: Similar to external objects, pointers to executable machine code also needs to be protected. This is done with the help of a dedicated code pointer table, which is discussed in this document.
- Trusted Space: Certain V8 objects are considered trusted and must not be corrupted by an attacker. Examples of such objects include bytecode containers and metadata for JIT-generated code. These objects are protected by allocating them outside of the sandbox in the trusted heap space, then referencing them through another pointer table indirection to ensure memory safe access. This document discusses both of these mechanisms.
- Hardware Support: Instead of the purely software-based sandbox described by the preceeding documents, the sandbox could also be implemented (or augmented) with special hardware support. This document discusses various options for how that may work in practice, what the implications would be, and which requirements the hardware would have to fulfill.