[sandbox] Sandboxify WasmIndirectFunctionTable

The WasmIndirectFunctionTable object used to contain a number of raw pointers to buffers allocated via malloc: the sig_ids and targets fields. As these were raw pointers, they could be abused by an attacker to access memory outside of the sandbox, and thereby break out of it. This CL now simply turns these two buffers into on-heap ByteArrays.

In the future, we'll also need to prevent an attacker from manipulating the contents of these arrays (at least of the targets array, which contains function entrypoints), but we'll need additional sandbox infrastructure before we can do so.

Bug: v8:10391, chromium:1432210
Change-Id: Ide63b241761d97fc110bc7369032e30bc946f295
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4418966
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#87084}
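The following is an added illustration of the property this commit restores, not V8 code: a toy sandbox region, a table object that holds a raw host pointer (the 'before' state, where a corrupted pointer reaches arbitrary process memory), and the same table referencing a buffer that lives inside the sandbox by offset, where every access is validated against the region bounds. The Sandbox, TableWithRawPointer and TableWithInSandboxBuffer types, and the 4096-byte region, are constructed for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>
// Toy sandbox: one contiguous region holding every attacker-corruptible object.
// Memory outside it must stay unreachable even after an in-sandbox corruption.
struct Sandbox {
  std::vector<uint8_t> memory;
  explicit Sandbox(size_t size) : memory(size, 0) {}
  // Resolve an in-sandbox offset, rejecting any range that leaves the region.
  uint8_t* at(size_t offset, size_t len) {
    if (offset > memory.size() || len > memory.size() - offset) throw std::out_of_range("outside sandbox");
    return memory.data() + offset;
  }
};

// Before: raw host pointer in a sandbox-resident object; corrupting 'targets' lets entry() read any process address.
struct TableWithRawPointer {
  uintptr_t* targets;  // malloc'ed buffer living outside the sandbox (never exercised here)
  uintptr_t entry(size_t i) const { return targets[i]; }
};

// After: the buffer lives inside the sandbox (like an on-heap ByteArray) and is
// referenced by offset, so a corrupted offset reaches sandbox memory at most.
struct TableWithInSandboxBuffer {
  size_t targets_offset;  // start of the entries buffer within the sandbox
  size_t count;
  uint8_t* slot(Sandbox& sb, size_t i) const {
    if (i >= count) throw std::out_of_range("index out of range");
    return sb.at(targets_offset + i * sizeof(uintptr_t), sizeof(uintptr_t));
  }
  uintptr_t entry(Sandbox& sb, size_t i) const {
    uintptr_t v; std::memcpy(&v, slot(sb, i), sizeof(v)); return v;
  }
  void set(Sandbox& sb, size_t i, uintptr_t v) const { std::memcpy(slot(sb, i), &v, sizeof(v)); }
};

// Legitimate use: an entry written through the sandbox reads back unchanged.
uintptr_t roundtrip(uintptr_t value) {
  Sandbox sb(4096); TableWithInSandboxBuffer t{64, 4};
  t.set(sb, 2, value); return t.entry(sb, 2);
}

// Corruption case: an attacker-chosen offset near the region's end is refused
// rather than dereferenced past the sandbox. Returns true when contained.
bool corrupted_offset_is_contained() {
  Sandbox sb(4096); TableWithInSandboxBuffer t{sb.memory.size() - 4, 1};
  try { (void)t.entry(sb, 0); return false; } catch (const std::out_of_range&) { return true; }
}
```

The commit's remaining caveat also shows in the model: the offset-based table keeps the attacker out of host memory, but the entries themselves still sit in attacker-reachable sandbox memory, which is why the targets contents need further protection.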
V8 is Google's open source JavaScript engine.
V8 implements ECMAScript as specified in ECMA-262.
V8 is written in C++ and is used in Google Chrome, the open source browser from Google.
V8 can run standalone, or can be embedded into any C++ application.
V8 Project page: https://v8.dev/docs
Check out depot tools, and run
fetch v8
This will check out V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run
git pull origin
gclient sync
For fetching all branches, add the following into your remote configuration in .git/config:
fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
fetch = +refs/tags/*:refs/tags/*
Please follow the instructions mentioned at v8.dev/docs/contribute.