[webkit-changes] [WebKit/WebKit] 0db3ed: [Wasm] WasmToJSCallee should hold the boxed as a m...

Keith Miller noreply at github.com
Wed Jan 8 15:28:43 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0db3edf9d8018f0a58765d9e27c625739102f04d
      https://github.com/WebKit/WebKit/commit/0db3edf9d8018f0a58765d9e27c625739102f04d
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2025-01-08 (Wed, 08 Jan 2025)

  Changed paths:
    A JSTests/wasm/stress/table-set-to-js-then-grow.js
    M Source/JavaScriptCore/wasm/WasmCallee.cpp
    M Source/JavaScriptCore/wasm/WasmCallee.h
    M Source/JavaScriptCore/wasm/WasmTable.cpp
    M Source/JavaScriptCore/wasm/WasmTable.h

  Log Message:
  -----------
  [Wasm] WasmToJSCallee should hold the boxed as a member for Function Tables
https://bugs.webkit.org/show_bug.cgi?id=285626
rdar://142475225

Reviewed by Yusuke Suzuki and Justin Michaud.

Right now we're using the table's backing store as the boxed callee load location. Tables can grow though
so that address could get realloced and thus be stale leading to a UAF. This patch puts the boxed load
location into the WasmToJSCallee instead. This doesn't increase the effective size of WasmToJSCalle as it's
40 bytes today so there's an extra 8 bytes from our malloc's atom size.

* JSTests/wasm/stress/table-set-to-js-then-grow.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.type.ri.func.result.i32.import.string_appeared_here.string_appeared_here.func.foo.result.i32.export.string_appeared_here.func.foo.table.table.0.funcref.func.export.string_appeared_here.param.funcref.result.i32.table.grow.table.ref.null.func.i32.const.1.drop.table.table.i32.const.0.local.0.table.grow.table.ref.null.func.i32.const.10.drop.call_indirect.table.type.ri.i32.const.0.foo):
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::WasmToJSCallee::WasmToJSCallee):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmTable.cpp:
(JSC::Wasm::FuncRefTable::setFunction):
* Source/JavaScriptCore/wasm/WasmTable.h:

Canonical link: https://commits.webkit.org/288618@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list