authorMichael Brüning <michael.bruning@qt.io>2018-08-15 18:19:50 +0200
committerMichael Brüning <michael.bruning@qt.io>2018-08-16 06:15:36 +0000
commita6e2cadce84f19bb1cf56ad98cc0dea223055963 (patch)
tree19a2fc7921d0987bd1de101346f25f27786fbb08
parent3e6d0c72f3e4801a736e0ed6d3eef383e4958987 (diff)
[Backport] Security fix for Chromium bug 860721
Don't throw away bits when computing Blink heap magic. Bug: 860721 Reviewed-on: https://chromium-review.googlesource.com/1132082 Change-Id: I69e6947e3706d17c282933385a09447996d5bd89 Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/platform/heap/HeapPage.h27
1 files changed, 16 insertions, 11 deletions
diff --git a/chromium/third_party/WebKit/Source/platform/heap/HeapPage.h b/chromium/third_party/WebKit/Source/platform/heap/HeapPage.h
index 5e230030736..20674563eba 100644
--- a/chromium/third_party/WebKit/Source/platform/heap/HeapPage.h
+++ b/chromium/third_party/WebKit/Source/platform/heap/HeapPage.h
@@ -1021,35 +1021,40 @@ inline uint32_t GetRandomMagic() {
#pragma warning(disable : 4319)
#endif
- static const uintptr_t random1 = ~(RotateLeft16(reinterpret_cast<uintptr_t>(
+ // Get an ASLR'd address from one of our own DLLs/.sos, and then another from
+ // a system DLL/.so:
+
+ const uint32_t random1 = ~(RotateLeft16(reinterpret_cast<uintptr_t>(
base::trace_event::MemoryAllocatorDump::kNameSize)));
#if defined(OS_WIN)
- static const uintptr_t random2 =
- ~(RotateLeft16(reinterpret_cast<uintptr_t>(::ReadFile)));
-#elif defined(OS_POSIX)
- static const uintptr_t random2 =
- ~(RotateLeft16(reinterpret_cast<uintptr_t>(::read)));
+ uintptr_t random2 = reinterpret_cast<uintptr_t>(::ReadFile);
+#elif defined(OS_POSIX) || defined(OS_FUCHSIA)
+ uintptr_t random2 = reinterpret_cast<uintptr_t>(::read);
#else
-#error OS not supported
+#error platform not supported
#endif
#if defined(ARCH_CPU_64_BITS)
static_assert(sizeof(uintptr_t) == sizeof(uint64_t),
"uintptr_t is not uint64_t");
- static const uint32_t random = static_cast<uint32_t>(
- (random1 & 0x0FFFFULL) | ((random2 >> 32) & 0x0FFFF0000ULL));
+ // Shift in some high-order bits.
+ random2 = random2 >> 16;
#elif defined(ARCH_CPU_32_BITS)
// Although we don't use heap metadata canaries on 32-bit due to memory
// pressure, keep this code around just in case we do, someday.
static_assert(sizeof(uintptr_t) == sizeof(uint32_t),
"uintptr_t is not uint32_t");
- static const uint32_t random =
- (random1 & 0x0FFFFUL) | (random2 & 0xFFFF0000UL);
#else
#error architecture not supported
#endif
+ random2 = ~(RotateLeft16(random2));
+
+ // Combine the 2 values:
+ const uint32_t random = (random1 & 0x0000FFFFUL) |
+ (static_cast<uint32_t>(random2) & 0xFFFF0000UL);
+
#if defined(COMPILER_MSVC)
#pragma warning(pop)
#endif