• Samuel Groß's avatar
    [sandbox] Add new Memory Corruption API · 4a12cb10
    Samuel Groß authored
    When enabled, this API exposes a new global 'Sandbox' object which
    contains a number of functions and objects that in effect emulate
    typical memory corruption primitives constructed by exploits. In
    particular, the 'MemoryView' constructor can construct ArrayBuffers
    instances that can corrupt arbitrary memory inside the sandbox. Further,
    the getAddressOf(obj) and getSizeInBytesOf(obj) functions can be used
    respectively to obtain the address (relative to the base of the sandbox)
    and size of any HeapObject that can be accessed from JavaScript.
    
    This API is useful for testing the sandbox, for example to
    facilitate developing PoC sandbox escapes or writing regression tests.
    In the future, it may also be used by custom V8 sandbox fuzzers.
    
    Bug: v8:12878
    Change-Id: I4e420b2ff28bd834b0693f1546942e51c71bfdda
    Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650718Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
    Commit-Queue: Samuel Groß <saelo@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#80659}
    4a12cb10
sandbox.h 9.82 KB