[sandbox] Sandboxify WasmInstanceObject::memory_start

This field points to the start of the WASM memory buffer for the instance, which is an ArrayBuffer and so guaranteed to be located inside the sandbox if it is enabled. As such, this simply turns the field into a sandboxed pointer field. Bug: chromium:1218005 Change-Id: I847aebf5c29fcf1ab1163809350204db5b685a10 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359630Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#78805}

[sandbox] Sandboxify WasmInstanceObject::memory_start
This field points to the start of the WASM memory buffer for the instance, which is an ArrayBuffer and so guaranteed to be located inside the sandbox if it is enabled. As such, this simply turns the field into a sandboxed pointer field. Bug: chromium:1218005 Change-Id: I847aebf5c29fcf1ab1163809350204db5b685a10 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359630Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#78805}
09784fa1 · Samuel Groß · V8 LUCI CQ · 7437c690 · 09784fa1 · 09784fa1
Commit 09784fa1 authored Dec 29, 2021 by Samuel Groß Committed by V8 LUCI CQ Jan 27, 2022
7 changed files
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -3480,8 +3480,13 @@ void WasmGraphBuilder::InitInstanceCache(
    WasmInstanceCacheNodes* instance_cache) {

  // Load the memory start.
+#ifdef V8_SANDBOXED_POINTERS
+  instance_cache->mem_start =
+      LOAD_MUTABLE_INSTANCE_FIELD(MemoryStart, MachineType::SandboxedPointer());
+#else
  instance_cache->mem_start =
      LOAD_MUTABLE_INSTANCE_FIELD(MemoryStart, MachineType::UintPtr());
+#endif

  // Load the memory size.
  instance_cache->mem_size =

--- a/src/objects/object-macros.h
+++ b/src/objects/object-macros.h
@@ -57,6 +57,10 @@

 #define DECL_INT32_ACCESSORS(name) DECL_PRIMITIVE_ACCESSORS(name, int32_t)

+#define DECL_SANDBOXED_POINTER_ACCESSORS(name, type) \
+  DECL_PRIMITIVE_GETTER(name, type)                  \
+  DECL_PRIMITIVE_SETTER(name, type)
+
 #define DECL_RELAXED_INT32_ACCESSORS(name)   \
  inline int32_t name(RelaxedLoadTag) const; \
  inline void set_##name(int32_t value, RelaxedStoreTag);

--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
@@ -840,6 +840,9 @@ void LiftoffAssembler::MergeStackWith(CacheState& target, uint32_t arity,
        target.cached_mem_start, instance,
        ObjectAccess::ToTagged(WasmInstanceObject::kMemoryStartOffset),
        sizeof(size_t));
+#ifdef V8_SANDBOXED_POINTERS
+    DecodeSandboxedPointer(target.cached_mem_start);
+#endif
  }
 }


--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@@ -2967,6 +2967,9 @@ class LiftoffCompiler {
      memory_start = __ GetUnusedRegister(kGpReg, pinned).gp();
      LOAD_INSTANCE_FIELD(memory_start, MemoryStart, kSystemPointerSize,
                          pinned);
+#ifdef V8_SANDBOXED_POINTERS
+      __ DecodeSandboxedPointer(memory_start);
+#endif
      __ cache_state()->SetMemStartCacheRegister(memory_start);
    }
    return memory_start;
@@ -4545,6 +4548,9 @@ class LiftoffCompiler {
    uintptr_t offset = imm.offset;
    Register addr = pinned.set(__ GetUnusedRegister(kGpReg, pinned)).gp();
    LOAD_INSTANCE_FIELD(addr, MemoryStart, kSystemPointerSize, pinned);
+#ifdef V8_SANDBOXED_POINTERS
+    __ DecodeSandboxedPointer(addr);
+#endif
    __ emit_i32_add(addr, addr, index);
    pinned.clear(LiftoffRegister(index));
    LiftoffRegister new_value = pinned.set(__ PopToRegister(pinned));

--- a/src/wasm/wasm-objects-inl.h
+++ b/src/wasm/wasm-objects-inl.h
@@ -92,6 +92,18 @@ CAST_ACCESSOR(WasmInstanceObject)
    }                                                                         \
  }

+#define SANDBOXED_POINTER_ACCESSORS(holder, name, type, offset)      \
+  type holder::name() const {                                        \
+    PtrComprCageBase sandbox_base = GetPtrComprCageBase(*this);      \
+    Address value = ReadSandboxedPointerField(offset, sandbox_base); \
+    return reinterpret_cast<type>(value);                            \
+  }                                                                  \
+  void holder::set_##name(type value) {                              \
+    PtrComprCageBase sandbox_base = GetPtrComprCageBase(*this);      \
+    Address addr = reinterpret_cast<Address>(value);                 \
+    WriteSandboxedPointerField(offset, sandbox_base, addr);          \
+  }
+
 // WasmModuleObject
 wasm::NativeModule* WasmModuleObject::native_module() const {
  return managed_native_module().raw();
@@ -188,7 +200,8 @@ bool WasmGlobalObject::SetFuncRef(Isolate* isolate, Handle<Object> value) {
 }

 // WasmInstanceObject
-PRIMITIVE_ACCESSORS(WasmInstanceObject, memory_start, byte*, kMemoryStartOffset)
+SANDBOXED_POINTER_ACCESSORS(WasmInstanceObject, memory_start, byte*,
+                            kMemoryStartOffset)
 PRIMITIVE_ACCESSORS(WasmInstanceObject, memory_size, size_t, kMemorySizeOffset)
 PRIMITIVE_ACCESSORS(WasmInstanceObject, isolate_root, Address,
                    kIsolateRootOffset)

--- a/src/wasm/wasm-objects.cc
+++ b/src/wasm/wasm-objects.cc
@@ -1177,7 +1177,7 @@ Handle<WasmInstanceObject> WasmInstanceObject::New(
      isolate->factory()->NewFixedArray(num_imported_functions);
  instance->set_imported_function_refs(*imported_function_refs);

-  instance->SetRawMemory(nullptr, 0);
+  instance->SetRawMemory(reinterpret_cast<byte*>(EmptyBackingStoreBuffer()), 0);
  instance->set_isolate_root(isolate->isolate_root());
  instance->set_stack_limit_address(
      isolate->stack_guard()->address_of_jslimit());

--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@@ -335,7 +335,7 @@ class V8_EXPORT_PRIVATE WasmInstanceObject : public JSObject {
  DECL_OPTIONAL_ACCESSORS(wasm_internal_functions, FixedArray)
  DECL_ACCESSORS(managed_object_maps, FixedArray)
  DECL_ACCESSORS(feedback_vectors, FixedArray)
-  DECL_PRIMITIVE_ACCESSORS(memory_start, byte*)
+  DECL_SANDBOXED_POINTER_ACCESSORS(memory_start, byte*)
  DECL_PRIMITIVE_ACCESSORS(memory_size, size_t)
  DECL_PRIMITIVE_ACCESSORS(isolate_root, Address)
  DECL_PRIMITIVE_ACCESSORS(stack_limit_address, Address)