[sandbox] Sandboxify WasmInstanceObject::globals_start

This field points to the start of an ArrayBuffer backing store, which is guaranteed to be located inside the sandbox if it is enabled. As such, this simply turns the field into a sandboxed pointer field. Bug: chromium:1342548 Change-Id: I5a76e23cfc83b2a04cd461def1cd04337ccf5cf7 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3749190Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#81579}

[sandbox] Sandboxify WasmInstanceObject::globals_start
This field points to the start of an ArrayBuffer backing store, which is guaranteed to be located inside the sandbox if it is enabled. As such, this simply turns the field into a sandboxed pointer field. Bug: chromium:1342548 Change-Id: I5a76e23cfc83b2a04cd461def1cd04337ccf5cf7 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3749190Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#81579}
818a36bb · Samuel Groß · V8 LUCI CQ · 6ec76365 · 818a36bb · 818a36bb
Commit 818a36bb authored Jul 07, 2022 by Samuel Groß Committed by V8 LUCI CQ Jul 07, 2022
7 changed files
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -3284,7 +3284,11 @@ void WasmGraphBuilder::GetGlobalBaseAndOffset(const wasm::WasmGlobal& global,
    *offset = gasm_->IntPtrConstant(
        wasm::ObjectAccess::ElementOffsetInTaggedFixedArray(global.offset));
  } else {
+#ifdef V8_SANDBOXED_POINTERS
+    *base = LOAD_INSTANCE_FIELD(GlobalsStart, MachineType::SandboxedPointer());
+#else
    *base = LOAD_INSTANCE_FIELD(GlobalsStart, MachineType::UintPtr());
+#endif
    *offset = gasm_->IntPtrConstant(global.offset);
  }
 }

--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@@ -2393,6 +2393,9 @@ class LiftoffCompiler {
      *offset = 0;
    } else {
      LOAD_INSTANCE_FIELD(addr, GlobalsStart, kSystemPointerSize, *pinned);
+#ifdef V8_SANDBOXED_POINTERS
+      __ DecodeSandboxedPointer(addr);
+#endif
      *offset = global->offset;
    }
    return addr;

--- a/src/wasm/wasm-objects-inl.h
+++ b/src/wasm/wasm-objects-inl.h
@@ -207,8 +207,8 @@ PRIMITIVE_ACCESSORS(WasmInstanceObject, old_allocation_top_address, Address*,
                    kOldAllocationTopAddressOffset)
 PRIMITIVE_ACCESSORS(WasmInstanceObject, imported_function_targets, Address*,
                    kImportedFunctionTargetsOffset)
-PRIMITIVE_ACCESSORS(WasmInstanceObject, globals_start, byte*,
+SANDBOXED_POINTER_ACCESSORS(WasmInstanceObject, globals_start, byte*,
-                    kGlobalsStartOffset)
+                            kGlobalsStartOffset)
 PRIMITIVE_ACCESSORS(WasmInstanceObject, imported_mutable_globals, Address*,
                    kImportedMutableGlobalsOffset)
 PRIMITIVE_ACCESSORS(WasmInstanceObject, indirect_function_table_size, uint32_t,

--- a/src/wasm/wasm-objects.cc
+++ b/src/wasm/wasm-objects.cc
@@ -1202,7 +1202,8 @@ Handle<WasmInstanceObject> WasmInstanceObject::New(
      isolate->heap()->OldSpaceAllocationLimitAddress());
  instance->set_old_allocation_top_address(
      isolate->heap()->OldSpaceAllocationTopAddress());
-  instance->set_globals_start(nullptr);
+  instance->set_globals_start(
+      reinterpret_cast<byte*>(EmptyBackingStoreBuffer()));
  instance->set_indirect_function_table_size(0);
  instance->set_indirect_function_table_refs(
      ReadOnlyRoots(isolate).empty_fixed_array());

--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@@ -344,7 +344,7 @@ class V8_EXPORT_PRIVATE WasmInstanceObject : public JSObject {
  DECL_PRIMITIVE_ACCESSORS(old_allocation_limit_address, Address*)
  DECL_PRIMITIVE_ACCESSORS(old_allocation_top_address, Address*)
  DECL_PRIMITIVE_ACCESSORS(imported_function_targets, Address*)
-  DECL_PRIMITIVE_ACCESSORS(globals_start, byte*)
+  DECL_SANDBOXED_POINTER_ACCESSORS(globals_start, byte*)
  DECL_PRIMITIVE_ACCESSORS(imported_mutable_globals, Address*)
  DECL_PRIMITIVE_ACCESSORS(indirect_function_table_size, uint32_t)
  DECL_PRIMITIVE_ACCESSORS(indirect_function_table_sig_ids, uint32_t*)

--- a/test/cctest/wasm/wasm-run-utils.cc
+++ b/test/cctest/wasm/wasm-run-utils.cc
@@ -54,7 +54,10 @@ TestingModuleBuilder::TestingModuleBuilder(
  WasmJs::Install(isolate_, true);
  test_module_->is_memory64 = mem_type == kMemory64;
  test_module_->untagged_globals_buffer_size = kMaxGlobalsSize;
-  memset(globals_data_, 0, sizeof(globals_data_));
+  // The GlobalsData must be located inside the sandbox, so allocate it from the
+  // ArrayBuffer allocator.
+  globals_data_ = reinterpret_cast<byte*>(
+      CcTest::array_buffer_allocator()->Allocate(kMaxGlobalsSize));
  uint32_t maybe_import_index = 0;
  if (maybe_import) {
@@ -105,6 +108,7 @@ TestingModuleBuilder::~TestingModuleBuilder() {
  // When the native module dies and is erased from the cache, it is expected to
  // have either valid bytes or no bytes at all.
  native_module_->SetWireBytes({});
+  CcTest::array_buffer_allocator()->Free(globals_data_, kMaxGlobalsSize);
 }
 byte* TestingModuleBuilder::AddMemory(uint32_t size, SharedFlag shared) {

--- a/test/cctest/wasm/wasm-run-utils.h
+++ b/test/cctest/wasm/wasm-run-utils.h
@@ -289,7 +289,7 @@ class TestingModuleBuilder {
  uint32_t global_offset = 0;
  byte* mem_start_ = nullptr;
  uint32_t mem_size_ = 0;
-  alignas(16) byte globals_data_[kMaxGlobalsSize];
+  byte* globals_data_ = nullptr;
  std::unique_ptr<WasmInterpreter> interpreter_;
  TestExecutionTier execution_tier_;
  Handle<WasmInstanceObject> instance_object_;