1. 08 Jun, 2022 1 commit
      [sandbox] Implement sandbox crash filter · 059903de
      Samuel Groß authored
      If enabled, a signal handler is installed which intercepts memory access
      violations (e.g. SIGSEGV) and checks whether they occurred inside the
      sandbox address space, in which case the process is terminated cleanly
      as this does not represent a (security) issue with the sandbox. However,
      if the access violation occurred outside the sandbox, the access
      violation is forwarded to the original signal handler.
      
      The filter can be enabled in d8 by specifying
      --enable-sandbox-crash-filter.
      
      Bug: v8:12878
      Change-Id: If9d76267e90ee79ee81ab793d7774afed6226b7c
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688408
      Reviewed-by: Camillo Bruni <cbruni@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#80999}
  2. 20 May, 2022 1 commit
      [sandbox] Add new Memory Corruption API · 4a12cb10
      Samuel Groß authored
      When enabled, this API exposes a new global 'Sandbox' object which
      contains a number of functions and objects that in effect emulate
      typical memory corruption primitives constructed by exploits. In
      particular, the 'MemoryView' constructor can construct ArrayBuffer
      instances that can corrupt arbitrary memory inside the sandbox. Further,
      the getAddressOf(obj) and getSizeInBytesOf(obj) functions can be used
      respectively to obtain the address (relative to the base of the sandbox)
      and size of any HeapObject that can be accessed from JavaScript.
      
      This API is useful for testing the sandbox, for example to
      facilitate developing PoC sandbox escapes or writing regression tests.
      In the future, it may also be used by custom V8 sandbox fuzzers.
      
      Bug: v8:12878
      Change-Id: I4e420b2ff28bd834b0693f1546942e51c71bfdda
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650718
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#80659}