Issue 862935 link
Issue metadata

Status: Assigned
Pri: 2
Type: Feature
Blocking: issue 862929

Harden wasm trap handler to only catch addresses within wasm memory gigacage

Reported by clemensh@chromium.org (Project Member), Jul 12

Issue description

The wasm trap handler currently catches every segfault that happens on a wasm memory access.
We should harden this to only catch accesses that are within 8GB of a wasm memory start address. This requires the trap handler to know the start addresses of all wasm memories in the system.

+mseaborn and mark, who are mentioned as trap-handler owners in v8/src/trap-handler/OWNERS.
 
Some background: Due to code generation bugs it can happen that offsets greater than 2^32 are used to access WebAssembly memories. In these cases, memory outside the 8GB of reserved memory can be accessed. If this happens, it would be better to crash instead of handling an out-of-bounds error. 
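The check the description asks for, as an added example that is not V8's own code: a hypothetical registry of wasm memory start addresses plus the predicate a trap handler would consult before treating a segfault as a wasm out-of-bounds access. The 8GB reservation size comes from the issue; the registry, the function names and the sample addresses are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Each wasm memory is assumed to own an 8GB reservation starting at its base
   address, as the issue states. */
#define WASM_RESERVATION_BYTES (8ULL << 30)
#define MAX_WASM_MEMORIES 64

/* Hypothetical registry of live wasm memory start addresses; the trap handler
   needs this to know which faults it may legitimately handle. */
static uintptr_t g_wasm_memory_starts[MAX_WASM_MEMORIES];
static size_t g_num_wasm_memories = 0;

/* Record a newly allocated wasm memory. Returns false if the registry is full. */
bool RegisterWasmMemory(uintptr_t start) {
  if (g_num_wasm_memories >= MAX_WASM_MEMORIES) return false;
  g_wasm_memory_starts[g_num_wasm_memories++] = start;
  return true;
}

/* Forget a freed wasm memory so that faults in reused address space are not
   mistaken for wasm out-of-bounds accesses. Returns false if not registered. */
bool UnregisterWasmMemory(uintptr_t start) {
  for (size_t i = 0; i < g_num_wasm_memories; i++) {
    if (g_wasm_memory_starts[i] == start) {
      /* swap-remove keeps the registry dense */
      g_wasm_memory_starts[i] = g_wasm_memory_starts[--g_num_wasm_memories];
      return true;
    }
  }
  return false;
}

/* The hardened predicate: a faulting address counts as a wasm out-of-bounds
   access only if it lies inside [start, start + 8GB) of some registered memory.
   Subtracting after the >= check avoids overflow when start is near the top of
   the address space. Any other fault should be left to crash the process. */
bool IsFaultInWasmMemory(uintptr_t fault_addr) {
  for (size_t i = 0; i < g_num_wasm_memories; i++) {
    uintptr_t start = g_wasm_memory_starts[i];
    if (fault_addr >= start && fault_addr - start < WASM_RESERVATION_BYTES) {
      return true;
    }
  }
  return false;
}
```

A handler built on this would check `IsFaultInWasmMemory(fault_addr)` first and re-raise the signal for anything outside a registered reservation, which is the crash-instead-of-handle behaviour the description wants for code-generation bugs.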
Components: Blink>JavaScript>WebAssembly

I noticed this issue has the label "Restrict-View-SecurityTeam". Since this issue describes an improvement rather than a bug/vulnerability, I don't think it should have that label. Do you mind if I remove it?

Cc: -ahaas@chromium.org
Owner: ahaas@chromium.org
Status: Assigned (was: Available)

You can remove it.

Labels: -Restrict-View-SecurityTeam