RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-14 08:24:58 +00:00
Code Issues Activity Actions

LibJS: Never give back virtual memory once it belongs to a cell type

Browse source 
Instead of returning HeapBlock memory to the kernel (or a non-type
specific shared cache), we now keep a BlockAllocator per CellAllocator
and implement "deallocation" by basically informing the kernel that we
don't need the physical memory right now.

This is done with MADV_FREE or MADV_DONTNEED if available, but for other
platforms (including SerenityOS) we munmap and then re-mmap the memory
to achieve the same effect. It's definitely clunky, so I've added a
FIXME about implementing the madvise options on SerenityOS too.

The important outcome of this change is that GC types that use a
type-specific allocator become immune to use-after-free type confusion
attacks, since their virtual addresses will only ever be re-used for
the same exact type again and again.

Fixes #22274
This commit is contained in:
Andreas Kling 2023-12-31 11:36:18 +01:00
parent bcb1e548f1
commit b6d4eea7ac
10 changed files with 47 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Utilities/js.cpp
View file

@ -531,7 +531,7 @@ private:
ErrorOr<int> serenity_main(Main::Arguments arguments)
{
TRY(Core::System::pledge("stdio rpath wpath cpath tty sigaction"));
TRY(Core::System::pledge("stdio rpath wpath cpath tty sigaction map_fixed"));
bool gc_on_every_allocation = false;
bool disable_syntax_highlight = false;