// Copyright 2022 the V8 project authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "src/sandbox/testing.h" #include "src/api/api-inl.h" #include "src/api/api-natives.h" #include "src/common/globals.h" #include "src/execution/isolate-inl.h" #include "src/heap/factory.h" #include "src/objects/backing-store.h" #include "src/objects/js-objects.h" #include "src/objects/templates.h" #include "src/sandbox/sandbox.h" #ifdef V8_OS_LINUX #include <signal.h> #include <sys/mman.h> #include <unistd.h> #endif // V8_OS_LINUX #ifdef V8_USE_ADDRESS_SANITIZER #include <sanitizer/asan_interface.h> #endif // V8_USE_ADDRESS_SANITIZER namespace v8 { namespace internal { #ifdef V8_ENABLE_SANDBOX SandboxTesting::Mode SandboxTesting::mode_ = …; Address SandboxTesting::target_page_base_ = …; Address SandboxTesting::target_page_size_ = …; #ifdef V8_ENABLE_MEMORY_CORRUPTION_API namespace { // Sandbox.base void SandboxGetBase(const v8::FunctionCallbackInfo<v8::Value>& info) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); double sandbox_base = GetProcessWideSandbox()->base(); info.GetReturnValue().Set(v8::Number::New(isolate, sandbox_base)); } // Sandbox.byteLength void SandboxGetByteLength(const v8::FunctionCallbackInfo<v8::Value>& info) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); double sandbox_size = GetProcessWideSandbox()->size(); info.GetReturnValue().Set(v8::Number::New(isolate, sandbox_size)); } // new Sandbox.MemoryView(info) -> Sandbox.MemoryView void SandboxMemoryView(const v8::FunctionCallbackInfo<v8::Value>& info) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); Local<v8::Context> context = isolate->GetCurrentContext(); if (!info.IsConstructCall()) { isolate->ThrowError("Sandbox.MemoryView must be invoked with 'new'"); return; } Local<v8::Integer> arg1, arg2; if (!info[0]->ToInteger(context).ToLocal(&arg1) || !info[1]->ToInteger(context).ToLocal(&arg2)) { isolate->ThrowError("Expects two number arguments (start offset and size)"); return; } Sandbox* sandbox = GetProcessWideSandbox(); CHECK_LE(sandbox->size(), kMaxSafeIntegerUint64); uint64_t offset = arg1->Value(); uint64_t size = arg2->Value(); if (offset > sandbox->size() || size > sandbox->size() || (offset + size) > sandbox->size()) { isolate->ThrowError( "The MemoryView must be entirely contained within the sandbox"); return; } Factory* factory = reinterpret_cast<Isolate*>(isolate)->factory(); std::unique_ptr<BackingStore> memory = BackingStore::WrapAllocation( reinterpret_cast<void*>(sandbox->base() + offset), size, v8::BackingStore::EmptyDeleter, nullptr, SharedFlag::kNotShared); if (!memory) { isolate->ThrowError("Out of memory: MemoryView backing store"); return; } Handle<JSArrayBuffer> buffer = factory->NewJSArrayBuffer(std::move(memory)); info.GetReturnValue().Set(Utils::ToLocal(buffer)); } // The methods below either take a HeapObject or the address of a HeapObject as // argument. These helper functions can be used to extract the argument object // in both cases. using ArgumentObjectExtractorFunction = std::function<bool( const v8::FunctionCallbackInfo<v8::Value>&, Tagged<HeapObject>* out)>; static bool GetArgumentObjectPassedAsReference( const v8::FunctionCallbackInfo<v8::Value>& info, Tagged<HeapObject>* out) { v8::Isolate* isolate = info.GetIsolate(); if (info.Length() == 0) { isolate->ThrowError("First argument must be provided"); return false; } Handle<Object> arg = Utils::OpenHandle(*info[0]); if (!IsHeapObject(*arg)) { isolate->ThrowError("First argument must be a HeapObject"); return false; } *out = Cast<HeapObject>(*arg); return true; } static bool GetArgumentObjectPassedAsAddress( const v8::FunctionCallbackInfo<v8::Value>& info, Tagged<HeapObject>* out) { Sandbox* sandbox = GetProcessWideSandbox(); v8::Isolate* isolate = info.GetIsolate(); Local<v8::Context> context = isolate->GetCurrentContext(); if (info.Length() == 0) { isolate->ThrowError("First argument must be provided"); return false; } Local<v8::Uint32> arg1; if (!info[0]->ToUint32(context).ToLocal(&arg1)) { isolate->ThrowError("First argument must be the address of a HeapObject"); return false; } uint32_t address = arg1->Value(); // Allow tagged addresses by removing the kHeapObjectTag and // kWeakHeapObjectTag. This allows clients to just read tagged pointers from // the heap and use them for these APIs. address &= ~kHeapObjectTagMask; *out = HeapObject::FromAddress(sandbox->base() + address); return true; } // Sandbox.getAddressOf(Object) -> Number void SandboxGetAddressOf(const v8::FunctionCallbackInfo<v8::Value>& info) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); Tagged<HeapObject> obj; if (!GetArgumentObjectPassedAsReference(info, &obj)) { return; } // HeapObjects must be allocated inside the pointer compression cage so their // address relative to the start of the sandbox can be obtained simply by // taking the lowest 32 bits of the absolute address. uint32_t address = static_cast<uint32_t>(obj->address()); info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, address)); } // Sandbox.getObjectAt(Number) -> Object void SandboxGetObjectAt(const v8::FunctionCallbackInfo<v8::Value>& info) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); Tagged<HeapObject> obj; if (!GetArgumentObjectPassedAsAddress(info, &obj)) { return; } Isolate* i_isolate = reinterpret_cast<Isolate*>(isolate); Handle<Object> handle(obj, i_isolate); info.GetReturnValue().Set(ToApiHandle<v8::Value>(handle)); } // Sandbox.isValidObjectAt(Address) -> Bool void SandboxIsValidObjectAt(const v8::FunctionCallbackInfo<v8::Value>& info) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); Tagged<HeapObject> obj; if (!GetArgumentObjectPassedAsAddress(info, &obj)) { return; } Heap* heap = reinterpret_cast<Isolate*>(isolate)->heap(); auto IsLocatedInMappedMemory = [&](Tagged<HeapObject> obj) { // Note that IsOutsideAllocatedSpace is imprecise and may return false for // some addresses outside the allocated space. However, it's probably good // enough for our purposes. return !heap->memory_allocator()->IsOutsideAllocatedSpace(obj.address()); }; bool is_valid = false; if (IsLocatedInMappedMemory(obj)) { Tagged<Map> map = obj->map(); if (IsLocatedInMappedMemory(map)) { is_valid = IsMap(map); } } info.GetReturnValue().Set(is_valid); } static void SandboxIsWritableImpl( const v8::FunctionCallbackInfo<v8::Value>& info, ArgumentObjectExtractorFunction getArgumentObject) { DCHECK(ValidateCallbackInfo(info)); Tagged<HeapObject> obj; if (!getArgumentObject(info, &obj)) { return; } MemoryChunkMetadata* chunk = MemoryChunkMetadata::FromHeapObject(obj); bool is_writable = chunk->IsWritable(); info.GetReturnValue().Set(is_writable); } // Sandbox.isWritable(Object) -> Bool void SandboxIsWritable(const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxIsWritableImpl(info, &GetArgumentObjectPassedAsReference); } // Sandbox.isWritableObjectAt(Number) -> Bool void SandboxIsWritableObjectAt( const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxIsWritableImpl(info, &GetArgumentObjectPassedAsAddress); } static void SandboxGetSizeOfImpl( const v8::FunctionCallbackInfo<v8::Value>& info, ArgumentObjectExtractorFunction getArgumentObject) { DCHECK(ValidateCallbackInfo(info)); Tagged<HeapObject> obj; if (!getArgumentObject(info, &obj)) { return; } int size = obj->Size(); info.GetReturnValue().Set(size); } // Sandbox.getSizeOf(Object) -> Number void SandboxGetSizeOf(const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxGetSizeOfImpl(info, &GetArgumentObjectPassedAsReference); } // Sandbox.getSizeOfObjectAt(Number) -> Number void SandboxGetSizeOfObjectAt(const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxGetSizeOfImpl(info, &GetArgumentObjectPassedAsAddress); } static void SandboxGetInstanceTypeOfImpl( const v8::FunctionCallbackInfo<v8::Value>& info, ArgumentObjectExtractorFunction getArgumentObject) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); Tagged<HeapObject> obj; if (!getArgumentObject(info, &obj)) { return; } InstanceType type = obj->map()->instance_type(); std::stringstream out; out << type; MaybeLocal<v8::String> result = v8::String::NewFromUtf8(isolate, out.str().c_str()); info.GetReturnValue().Set(result.ToLocalChecked()); } // Sandbox.getInstanceTypeOf(Object) -> String void SandboxGetInstanceTypeOf(const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxGetInstanceTypeOfImpl(info, &GetArgumentObjectPassedAsReference); } // Sandbox.getInstanceTypeOfObjectAt(Number) -> String void SandboxGetInstanceTypeOfObjectAt( const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxGetInstanceTypeOfImpl(info, &GetArgumentObjectPassedAsAddress); } static void SandboxGetInstanceTypeIdOfImpl( const v8::FunctionCallbackInfo<v8::Value>& info, ArgumentObjectExtractorFunction getArgumentObject) { DCHECK(ValidateCallbackInfo(info)); Tagged<HeapObject> obj; if (!getArgumentObject(info, &obj)) { return; } InstanceType type = obj->map()->instance_type(); static_assert(std::is_same_v<std::underlying_type_t<InstanceType>, uint16_t>); if (type > LAST_TYPE) { // This can happen with corrupted objects. Canonicalize to a special // "unknown" instance type to indicate that this is an unknown type. const uint16_t kUnknownInstanceType = std::numeric_limits<uint16_t>::max(); type = static_cast<InstanceType>(kUnknownInstanceType); } info.GetReturnValue().Set(type); } // Sandbox.getInstanceTypeIdOf(Object) -> Number void SandboxGetInstanceTypeIdOf( const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxGetInstanceTypeIdOfImpl(info, &GetArgumentObjectPassedAsReference); } // Sandbox.getInstanceTypeIdOfObjectAt(Number) -> Number void SandboxGetInstanceTypeIdOfObjectAt( const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxGetInstanceTypeIdOfImpl(info, &GetArgumentObjectPassedAsAddress); } // Obtain the offset of a field in an object. // // This can be used to obtain the offsets of internal object fields in order to // avoid hardcoding offsets into testcases. It basically makes the various // Foo::kBarOffset constants accessible from JavaScript. The main benefit of // that is that testcases continue to work if the field offset changes. // Additionally, if a field is removed, testcases that use it will fail and can // then be deleted if they are no longer useful. void SandboxGetFieldOffsetImpl( const v8::FunctionCallbackInfo<v8::Value>& info, ArgumentObjectExtractorFunction getArgumentObject) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); Tagged<HeapObject> obj; if (!getArgumentObject(info, &obj)) { return; } InstanceType instance_type = Cast<HeapObject>(*obj)->map()->instance_type(); v8::String::Utf8Value field_name(isolate, info[1]); if (!*field_name) { isolate->ThrowError("Second argument must be a string"); return; } auto& all_fields = SandboxTesting::GetFieldOffsetMap(); if (all_fields.find(instance_type) == all_fields.end()) { isolate->ThrowError( "Unknown object type. If needed, add it in " "SandboxTesting::GetFieldOffsetMap"); return; } auto& obj_fields = all_fields[instance_type]; if (obj_fields.find(*field_name) == obj_fields.end()) { isolate->ThrowError( "Unknown field. If needed, add it in " "SandboxTesting::GetFieldOffsetMap"); return; } int offset = obj_fields[*field_name]; info.GetReturnValue().Set(offset); } // Sandbox.getFieldOffsetOf(Object, String) -> Number void SandboxGetFieldOffsetOf(const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxGetFieldOffsetImpl(info, &GetArgumentObjectPassedAsReference); } // Sandbox.getFieldOffsetOfObjectAt(Number, String) -> Number void SandboxGetFieldOffsetOfObjectAt( const v8::FunctionCallbackInfo<v8::Value>& info) { SandboxGetFieldOffsetImpl(info, &GetArgumentObjectPassedAsAddress); } // Sandbox.targetPage void SandboxGetTargetPage(const v8::FunctionCallbackInfo<v8::Value>& info) { DCHECK(ValidateCallbackInfo(info)); v8::Isolate* isolate = info.GetIsolate(); Address page = SandboxTesting::target_page_base(); CHECK_NE(page, kNullAddress); info.GetReturnValue().Set(v8::Number::New(isolate, page)); } Handle<FunctionTemplateInfo> NewFunctionTemplate( Isolate* isolate, FunctionCallback func, ConstructorBehavior constructor_behavior) { // Use the API functions here as they are more convenient to use. v8::Isolate* api_isolate = reinterpret_cast<v8::Isolate*>(isolate); Local<FunctionTemplate> function_template = FunctionTemplate::New(api_isolate, func, {}, {}, 0, constructor_behavior, SideEffectType::kHasSideEffect); return v8::Utils::OpenHandle(*function_template); } Handle<JSFunction> CreateFunc(Isolate* isolate, FunctionCallback func, Handle<String> name, bool is_constructor) { ConstructorBehavior constructor_behavior = is_constructor ? ConstructorBehavior::kAllow : ConstructorBehavior::kThrow; Handle<FunctionTemplateInfo> function_template = NewFunctionTemplate(isolate, func, constructor_behavior); return ApiNatives::InstantiateFunction(isolate, function_template, name) .ToHandleChecked(); } void InstallFunc(Isolate* isolate, Handle<JSObject> holder, FunctionCallback func, const char* name, int num_parameters, bool is_constructor) { Factory* factory = isolate->factory(); Handle<String> function_name = factory->NewStringFromAsciiChecked(name); Handle<JSFunction> function = CreateFunc(isolate, func, function_name, is_constructor); function->shared()->set_length(num_parameters); JSObject::AddProperty(isolate, holder, function_name, function, NONE); } void InstallGetter(Isolate* isolate, Handle<JSObject> object, FunctionCallback func, const char* name) { Factory* factory = isolate->factory(); Handle<String> property_name = factory->NewStringFromAsciiChecked(name); Handle<JSFunction> getter = CreateFunc(isolate, func, property_name, false); Handle<Object> setter = factory->null_value(); JSObject::DefineOwnAccessorIgnoreAttributes(object, property_name, getter, setter, FROZEN); } void InstallFunction(Isolate* isolate, Handle<JSObject> holder, FunctionCallback func, const char* name, int num_parameters) { InstallFunc(isolate, holder, func, name, num_parameters, false); } void InstallConstructor(Isolate* isolate, Handle<JSObject> holder, FunctionCallback func, const char* name, int num_parameters) { InstallFunc(isolate, holder, func, name, num_parameters, true); } } // namespace void SandboxTesting::InstallMemoryCorruptionApiIfEnabled(Isolate* isolate) { #ifndef V8_ENABLE_MEMORY_CORRUPTION_API #error "This function should not be available in any shipping build " \ "where it could potentially be abused to facilitate exploitation." #endif if (!IsEnabled()) return; CHECK(GetProcessWideSandbox()->is_initialized()); // Create the special Sandbox object that provides read/write access to the // sandbox address space alongside other miscellaneous functionality. Handle<JSObject> sandbox = isolate->factory()->NewJSObject( isolate->object_function(), AllocationType::kOld); InstallGetter(isolate, sandbox, SandboxGetBase, "base"); InstallGetter(isolate, sandbox, SandboxGetByteLength, "byteLength"); InstallConstructor(isolate, sandbox, SandboxMemoryView, "MemoryView", 2); InstallFunction(isolate, sandbox, SandboxGetAddressOf, "getAddressOf", 1); InstallFunction(isolate, sandbox, SandboxGetObjectAt, "getObjectAt", 1); InstallFunction(isolate, sandbox, SandboxIsValidObjectAt, "isValidObjectAt", 1); InstallFunction(isolate, sandbox, SandboxIsWritable, "isWritable", 1); InstallFunction(isolate, sandbox, SandboxIsWritableObjectAt, "isWritableObjectAt", 1); InstallFunction(isolate, sandbox, SandboxGetSizeOf, "getSizeOf", 1); InstallFunction(isolate, sandbox, SandboxGetSizeOfObjectAt, "getSizeOfObjectAt", 1); InstallFunction(isolate, sandbox, SandboxGetInstanceTypeOf, "getInstanceTypeOf", 1); InstallFunction(isolate, sandbox, SandboxGetInstanceTypeOfObjectAt, "getInstanceTypeOfObjectAt", 1); InstallFunction(isolate, sandbox, SandboxGetInstanceTypeIdOf, "getInstanceTypeIdOf", 1); InstallFunction(isolate, sandbox, SandboxGetInstanceTypeIdOfObjectAt, "getInstanceTypeIdOfObjectAt", 1); InstallFunction(isolate, sandbox, SandboxGetFieldOffsetOf, "getFieldOffsetOf", 2); InstallFunction(isolate, sandbox, SandboxGetFieldOffsetOfObjectAt, "getFieldOffsetOfObjectAt", 2); if (mode() == Mode::kForTesting) { InstallGetter(isolate, sandbox, SandboxGetTargetPage, "targetPage"); } // Install the Sandbox object as property on the global object. Handle<JSGlobalObject> global = isolate->global_object(); Handle<String> name = isolate->factory()->NewStringFromAsciiChecked("Sandbox"); JSObject::AddProperty(isolate, global, name, sandbox, DONT_ENUM); } #endif // V8_ENABLE_MEMORY_CORRUPTION_API namespace { #ifdef V8_OS_LINUX void PrintToStderr(const char* output) { … } [[noreturn]] void FilterCrash(const char* reason) { … } // Signal handler checking whether a memory access violation happened inside or // outside of the sandbox address space. If inside, the signal is ignored and // the process terminated normally, in the latter case the original signal // handler is restored and the signal delivered again. struct sigaction g_old_sigabrt_handler, g_old_sigtrap_handler, g_old_sigbus_handler, g_old_sigsegv_handler; void UninstallCrashFilter() { … } void CrashFilter(int signal, siginfo_t* info, void* void_context) { … } #ifdef V8_USE_ADDRESS_SANITIZER void AsanFaultHandler() { Address faultaddr = reinterpret_cast<Address>(__asan_get_report_address()); if (faultaddr == kNullAddress) { FilterCrash( "Caught ASan fault without a fault address. Ignoring it as we cannot " "check if it is a sandbox violation. Exiting process...\n"); } if (GetProcessWideSandbox()->Contains(faultaddr)) { FilterCrash( "Caught harmless ASan fault (inside sandbox address space). Exiting " "process...\n"); } // Asan may report the failure via abort(), so we should also restore the // original signal handlers here. UninstallCrashFilter(); PrintToStderr("\n## V8 sandbox violation detected!\n\n"); } #endif // V8_USE_ADDRESS_SANITIZER void InstallCrashFilter() { … } #endif // V8_OS_LINUX } // namespace void SandboxTesting::Enable(Mode mode) { … } bool SandboxTesting::IsInsideTargetPage(Address faultaddr) { … } SandboxTesting::FieldOffsetMap& SandboxTesting::GetFieldOffsetMap() { … } #endif // V8_ENABLE_SANDBOX } // namespace internal } // namespace v8
Codebase Browser
chromium