    [v8] Security feature: JavaScript Bindings hardening · 7929995e
    abarth@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=106608
    
    Source/WebCore: 
    
    The patch adds a check at wrapper creation time to ensure that the
    object being wrapped is not already free, to the extent that we know
    the information about the type of the object as provided in the IDL.
    
    Patch by Tom Sepez <tsepez@chromium.org> on 2013-01-28
    Reviewed by Adam Barth.
    
    Patch is correct if existing tests pass without new crashes.
    
    * bindings/scripts/CodeGeneratorV8.pm:
    (GenerateImplementation):
    (GenerateToV8Converters):
    (GetNativeTypeForConversions):
    (GetGnuVTableRefForInterface):
    (GetGnuVTableNameForInterface):
    (GetGnuMangledNameForInterface):
    (GetGnuVTableOffsetForType):
    (GetWinVTableRefForInterface):
    (GetWinVTableNameForInterface):
    (GetWinMangledNameForInterface):
    (GetNamespaceForInterface):
    (GetImplementationLacksVTableForInterface):
    (GetV8SkipVTableValidationForInterface):
    Update code generation to add object validity tests under the control
    of the ENABLE_BINDING_INTEGRITY option.
            
    * Modules/filesystem/DirectoryReader.idl:
    * Modules/filesystem/DirectoryReaderSync.idl:
    * Modules/filesystem/EntryArray.idl:
    * Modules/filesystem/EntryArraySync.idl:
    * Modules/filesystem/Metadata.idl:
    * Modules/gamepad/Gamepad.idl:
    * Modules/gamepad/GamepadList.idl:
    * Modules/geolocation/Geoposition.idl:
    * Modules/geolocation/PositionError.idl:
    * Modules/indexeddb/IDBFactory.idl:
    * Modules/indexeddb/IDBIndex.idl:
    * Modules/indexeddb/IDBKeyRange.idl:
    * Modules/indexeddb/IDBObjectStore.idl:
    * Modules/mediastream/RTCStatsElement.idl:
    * Modules/mediastream/RTCStatsReport.idl:
    * Modules/quota/StorageInfo.idl:
    * Modules/speech/SpeechGrammar.idl:
    * Modules/speech/SpeechGrammarList.idl:
    * Modules/speech/SpeechRecognitionAlternative.idl:
    * Modules/speech/SpeechRecognitionResult.idl:
    * Modules/speech/SpeechRecognitionResultList.idl:
    * Modules/webaudio/AudioBuffer.idl:
    * Modules/webaudio/AudioDestinationNode.idl:
    * Modules/webaudio/AudioListener.idl:
    * Modules/webaudio/AudioSourceNode.idl:
    * Modules/webaudio/WaveTable.idl:
    * Modules/webdatabase/SQLError.idl:
    * Modules/webdatabase/SQLException.idl:
    * Modules/webdatabase/SQLResultSet.idl:
    * Modules/webdatabase/SQLResultSetRowList.idl:
    * Modules/webdatabase/SQLTransaction.idl:
    * Modules/webdatabase/SQLTransactionSync.idl:
    * bindings/scripts/IDLAttributes.txt:
    * css/CSSPrimitiveValue.idl:
    * css/CSSRule.idl:
    * css/CSSRuleList.idl:
    * css/CSSStyleDeclaration.idl:
    * css/CSSValue.idl:
    * css/CSSValueList.idl:
    * css/Counter.idl:
    * css/MediaList.idl:
    * css/MediaQueryList.idl:
    * css/RGBColor.idl:
    * css/Rect.idl:
    * css/StyleSheetList.idl:
    * css/WebKitCSSFilterValue.idl:
    * css/WebKitCSSMixFunctionValue.idl:
    * css/WebKitCSSTransformValue.idl:
    * dom/ClientRect.idl:
    * dom/ClientRectList.idl:
    * dom/Clipboard.idl:
    * dom/DOMCoreException.idl:
    * dom/DOMError.idl:
    * dom/DOMImplementation.idl:
    * dom/DOMNamedFlowCollection.idl:
    * dom/DOMStringList.idl:
    * dom/DOMStringMap.idl:
    * dom/DataTransferItem.idl:
    * dom/DataTransferItemList.idl:
    * dom/DocumentFragment.idl:
    * dom/Element.idl:
    * dom/Entity.idl:
    * dom/Event.idl:
    * dom/EventException.idl:
    * dom/MessageChannel.idl:
    * dom/MouseEvent.idl:
    * dom/MutationObserver.idl:
    * dom/MutationRecord.idl:
    * dom/NamedNodeMap.idl:
    * dom/NodeFilter.idl:
    * dom/NodeIterator.idl:
    * dom/NodeList.idl:
    * dom/Range.idl:
    * dom/RangeException.idl:
    * dom/Touch.idl:
    * dom/TouchList.idl:
    * dom/TreeWalker.idl:
    * fileapi/FileError.idl:
    * fileapi/FileException.idl:
    * fileapi/FileList.idl:
    * html/DOMFormData.idl:
    * html/DOMTokenList.idl:
    * html/DOMURL.idl:
    * html/HTMLAllCollection.idl:
    * html/HTMLCollection.idl:
    * html/HTMLDialogElement.idl:
    * html/HTMLDivElement.idl:
    * html/HTMLDocument.idl:
    * html/HTMLElement.idl:
    * html/HTMLImageElement.idl:
    * html/HTMLInputElement.idl:
    * html/HTMLSelectElement.idl:
    * html/HTMLSpanElement.idl:
    * html/HTMLUnknownElement.idl:
    * html/ImageData.idl:
    * html/MediaError.idl:
    * html/MediaKeyError.idl:
    * html/TimeRanges.idl:
    * html/ValidityState.idl:
    * html/canvas/ArrayBuffer.idl:
    * html/canvas/ArrayBufferView.idl:
    * html/canvas/CanvasGradient.idl:
    * html/canvas/CanvasPattern.idl:
    * html/canvas/Float32Array.idl:
    * html/canvas/Float64Array.idl:
    * html/canvas/Int16Array.idl:
    * html/canvas/Int32Array.idl:
    * html/canvas/Int8Array.idl:
    * html/canvas/Uint16Array.idl:
    * html/canvas/Uint32Array.idl:
    * html/canvas/Uint8Array.idl:
    * html/canvas/Uint8ClampedArray.idl:
    * html/canvas/WebGLActiveInfo.idl:
    * html/canvas/WebGLShaderPrecisionFormat.idl:
    * html/track/TextTrack.idl:
    * html/track/TextTrackCue.idl:
    * html/track/TextTrackCueList.idl:
    * inspector/InjectedScriptHost.idl:
    * inspector/InspectorFrontendHost.idl:
    * inspector/JavaScriptCallFrame.idl:
    * page/Coordinates.idl:
    * page/Crypto.idl:
    * page/MemoryInfo.idl:
    * page/PagePopupController.idl:
    * page/PerformanceEntryList.idl:
    * page/SpeechInputResult.idl:
    * page/SpeechInputResultList.idl:
    * page/WebKitPoint.idl:
    * svg/SVGAnimatedAngle.idl:
    * svg/SVGAnimatedBoolean.idl:
    * svg/SVGAnimatedEnumeration.idl:
    * svg/SVGAnimatedInteger.idl:
    * svg/SVGAnimatedLength.idl:
    * svg/SVGAnimatedLengthList.idl:
    * svg/SVGAnimatedNumber.idl:
    * svg/SVGAnimatedNumberList.idl:
    * svg/SVGAnimatedPreserveAspectRatio.idl:
    * svg/SVGAnimatedRect.idl:
    * svg/SVGAnimatedString.idl:
    * svg/SVGAnimatedTransformList.idl:
    * svg/SVGColor.idl:
    * svg/SVGException.idl:
    * svg/SVGPaint.idl:
    * svg/SVGPathSeg.idl:
    * svg/SVGRenderingIntent.idl:
    * svg/SVGUnitTypes.idl:
    * svg/SVGZoomAndPan.idl:
    * testing/MallocStatistics.idl:
    * testing/TypeConversions.idl:
    * workers/WorkerLocation.idl:
    * xml/DOMParser.idl:
    * xml/XMLHttpRequestException.idl:
    * xml/XMLSerializer.idl:
    * xml/XPathEvaluator.idl:
    * xml/XPathException.idl:
    * xml/XPathExpression.idl:
    * xml/XPathNSResolver.idl:
    * xml/XPathResult.idl:
    * xml/XSLTProcessor.idl:
    Add exceptions to binding integrity checks to IDL.
    
    Source/WebKit/chromium: 
    
    Patch by Tom Sepez <tsepez@chromium.org> on 2013-01-28
    Reviewed by Adam Barth.
    
    * features.gypi:
    Added ENABLE_BINDING_INTEGRITY option.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
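An added illustration (not WebKit's generated code) of the check this ChangeLog describes: before wrapping, the binding compares the object's vtable pointer with the vtable that the IDL-declared type should carry, so a released or differently-typed object is refused. The `Sample::Node` and `Sample::Element` classes and all helper names are invented; the mangled vtable symbol follows the GNU/Itanium ABI, which is what the Gnu* helpers in CodeGeneratorV8.pm compute.

```cpp
// Added illustration of the vtable check generated under ENABLE_BINDING_INTEGRITY.
// Not WebKit code: Sample::Node, Sample::Element and the helper names are invented.
#include <cstring>

namespace Sample {
class Node {
public:
    virtual ~Node() {}                       // polymorphic, so instances carry a vptr
    virtual int kind() const { return 1; }
};
class Element : public Node {                // would be its own IDL interface
public:
    int kind() const override { return 2; }
};
}

// GNU/Itanium ABI: the vtable for Sample::Node is the symbol _ZTVN6Sample4NodeE
// (the kind of name GetGnuMangledNameForInterface computes). An object's vptr
// points past the two leading slots (offset-to-top and RTTI), hence the [2].
extern "C" { extern void* _ZTVN6Sample4NodeE[]; }
static const void* const expectedNodeVTablePointer = &_ZTVN6Sample4NodeE[2];

// Read the vptr stored in the first pointer-sized word of the object.
static const void* actualVTablePointer(const void* object)
{
    const void* vptr;
    std::memcpy(&vptr, object, sizeof vptr);
    return vptr;
}

// The generated test: only wrap if the object is exactly a live Sample::Node.
bool nodeIsValidForWrapping(const void* impl)
{
    return actualVTablePointer(impl) == expectedNodeVTablePointer;
}

bool liveNodePasses()
{
    Sample::Node node;
    return nodeIsValidForWrapping(&node);
}

bool derivedObjectFails()                    // exact-type check: why some IDLs opt out
{
    Sample::Element element;
    return !nodeIsValidForWrapping(static_cast<Sample::Node*>(&element));
}

bool poisonedMemoryFails()                   // constructed stand-in for released memory
{
    alignas(Sample::Node) unsigned char buffer[sizeof(Sample::Node)];
    std::memset(buffer, 0xAB, sizeof buffer);
    return !nodeIsValidForWrapping(buffer);
}
```

The derived-object case shows why the patch needs per-interface IDL exceptions: the check is exact-type, so an implementation object that is a subclass of the declared interface would be rejected unless validation is skipped for it.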