beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-24 16:40:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

LibWeb: Make exported Wasm functions keep the module instance alive

Browse source 
As it's not uncommon for users to drop the module instance on the floor
after having grabbed the few exports they need to hold on to.
Fixes a few UAFs that show up as "invalid" accesses to
memory/tables/etc.
This commit is contained in:
Ali Mohammad Pur 2024-05-18 20:01:29 +02:00 committed by Andrew Kaster
parent 6d0aa7e64e
commit 8b1341c77e
Notes: sideshowbarker 2024-07-16 23:57:20 +09:00 
Author: https://github.com/alimpfard
Commit: https://github.com/SerenityOS/serenity/commit/8b1341c77e
Pull-request: https://github.com/SerenityOS/serenity/pull/24378
3 changed files with 5 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibWeb/WebAssembly/Instance.cpp
View file

@ -51,7 +51,7 @@ void Instance::initialize(JS::Realm& realm)
[&](Wasm::FunctionAddress const& address) {
Optional<JS::GCPtr<JS::FunctionObject>> object = m_function_instances.get(address);
if (!object.has_value()) {
object = Detail::create_native_function(vm, address, export_.name());
object = Detail::create_native_function(vm, address, export_.name(), this);
m_function_instances.set(address, *object);
}

5
Userland/Libraries/LibWeb/WebAssembly/WebAssembly.cpp
View file

@ -342,7 +342,7 @@ JS::ThrowCompletionOr<NonnullRefPtr<CompiledWebAssemblyModule>> parse_module(JS:
return compiled_module;
}
JS::NativeFunction* create_native_function(JS::VM& vm, Wasm::FunctionAddress address, ByteString const& name)
JS::NativeFunction* create_native_function(JS::VM& vm, Wasm::FunctionAddress address, ByteString const& name, Instance* instance)
{
auto& realm = *vm.current_realm();
Optional<Wasm::FunctionType> type;
@ -354,7 +354,8 @@ JS::NativeFunction* create_native_function(JS::VM& vm, Wasm::FunctionAddress add
auto function = JS::NativeFunction::create(
realm,
name,
[address, type = type.release_value()](JS::VM& vm) -> JS::ThrowCompletionOr<JS::Value> {
[address, type = type.release_value(), instance](JS::VM& vm) -> JS::ThrowCompletionOr<JS::Value> {
(void)instance;
auto& realm = *vm.current_realm();
Vector<Wasm::Value> values;
values.ensure_capacity(type.parameters().size());

2
Userland/Libraries/LibWeb/WebAssembly/WebAssembly.h
View file

@ -57,7 +57,7 @@ WebAssemblyCache& get_cache(JS::Realm&);
JS::ThrowCompletionOr<NonnullOwnPtr<Wasm::ModuleInstance>> instantiate_module(JS::VM&, Wasm::Module const&);
JS::ThrowCompletionOr<NonnullRefPtr<CompiledWebAssemblyModule>> parse_module(JS::VM&, JS::Object* buffer);
JS::NativeFunction* create_native_function(JS::VM&, Wasm::FunctionAddress address, ByteString const& name);
JS::NativeFunction* create_native_function(JS::VM&, Wasm::FunctionAddress address, ByteString const& name, Instance* instance = nullptr);
JS::ThrowCompletionOr<Wasm::Value> to_webassembly_value(JS::VM&, JS::Value value, Wasm::ValueType const& type);
JS::Value to_js_value(JS::VM&, Wasm::Value& wasm_value);