[wasm] Remove insecure WasmInstanceObject::module() [v8/v8 : main]
0 views
Skip to first unread message
Clemens Backes (Gerrit)
Jun 2, 2026, 9:20:27āÆAMĀ (12 days ago)Ā Jun 2
to Maksim Ivanov, v8-s...@luci-project-accounts.iam.gserviceaccount.com, devtools-...@chromium.org, v8-re...@googlegroups.com, was...@google.com
Attention needed from Maksim Ivanov
Clemens Backes added 1 comment![]( "Open in Gerrit")
Patchset-level comments
File-level comment, Patchset 2 (Latest):
Clemens Backes . resolved
One small step towards removing dangerous accessors...
Maksim, please take a first look. I'll then add the needed owners in a second step.
Related details
Attention is currently required from:
- Maksim Ivanov
Submit Requirements:
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Maksim Ivanov (Gerrit)
Jun 5, 2026, 7:13:21āÆPMĀ (9 days ago)Ā Jun 5
to Clemens Backes, v8-s...@luci-project-accounts.iam.gserviceaccount.com, devtools-...@chromium.org, v8-re...@googlegroups.com, was...@google.com
Attention needed from Clemens Backes
Maksim Ivanov voted and added 4 comments![]( "Open in Gerrit")
Votes added by Maksim Ivanov
| Code-Review | +1 |
4 comments
Patchset-level comments
Maksim Ivanov . resolved
lgtm % nits, thanks!
File test/cctest/wasm/test-wasm-serialization.cc
Line 542, Patchset 2 (Latest):
weak_native_module = module_object->native_module().as_shared_ptr();Maksim Ivanov . unresolved
nit: This can be derived from `native_module` now.
Line 545, Patchset 2 (Latest):
auto native_module = module_object->native_module();Maksim Ivanov . unresolved
nit: For clarity, seeing the full type instead of "auto" would help a lot.
Ditto in other places.
File test/unittests/wasm/wasm-tracing-unittest.cc
Line 57, Patchset 2 (Latest):
const WasmModule* module_a = instance_a->trusted_data(v8_isolate)->module();Maksim Ivanov . unresolved
nit: `instance_data_a->`
Related details
Attention is currently required from:
- Clemens Backes
Submit Requirements:
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Clemens Backes (Gerrit)
Jun 12, 2026, 9:30:29āÆAMĀ (2 days ago)Ā Jun 12
to Jakob Linke, Maksim Ivanov, v8-s...@luci-project-accounts.iam.gserviceaccount.com, devtools-...@chromium.org, v8-re...@googlegroups.com, was...@google.com
Attention needed from Jakob Linke
Clemens Backes added 4 comments![]( "Open in Gerrit")
Patchset-level comments
File-level comment, Patchset 4 (Latest):
Clemens Backes . resolved
Thanks for the review!
+Jakob for src/debug and src/execution.
File test/cctest/wasm/test-wasm-serialization.cc
Line 542, Patchset 2:
weak_native_module = module_object->native_module().as_shared_ptr();Maksim Ivanov . resolved
nit: This can be derived from `native_module` now.
Clemens Backes
Done
nit: For clarity, seeing the full type instead of "auto" would help a lot.
Ditto in other places.
Clemens Backes
Done
File test/unittests/wasm/wasm-tracing-unittest.cc
Line 57, Patchset 2:
const WasmModule* module_a = instance_a->trusted_data(v8_isolate)->module();Maksim Ivanov . resolved
Clemens Backesnit: `instance_data_a->`
Done
Related details
Attention is currently required from:
- Jakob Linke
Submit Requirements:
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Jakob Linke (Gerrit)
Jun 12, 2026, 11:14:29āÆAMĀ (2 days ago)Ā Jun 12
to Clemens Backes, Maksim Ivanov, v8-s...@luci-project-accounts.iam.gserviceaccount.com, devtools-...@chromium.org, v8-re...@googlegroups.com, was...@google.com
Attention needed from Clemens Backes
Jakob Linke voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Clemens Backes
Submit Requirements:
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Clemens Backes (Gerrit)
Jun 12, 2026, 2:43:16āÆPMĀ (2 days ago)Ā Jun 12
to Jakob Linke, Maksim Ivanov, v8-s...@luci-project-accounts.iam.gserviceaccount.com, devtools-...@chromium.org, v8-re...@googlegroups.com, was...@google.com
Clemens Backes voted Commit-Queue+2![]( "Open in Gerrit")
Submit Requirements:
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
v8-scoped@luci-project-accounts.iam.gserviceaccount.com (Gerrit)
Jun 12, 2026, 2:45:27āÆPMĀ (2 days ago)Ā Jun 12
to Clemens Backes, Jakob Linke, Maksim Ivanov, devtools-...@chromium.org, v8-re...@googlegroups.com, was...@google.com
v8-s...@luci-project-accounts.iam.gserviceaccount.com submitted the change![]( "Open in Gerrit")
Change information
Commit message:
[wasm] Remove insecure WasmInstanceObject::module()
This CL hardens the Wasm subsystem by removing the insecure module()
accessor from WasmInstanceObject and adding V8_LIFETIME_BOUND
annotations to NativeModule and WasmCode.
The link from an untrusted WasmInstanceObject to its WasmModule could be
corrupted by an attacker. If this link is traversed and used to obtain a
raw pointer to the WasmModule or its components (like the NativeModule),
a subsequent GC could collect the module, leading to Use-After-Free
(UAF) vulnerabilities.
To mitigate this, we:
1. Remove WasmInstanceObject::module(). All call sites now use the
trusted path via WasmTrustedInstanceData.
2. Add V8_LIFETIME_BOUND to NativeModule and WasmCode methods that
return internal pointers or references. This allows the compiler to
statically catch cases where these pointers outlive their owning
objects.
3. Update debug proxies and runtime functions to safely manage the
lifetimes of obtained module pointers, often by keeping the
Managed<NativeModule>::Ptr alive in a local variable.
In locations where metadata access still originates from an untrusted
instance object, a TODO(clemensb) has been added to mark these for
future hardening. This was intentionally not done for debugging-only
code and for test-only code which is less security-critical.
R=em...@google.com
Change-Id: I57d9212bfc11d81d994988268a8ecbae45f431b2
Commit-Queue: Clemens Backes <clem...@chromium.org>
Reviewed-by: Jakob Linke <jgr...@chromium.org>
Reviewed-by: Maksim Ivanov <em...@google.com>
Cr-Commit-Position: refs/heads/main@{#107964}
Files:
- M src/debug/debug-stack-trace-iterator.cc
- M src/debug/debug-wasm-objects.cc
- M src/debug/wasm/gdb-server/wasm-module-debug.cc
- M src/execution/frames.cc
- M src/execution/isolate.cc
- M src/objects/call-site-info.cc
- M src/runtime/runtime-debug.cc
- M src/runtime/runtime-test-wasm.cc
- M src/wasm/c-api.cc
- M src/wasm/wasm-code-manager.h
- M src/wasm/wasm-objects-inl.h
- M src/wasm/wasm-objects.h
- M test/cctest/wasm/test-gc.cc
- M test/cctest/wasm/test-wasm-serialization.cc
- M test/fuzzer/wasm/init-expr.cc
- M test/unittests/wasm/compilation-hints-unittest.cc
- M test/unittests/wasm/wasm-tracing-unittest.cc
Change size: M
Delta: 17 files changed, 114 insertions(+), 96 deletions(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Jakob Linke, +1 by Maksim Ivanov
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages