Protect heap metadata in Oilpan.
Rather than checking a static 16-bit magic value to check a HeapObjectHeader's
integrity when DCHECK_IS_ON, use a random 32-bit canary value in all builds.
Place it before the HeapObjectHeader value, rather than after, so that linear
overwrites (e.g. from OOB writes starting from lower addresses) are more likely
to corrupt it.
This is not a complete fix for 633030; more work on other heap metadata is
coming next. This is the simplest possible start. In particular, in future work
we may xor the |m_encoded| field with the canary as well, to obfuscate its
meaning to attackers using an infoleak to learn about the Oilpan heap.
BUG=633030
Review-Url: https://codereview.chromium.org/2683823004
Cr-Commit-Position: refs/heads/master@{#450598}
1 file changed
