[libpas] Enable MTE Retag-on-Scavenge in privileged processes

Achierius · Achierius · commit 34584723de5b · 2025-10-03T21:41:19.000-07:00
https://bugs.webkit.org/show_bug.cgi?id=300151 rdar://156723433 Reviewed by Mark Lam. This is an MTE hardening feature which helps catch use-after-frees by retagging objects as we scavenge them. It has a significant performance cost, but as long as we only enable it for privileged processes that cost disappears. Canonical link: https://commits.webkit.org/300987@main
diff --git a/Source/bmalloc/libpas/src/libpas/pas_mte.h b/Source/bmalloc/libpas/src/libpas/pas_mte.h
@@ -522,7 +522,17 @@ PAS_IGNORE_WARNINGS_END
 
 #define PAS_MTE_TAG_REGION_FROM_OTHER_ALLOCATION(ptr, size, mode, is_allocator_homogeneous, is_known_medium) do { \
         if (!PAS_MTE_FEATURE_ENABLED(PAS_MTE_FEATURE_RETAG_ON_FREE)) { \
-            PAS_MTE_TAG_REGION(ptr, size, mode, is_allocator_homogeneous, is_known_medium); \
+            uintptr_t tag = ptr; \
+            PAS_MTE_GET_TAG(tag); \
+            /* libpas ensures that all allocations which reside in pages with \
+             * backing tag memory are tagged with a non-zero tag at all points \
+             * in time after they've been allocated, so we can use this to see \
+             * whether the allocation should be retagged or not. \
+             * In the future it would be better to pipe the information through \
+             * so that we can save the LDG, but that will require moving the \
+             * source-of-truth out of the local allocator. */ \
+            if (tag) \
+                PAS_MTE_TAG_REGION(ptr, size, mode, is_allocator_homogeneous, is_known_medium); \
             break; \
         } \
         uint8_t* pas_mte_begin = (uint8_t*)(ptr); \
diff --git a/Source/bmalloc/libpas/src/libpas/pas_mte_config.h b/Source/bmalloc/libpas/src/libpas/pas_mte_config.h
@@ -121,7 +121,7 @@ extern Slot g_config[];
 #define PAS_MTE_FEATURE_ASSERT_ADJACENT_TAGS_ARE_DISJOINT 6
 
 #define PAS_MTE_FEATURE_FORCED(feature) (0)
-#define PAS_MTE_FEATURE_PRIVILEGED_FORCED(feature) (feature == PAS_MTE_FEATURE_ADJACENT_TAG_EXCLUSION)
+#define PAS_MTE_FEATURE_PRIVILEGED_FORCED(feature) (feature == PAS_MTE_FEATURE_ADJACENT_TAG_EXCLUSION || feature == PAS_MTE_FEATURE_RETAG_ON_FREE)
 #define PAS_MTE_FEATURE_WCP_FORCED(feature) (0)
 #define PAS_MTE_FEATURE_DEBUG_FORCED(feature) (feature == PAS_MTE_FEATURE_ASSERT_ADJACENT_TAGS_ARE_DISJOINT)
 
