Re: W^X toggle button in RWX allocation

To: tech-security%netbsd.org@localhost
Subject: Re: W^X toggle button in RWX allocation
From: Joerg Sonnenberger <joerg%bec.de@localhost>
Date: Mon, 5 Jun 2017 23:30:09 +0200

On Sun, Jun 04, 2017 at 04:14:13PM +0200, Kamil Rytarowski wrote:
> On 04.06.2017 15:21, Joerg Sonnenberger wrote:
> > On Sun, Jun 04, 2017 at 02:41:16PM +0200, Kamil Rytarowski wrote:
> >> There is a new code for RWX memory mapping with MAP_REMAPDUP.
> >>
> >> Is there a functionality to switch which mapping is in force? To
> >> manually switch between RW or RX? This would be useful for the W^X
> >> mechanism in firefox.
> >>
> >> https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/
> > 
> > Look at the libffi and t_mprotect changes. That basically cover the
> > normal ways to do this.
> > 
> > Joerg
> > 
> 
> Does it mean that we need to perform duplication of a mapping for each
> switch RW - RX, and munmap(2) the old one?

If the area is write-once, no. Just mmap with RW | PROT_MPROTECT(X) and
later mprotect to RX. But JIT often wants smaller-than-page granularity
to reduce memory overhead or be able to patch in new jump points at the
start of a function etc.

Joerg

References:
- W^X toggle button in RWX allocation
  - From: Kamil Rytarowski
- Re: W^X toggle button in RWX allocation
  - From: Joerg Sonnenberger
- Re: W^X toggle button in RWX allocation
  - From: Kamil Rytarowski

Prev by Date: Re: W^X toggle button in RWX allocation
Next by Date: Proposal: Remove MD5 / SHA1 support from veriexec
Previous by Thread: Re: W^X toggle button in RWX allocation
Next by Thread: Proposal: Remove MD5 / SHA1 support from veriexec
Indexes:

Home | Main Index | Thread Index | Old Index