tech-kern archive
Re: PAX mprotect and JIT
On Sat, Feb 25, 2017 at 10:35:27PM +0100, Joerg Sonnenberger wrote:
> I've attached three patches to this mail:
> (1) Implement a new flag for mremap to allow duplicating a mapping
> (M_REMAPDUP). This patch is functional by itself.
I like this part.
> (2) A hack to allow mprotect to switch between W and X, but still
> honoring W^X. This is a hack and needs to be carefully rethought,
> since I believe the way pax is currently implemented is wrong. Consider
> it a PoC.
Wouldn't it be better to create a variant of mremap() that allows
specifying the new protection flags and only allow a W^X toggle in
the M_REMAPDUP case?
It is not a big improvement, but feels slightly harder to exploit.
> I find the availability of two separate mappings quite an acceptable
> compromise.
Indeed.
Martin