On 25.02.2017 22:35, Joerg Sonnenberger wrote: > Hi all, > at the moment, PAX mprotect makes it very expensive to implement any > form of JIT. It is not possible to switch a page from writeable to > executable. It is not possible to use anonymous memory for JIT in > multi-threaded applications as you can't have distinct writable and > executable mappings. The only ways JIT can work right now is by either > disabling PAX mprotect or creating a temporary file on disk. That's not > only silly, but IMO actively harmful. Considering that some important > components like libffi fall into this category, the answer can't be > "disable PAX mprotect on bin/python*" and various other places. > > I've attached three patches to this mail: > (1) Implement a new flag for mremap to allow duplicating a mapping > (M_REMAPDUP). This patch is functional by itself. > (2) A hack for allow mprotect to switch between W and X, but still > honoring W^X. This is a hack and needs to be carefully rethought, > since I believe the way pax is currently implemented is wrong. Consider > it a PoC. > (3) A patch for devel/libffi to show how the first two parts can be > implemented to obtain JIT. With this patch the libffi test suite passes > with active PAX mprotect and ASLR. > > I find the availability of two separate mappings quite an acceptable > compromise. It would allow us to easily improve security for most > binaries by mapping the GOT read-only as far as possible by keeping the > write mapping separate. But that's a separate topic. > > Joerg > Thank you for working on it. It looks difficult to understand on the first sight, the need to "reinvent" malloc(3) with this approach. Can we have something like MAP_NOMPROTECT? Something like it would be used to mmap(2) RWX region: void *mapping = mmap(NULL, rounded_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE | MAP_NOMPROTECT, -1, 0); Are doubled mappings more secure than this?
Attachment:
signature.asc
Description: OpenPGP digital signature