Re: PAX mprotect and JIT

To: Taylor R Campbell <campbell+netbsd-tech-kern%mumble.net@localhost>
Subject: Re: PAX mprotect and JIT
From: Joerg Sonnenberger <joerg%bec.de@localhost>
Date: Sun, 26 Feb 2017 16:38:04 +0100

On Sun, Feb 26, 2017 at 03:20:17PM +0000, Taylor R Campbell wrote:
> > Date: Sat, 25 Feb 2017 22:35:27 +0100
> > From: Joerg Sonnenberger <joerg%bec.de@localhost>
> > 
> > (1) Implement a new flag for mremap to allow duplicating a mapping
> > (M_REMAPDUP). This patch is functional by itself.
> 
> Can we make this opt-in at mmap time -- that is, require you to have
> specified MAP_REMAPDUP to mmap on a region in order to use it for
> mremap on that region?  That way this introduces no new attack surface
> for mappings that were not intended to be used with it in the first
> place.

I don't think duplicating the mapping by itself creates any new attack
surface. The better question is what the permissions should be. I'd far
prefer that mmap has to request support for executable ahead of time.
That doesn't work too well with the current pax logic though and there
are some general questions of whether the interface is correct. E.g. if
I request RWX for mmap, should we really silently drop the X from the
effective permissions? I think a separate flag to make it RWx is better.
That should address your concern as well.

Joerg

Follow-Ups:
- Re: PAX mprotect and JIT
  - From: Taylor R Campbell

References:
- PAX mprotect and JIT
  - From: Joerg Sonnenberger
- Re: PAX mprotect and JIT
  - From: Taylor R Campbell

Prev by Date: Re: PAX mprotect and JIT
Next by Date: Re: PAX mprotect and JIT
Previous by Thread: Re: PAX mprotect and JIT
Next by Thread: Re: PAX mprotect and JIT
Indexes:

Home | Main Index | Thread Index | Old Index