Bug 20961

Summary: Protect and mark JIT buffers executable
Product: WebKit Reporter: Alp Toker <alp@nuanti.com>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned@lists.webkit.org>
Status: RESOLVED FIXED    
Severity: Normal CC: ap@webkit.org, barraclough@apple.com, mrowe@apple.com, sam@webkit.org, zwarich@apple.com
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   

Description From 2008-09-20 09:18:46 PST
X86Assembler.h currently uses plain fastMalloc() for its buffer.

We should consider using mprotect() (or VirtualAlloc() on Windows) to:

1) Mark the memory executable with PROT_EXEC, probably necessary for the JIT to work with NX (no-execute) security capabilities enabled.

2) When compilation is completed, mark the memory read-only with PROT_WRITE. Prevents further modification of JITed code, which could stop unrelated security flaws like buffer overflow from escalating to arbitrary code execution.

mprotect() expects memory to be aligned to a page boundary (smallest granularity typically 4k) so we might want to allocate out of a custom memory pool.
------- Comment #1 From 2008-09-20 15:47:08 PST -------
This will need to be done for x86_64 support on Mac OS X, as the heap is non-executable by default.
------- Comment #2 From 2008-11-29 05:51:16 PST -------
We need to solve this problem by implementing an allocator for the generated code. We probably want to mmap pages from the OS and implement sub-page allocation, as many functions have less than 4kb of code. We will also have to be careful about unmapping pages and giving them back to the OS.
------- Comment #3 From 2009-04-20 22:09:12 PST -------
The first part of this bug was fixed in r39083:

http://trac.webkit.org/changeset/39083