Bug 274805
| Summary: | [JSC] Add optional mprotect mode for executable memory on Intel | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | David Degazio <d_degazio> |
| Component: | JavaScriptCore | Assignee: | David Degazio <d_degazio> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
David Degazio
rdar://128901530
We currently don't rely on OS memory protections on Intel platforms for the executable region, since the performance cost of re-protecting this region for every modification is too steep. But in the absence of that, it's possible bugs can clobber executable memory without any real signs of failure until if/when the clobbered code gets executed. Let's at least have a build-time option to, at some cost (expecting on the order of 10-30% regressed with the current non-invasive approach, maybe this can be improved?), use mprotect() to protect pages in the executable memory region whenever we start or finish writing to them. This should turn any illegal writes to these pages outside of critical sections in the LinkBuffer or performJITMemcpy into traps, making it easier to find executable memory corruption bugs - like an executable memory sanitizer.
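The guarded-write scheme the comment describes, as an added stand-alone illustration (this is not WebKit's code; `guarded_jit_memcpy` is a made-up stand-in for the role performJITMemcpy plays, and one mmap'd page stands in for the executable region): the page stays R-X, is opened RW- only inside the copy's critical section, and any store outside that window faults, which `write_traps` detects with a SIGSEGV handler and sigsetjmp/siglongjmp.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example: one page stands in for the JIT executable region. */
static sigjmp_buf trap_env;
static volatile sig_atomic_t trapped;
static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }
static void on_segv(int sig) { (void)sig; trapped = 1; siglongjmp(trap_env, 1); }
/* Map the region R-X: readable and executable, never writable by default. */
static uint8_t *exec_region_alloc(void) {
    void *p = mmap(NULL, page_size(), PROT_READ | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (uint8_t *)p;
}
/* Hypothetical stand-in for performJITMemcpy: open the page RW- only for the
 * duration of the copy, then seal it back to R-X. Returns 0 on success. */
static int guarded_jit_memcpy(uint8_t *dst, const void *src, size_t n) {
    if (mprotect(dst, page_size(), PROT_READ | PROT_WRITE) != 0) return -1;
    memcpy(dst, src, n);
    return mprotect(dst, page_size(), PROT_READ | PROT_EXEC);
}
/* Probe: attempt one byte store at p. Returns 1 if it trapped (SIGSEGV,
 * i.e. the page was sealed), 0 if the write silently went through. */
static int write_traps(uint8_t *p, uint8_t byte) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    trapped = 0;
    if (sigsetjmp(trap_env, 1) == 0)
        *(volatile uint8_t *)p = byte;  /* faults unless the page is writable */
    sigaction(SIGSEGV, &old, NULL);
    return trapped;
}

int main(void) {
    uint8_t *region = exec_region_alloc();
    const uint8_t ret_insn = 0xC3;  /* x86 `ret`: the one byte we install */
    if (!region || guarded_jit_memcpy(region, &ret_insn, 1) != 0) return 1;
    printf("stray write trapped: %s\n", write_traps(region, 0x90) ? "yes" : "no");
    return 0;
}
```

The probe is only a test aid; in the real build the trap itself is the signal, surfacing the corrupting write at its source rather than when the clobbered code later runs.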
David Degazio
Pull request: https://github.com/WebKit/WebKit/pull/29198
EWS
Committed 279455@main (3d6a7300a281): <https://commits.webkit.org/279455@main>
Reviewed commits have been landed. Closing PR #29198 and removing active labels.