Bug 174281 - Lower the max_protection for the separated heap
Summary: Lower the max_protection for the separated heap
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-07-07 15:45 PDT by AJ Ringer
Modified: 2017-07-07 17:03 PDT (History)
8 users (show)

See Also:


Attachments
Patch (3.50 KB, patch)
2017-07-07 15:46 PDT, AJ Ringer
no flags Details | Formatted Diff | Diff
Patch (3.62 KB, patch)
2017-07-07 16:14 PDT, AJ Ringer
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description AJ Ringer 2017-07-07 15:45:22 PDT
Lower the max_protection for the separated heap
Comment 1 AJ Ringer 2017-07-07 15:46:09 PDT
Created attachment 314886 [details]
Patch
Comment 2 Oliver Hunt 2017-07-07 15:47:16 PDT
<rdar://problem/27452153>
Comment 3 Saam Barati 2017-07-07 15:49:31 PDT
Comment on attachment 314886 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=314886&action=review

> Source/JavaScriptCore/jit/ExecutableAllocator.cpp:224
> +        result = vm_protect(mach_task_self(), (vm_address_t)stubBase, stubSize, true, VM_PROT_EXECUTE);
>          RELEASE_ASSERT(!result);
>  #endif
>  
>          // Prevent writing into the executable JIT mapping.
> -        result = mprotect(jitBase, jitSize, VM_PROT_READ | VM_PROT_EXECUTE);
> +        result = vm_protect(mach_task_self(), (vm_address_t)jitBase, jitSize, true, VM_PROT_READ | VM_PROT_EXECUTE);
>          RELEASE_ASSERT(!result);
>  
>          // Prevent execution in the writable JIT mapping.
> -        result = mprotect((void*)writableAddr, jitSize, VM_PROT_READ | VM_PROT_WRITE);
> +        result = vm_protect(mach_task_self(), (vm_address_t)writableAddr, jitSize, true, VM_PROT_READ | VM_PROT_WRITE);

Style nit: Please use static_cast instead of C-style casts.
Comment 4 Saam Barati 2017-07-07 15:49:43 PDT
Oops, didn't mean to clear r+
Comment 5 Oliver Hunt 2017-07-07 15:54:45 PDT
(In reply to Saam Barati from comment #3)
> Comment on attachment 314886 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=314886&action=review
> 
> > Source/JavaScriptCore/jit/ExecutableAllocator.cpp:224
> > +        result = vm_protect(mach_task_self(), (vm_address_t)stubBase, stubSize, true, VM_PROT_EXECUTE);
> >          RELEASE_ASSERT(!result);
> >  #endif
> >  
> >          // Prevent writing into the executable JIT mapping.
> > -        result = mprotect(jitBase, jitSize, VM_PROT_READ | VM_PROT_EXECUTE);
> > +        result = vm_protect(mach_task_self(), (vm_address_t)jitBase, jitSize, true, VM_PROT_READ | VM_PROT_EXECUTE);
> >          RELEASE_ASSERT(!result);
> >  
> >          // Prevent execution in the writable JIT mapping.
> > -        result = mprotect((void*)writableAddr, jitSize, VM_PROT_READ | VM_PROT_WRITE);
> > +        result = vm_protect(mach_task_self(), (vm_address_t)writableAddr, jitSize, true, VM_PROT_READ | VM_PROT_WRITE);
> 
> Style nit: Please use static_cast instead of C-style casts.

for void*? I think it might need to be reinterpret_cast<> because vmprotect is obnoxious and uses uint66 or some such nonsense
Comment 6 Oliver Hunt 2017-07-07 16:06:52 PDT
Comment on attachment 314886 [details]
Patch

AJ is posting an updated patch
Comment 7 AJ Ringer 2017-07-07 16:14:49 PDT
Created attachment 314892 [details]
Patch
Comment 8 WebKit Commit Bot 2017-07-07 17:03:31 PDT
Comment on attachment 314892 [details]
Patch

Clearing flags on attachment: 314892

Committed r219273: <http://trac.webkit.org/changeset/219273>
Comment 9 WebKit Commit Bot 2017-07-07 17:03:32 PDT
All reviewed patches have been landed.  Closing bug.