Bug 274805 - [JSC] Add optional mprotect mode for executable memory on Intel
Summary: [JSC] Add optional mprotect mode for executable memory on Intel
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: David Degazio
Keywords: InRadar
Reported: 2024-05-28 15:37 PDT by David Degazio
Modified: 2024-05-29 12:27 PDT
Description David Degazio 2024-05-28 15:37:16 PDT
rdar://128901530

We currently don't rely on OS memory protections on Intel platforms for the executable region, since the performance cost of re-protecting this region for every modification is too steep. But in the absence of that, it's possible bugs can clobber executable memory without any real signs of failure until if/when the clobbered code gets executed. Let's at least have a build-time option to, at some cost (expecting on the order of 10-30% regressed with the current non-invasive approach, maybe this can be improved?), use mprotect() to protect pages in the executable memory region whenever we start or finish writing to them. This should turn any illegal writes to these pages outside of critical sections in the LinkBuffer or performJITMemcpy into traps, making it easier to find executable memory corruption bugs - like an executable memory sanitizer.
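The mechanism the description sketches, reduced to a stand-alone C program. This is an added example written for this page, not WebKit's LinkBuffer or performJITMemcpy code: the `exec_region` type, the `jit_memcpy` and `stray_write_is_trapped` helpers, the scenario functions and the 4 KiB region size are all invented here. It maps one JIT region, keeps it read+execute between writes, unseals it only inside the sanctioned copy routine, and then shows that a raw store from anywhere else faults immediately in sanitizer mode while going through silently in the RWX status quo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical region type (not WebKit's): one contiguous JIT allocation. */
typedef struct {
    uint8_t *base;
    size_t size;
    int sanitize;   /* 1: seal pages R+X between writes; 0: leave them RWX */
} exec_region;

/* Map the region. In sanitize mode the pages start out sealed (no write bit);
 * otherwise they stay RWX, mirroring the "no OS protection" status quo. */
static int exec_region_init(exec_region *r, size_t size, int sanitize) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size = ((size + (size_t)page - 1) / (size_t)page) * (size_t)page;
    int prot = sanitize ? (PROT_READ | PROT_EXEC) : (PROT_READ | PROT_WRITE | PROT_EXEC);
    void *p = mmap(NULL, size, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    r->base = p; r->size = size; r->sanitize = sanitize;
    return 0;
}

static void exec_region_destroy(exec_region *r) {
    if (r->base) munmap(r->base, r->size);
    r->base = NULL; r->size = 0;
}

/* Critical-section boundaries: unseal before a sanctioned write, reseal after. */
static int exec_region_begin_write(exec_region *r) {
    return r->sanitize ? mprotect(r->base, r->size, PROT_READ | PROT_WRITE) : 0;
}
static int exec_region_end_write(exec_region *r) {
    return r->sanitize ? mprotect(r->base, r->size, PROT_READ | PROT_EXEC) : 0;
}

/* Sanctioned write path, playing the role of performJITMemcpy: every legitimate
 * modification of executable memory goes through here and nowhere else. */
static int jit_memcpy(exec_region *r, size_t off, const void *src, size_t n) {
    if (off > r->size || n > r->size - off) return -1;   /* overflow-safe bounds check */
    if (exec_region_begin_write(r) != 0) return -1;
    memcpy(r->base + off, src, n);
    return exec_region_end_write(r);
}

/* Trap detection: a SIGSEGV/SIGBUS handler that records the fault and unwinds. */
static sigjmp_buf trap_env;
static volatile sig_atomic_t trap_hit;
static void on_fault(int sig) { (void)sig; trap_hit = 1; siglongjmp(trap_env, 1); }

/* Simulate a clobbering bug: a raw store that bypasses jit_memcpy.
 * Returns 1 if the store trapped (sanitizer caught it), 0 if it went through. */
static int stray_write_is_trapped(exec_region *r, size_t off, uint8_t value) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    trap_hit = 0;
    if (sigsetjmp(trap_env, 1) == 0) {
        volatile uint8_t *p = r->base + off;
        *p = value;   /* faults here when the page is sealed R+X */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return trap_hit;
}

/* Scenario A (sanitizer on): sanctioned copy lands, out-of-bounds copy is refused,
 * stray store traps and leaves the bytes intact. Returns 0 on success, else the step. */
static int run_sanitized(void) {
    static const uint8_t code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* constructed: x86-64 mov eax,42; ret (stored, never run) */
    exec_region r;
    if (exec_region_init(&r, 4096, 1) != 0) return 1;
    int step = 0;
    if (jit_memcpy(&r, 0, code, sizeof code) != 0) step = 2;
    else if (memcmp(r.base, code, sizeof code) != 0) step = 3;
    else if (jit_memcpy(&r, r.size - 2, code, sizeof code) != -1) step = 4;
    else if (!stray_write_is_trapped(&r, 0, 0x90)) step = 5;
    else if (r.base[0] != 0xB8) step = 6;   /* the trapped store must not have landed */
    exec_region_destroy(&r);
    return step;
}

/* Scenario B (sanitizer off, the status quo): the same stray store goes through
 * silently, which is exactly the failure mode the option is meant to surface. */
static int run_unsanitized(void) {
    exec_region r;
    if (exec_region_init(&r, 4096, 0) != 0) return 1;
    int step = 0;
    if (stray_write_is_trapped(&r, 0, 0x90)) step = 2;
    else if (r.base[0] != 0x90) step = 3;
    exec_region_destroy(&r);
    return step;
}

int main(void) {
    printf("sanitized: %d, unsanitized: %d (0 = behaved as expected)\n", run_sanitized(), run_unsanitized());
    return 0;
}
```

The signal handler unwinds with siglongjmp only so the program can report both scenarios; a real sanitizer build would let the fault crash the process, so the stray write shows up as a trap at the offending instruction rather than as mysterious behaviour later when the clobbered code runs. The cost model is also visible in the code: every sanctioned write now pays two mprotect() calls, which is where the regression estimated in the description comes from.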
Comment 1 David Degazio 2024-05-28 16:00:43 PDT
Pull request: https://github.com/WebKit/WebKit/pull/29198
Comment 2 EWS 2024-05-29 12:27:25 PDT
Committed 279455@main (3d6a7300a281): <https://commits.webkit.org/279455@main>

Reviewed commits have been landed. Closing PR #29198 and removing active labels.