[Webkit-unassigned] [Bug 20961] New: Protect and mark JIT buffers executable
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Sep 20 09:18:47 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=20961
Summary: Protect and mark JIT buffers executable
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Keywords: SquirrelFish
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: alp at nuanti.com
X86Assembler.h currently uses plain fastMalloc() for its buffer.
We should consider using mprotect() (or VirtualAlloc() on Windows) to:
1) Mark the memory executable with PROT_EXEC, probably necessary for the JIT to
work with NX (no-execute) security capabilities enabled.
2) When compilation is completed, mark the memory read-only with PROT_WRITE.
Prevents further modification of JITed code, which could stop unrelated
security flaws like buffer overflow from escalating to arbitrary code
execution.
mprotect() expects memory to be aligned to a page boundary (smallest
granularity typically 4k) so we might want to allocate out of a custom memory
pool.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list