[Webkit-unassigned] [Bug 105730] New: crash in SELinux due to execheap violation

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 24 14:25:16 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=105730

           Summary: crash in SELinux due to execheap violation
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: self at tinctorius.net


There are issues with running Steam for Linux on a system with SELinux enabled. It is possible that WebKit is partially to blame.

The issue I've come across (https://github.com/ValveSoftware/steam-for-linux/issues/88) gives the following diagnostic information (with uninteresting data pruned for brevity):

    type=AVC msg=audit(...): avc: denied { execheap } for pid=4329 comm="MainThrd" ...
    type=SYSCALL msg=audit(...): arch=40000003 syscall=125 success=no exit=-13 a0=e9ac000 a1=c000 a2=7 a3=fff5bfcc ...

From this, one can derive that the violation is changing the memory protection (syscall=125 means mprotect), of a 48 kilobyte buffer to be both writable and executable (a2=7 means PROT_READ | PROT_WRITE | PROT_EXEC). I guess this is due to some JIT compilation going on in Steam (barring attackers, why else would anyone enable execution?), which would be due to WebKit (as suggested by the developer).
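
A small decoder that performs the same derivation over audit records, as an added example that is not part of the bug report (the sample lines are constructed from the pruned excerpt above, with a placeholder event id and without the pruned fields; it also carries an x86_64 syscall table, which the report does not need):

```python
import re

# Constructed sample modelled on the pruned audit excerpt in the report; the
# event id and the trailing fields are placeholders, not values from the page.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1356387916.123:42): avc: denied { execheap } for pid=4329 comm="MainThrd" tclass=process
type=SYSCALL msg=audit(1356387916.123:42): arch=40000003 syscall=125 success=no exit=-13 a0=e9ac000 a1=c000 a2=7 a3=fff5bfcc pid=4329 comm="MainThrd"
"""

# arch values are the kernel's AUDIT_ARCH_* constants; syscall numbers differ per arch.
ARCH = {0x40000003: ("i386", {90: "mmap", 125: "mprotect", 192: "mmap2"}),
        0xC000003E: ("x86_64", {9: "mmap", 10: "mprotect"})}
PROT = [(1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC")]
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit(text):
    """Group AVC and SYSCALL records by audit event id -> {record type: fields}."""
    events = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        m = re.search(r'msg=audit\(([^)]*)\)', line)
        if not m or "type" not in fields:
            continue
        denied = re.search(r'denied\s+\{\s*([^}]*?)\s*\}', line)
        if denied:
            fields["denied"] = denied.group(1)  # e.g. execheap or execmem
        events.setdefault(m.group(1), {})[fields["type"]] = fields
    return events

def explain(event):
    """Decode one grouped event the way the report does by hand."""
    sc = event["SYSCALL"]
    arch_name, table = ARCH.get(int(sc["arch"], 16), ("unknown", {}))
    name = table.get(int(sc["syscall"]), "syscall#" + sc["syscall"])
    out = {"arch": arch_name, "syscall": name,
           "denied": event.get("AVC", {}).get("denied"),
           "errno": {"-13": "EACCES", "-1": "EPERM"}.get(sc.get("exit"), sc.get("exit"))}
    if name == "mprotect":
        prot = int(sc["a2"], 16)          # a0=addr, a1=len, a2=prot (all hex)
        out["addr"] = int(sc["a0"], 16)
        out["length"] = int(sc["a1"], 16)
        out["prot"] = [n for bit, n in PROT if prot & bit]
        # W^X violation: the same range requested both writable and executable.
        out["writable_and_executable"] = (prot & 6) == 6
    return out

def decode_all(text):
    return [explain(e) for e in parse_audit(text).values() if "SYSCALL" in e]
```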

As far as I know, you don't need memory to be both writable and executable for JIT compilation. This issue looks like evidence of something bad happening in WebKit's JavaScript interpreter:

1) For one, memory should never be both writable and executable. On Windows, this would be a violation under DEP.
2) It's apparently a bad idea to use heap memory for this (according to Ulrich Drepper, at least: http://www.akkadia.org/drepper/selinux-mem.html).

(This issue seems similar to #35154, but 1) that issue lacked enough logging information to confirm, and 2) the missing permission there was execmem, rather than execheap.)
