[Webkit-unassigned] [Bug 279273] New: [JSC] Remove legacy ASLR implementation from WTF's x86 OSAllocator
bugzilla-daemon at webkit.org
Fri Sep 6 11:36:49 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=279273
Bug ID: 279273
Summary: [JSC] Remove legacy ASLR implementation from WTF's x86 OSAllocator
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: marcus_plutowski at apple.com
rdar://135430256
In OSAllocatorPOSIX.cpp:tryReserveAndCommit, we manually implement ASLR for x86 machines by calling a random number generator to request a location within a subsection of the address space. This has not been necessary for a long time: if you pass mmap a nullptr for the address, it will select a suitably random location for you. Doing it ourselves is bad for multiple reasons: 1) it’s slower, and 2) selecting a specific location in memory is generally suspicious, and I suspect that it might be related to certain other bugs.
However, this situation does raise the specter of Chesterton’s Fence: if the OS does this automatically, then why did we implement code to do it ourselves? The answer is that this code is just really old: the first patch adding this to the codebase (34933 at main) was committed in April 2009, and the code has not been touched since December 2010 (63979 at main). ASLR was only implemented on Mac OS X in version 10.5 (Leopard, released October 2007) and only expanded to cover all applications in 10.7 (Lion, July 2011). So this code was written during a time when we _did_ need to implement it ourselves; as that is no longer the case, we should stop doing so.
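To illustrate the reserve-and-commit pattern the report refers to, here is an added example (not WebKit's OSAllocatorPOSIX code) in plain POSIX C. It reserves address space with a null placement hint so the kernel's own ASLR chooses the location, commits a sub-range with mprotect, and also shows the legacy style of passing a caller-chosen hint, which without MAP_FIXED is only advisory and can silently be ignored. Function names and the 1 MiB region size are this example's own choices.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Reserve `bytes` of address space with no placement hint (NULL), so the
 * kernel's ASLR picks the location. Pages are PROT_NONE until committed.
 * Returns NULL on failure. */
void *reserve_region(size_t bytes)
{
    void *p = mmap(NULL, bytes, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Legacy style: the caller supplies its own "random" hint. Without MAP_FIXED
 * the hint is advisory only; the kernel may place the mapping elsewhere, so
 * this buys no extra randomness over the NULL hint. Kept for comparison. */
void *reserve_region_with_hint(void *hint, size_t bytes)
{
    void *p = mmap(hint, bytes, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Commit a sub-range of a reserved region: make it readable and writable.
 * Returns 0 on success, -1 on failure (errno set by mprotect). */
int commit_region(void *base, size_t bytes)
{
    return mprotect(base, bytes, PROT_READ | PROT_WRITE);
}

/* Give the whole reservation back to the OS. */
int release_region(void *base, size_t bytes)
{
    return munmap(base, bytes);
}

/* Returns 1 if `p` is aligned to the system page size, else 0. */
int is_page_aligned(const void *p)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    return ((uintptr_t)p % page) == 0;
}

/* Reserve 1 MiB, commit the first page, write into it, release.
 * Returns 0 on success, a negative code identifying the failing step. */
int demo_reserve_commit(void)
{
    const size_t bytes = 1u << 20;               /* 1 MiB reservation */
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *base = reserve_region(bytes);
    if (base == NULL)
        return -1;
    if (!is_page_aligned(base)) {
        release_region(base, bytes);
        return -2;
    }
    if (commit_region(base, page) != 0) {        /* only the first page */
        release_region(base, bytes);
        return -3;
    }
    memset(base, 0xAB, 64);                      /* touching committed memory is safe */
    int ok = ((unsigned char *)base)[63] == 0xAB;
    release_region(base, bytes);
    return ok ? 0 : -4;
}

int main(void)
{
    /* Run the program twice: with ASLR enabled the kernel reports a different
     * base address each time, with no random-number generator in user space. */
    void *a = reserve_region(1u << 20);
    printf("kernel-chosen base: %p\n", a);
    release_region(a, 1u << 20);
    printf("demo result: %d\n", demo_reserve_commit());
    return 0;
}
```

The important difference from the legacy path is in `reserve_region`: the process neither computes nor reveals a preferred address, which removes the user-space RNG call and leaves placement entirely to the kernel's ASLR.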