This is the mail archive of the libffi-discuss@sourceware.org mailing list for the libffi project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Avoid stack/heap executable memory


On 05/03/2016 11:28 AM, Demi Obenour wrote:
> mmap() is the only (reasonably) portable and secure way to get
> executable memory.  An executable stack or heap makes exploiting
> vulnerabilities much easier.
>
> How difficult would this be to implement?

Please check out an old idea I had for gcc's own trampolines:

  https://github.com/rth7680/tramp.git

The idea is that we mmap two sequential pages. The first, the "code page", is mmapped execute-only from the executable file. The second, the "data page", is anonymous read-write. The code page is PIC and reads from the data page, which contains the specifics of the closure. The code page would be re-mapped from the same source as many times as necessary to handle all of the closures.

Incidentally, this also means that issues such as #228 (__clear_cache broken on qnx) go away because we no longer need to ever clear the icache. The kernel will do that for us as needed during the mmap.

The end result would look a lot like FFI_EXEC_TRAMPOLINE_TABLE, making it easy to fold that back as the common (and only) case.

Of course, this will change the ABI, but I think we can work around that (at least for ELF with symbol versioning), and also preserve the API. Of course, there's a *lot* that can be cleaned up if we're willing to change the API...


r~

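Added example (not libffi's code, and not the tramp repository's either): a minimal C sketch of the two-page layout described in the message above, for Linux on x86-64 or aarch64. The stub bytes are hand-assembled here, the data-page layout {fn, user} and the stub calling convention stub(arg) -> fn(user, arg) are assumptions for the demo, and memfd_create() is assumed available (with an unlinked temp file as fallback). The code page is written once to a file descriptor as ordinary data and then mapped PROT_EXEC, the data page is anonymous read-write, and the process never holds a writable+executable mapping nor calls mprotect() to flip permissions; icache maintenance is left to the kernel at map time, as the message says.

```c
/* Added example, not libffi's code or the tramp repo's. One closure = two
 * sequential pages: page 0 is a PIC stub mapped PROT_EXEC from a file, page 1
 * is anonymous RW holding {fn, user}. Nothing is ever mapped W+X and there is
 * no mprotect() flip; the kernel handles icache maintenance when it maps the
 * code page. Assumed: Linux, x86-64 or aarch64, memfd_create() with a
 * temp-file fallback, and the hypothetical stub ABI stub(arg) -> fn(user, arg). */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef long (*tramp_target)(void *user, long arg);
struct tramp_data { tramp_target fn; void *user; };   /* layout of the data page */
struct tramp { unsigned char *code; struct tramp_data *data; size_t page; };

/* Hand-assembled PIC stub. Displacements depend on the page size, so the bytes
 * are patched in an ordinary heap buffer, never in executable memory. */
static size_t build_stub(unsigned char *out, size_t page)
{
    size_t off_fn = offsetof(struct tramp_data, fn), off_user = offsetof(struct tramp_data, user);
#if defined(__x86_64__)
    /* mov rsi,rdi ; mov rdi,[rip+d_user] ; jmp [rip+d_fn]   (rip = next insn) */
    unsigned char s[16] = { 0x48,0x89,0xfe, 0x48,0x8b,0x3d,0,0,0,0, 0xff,0x25,0,0,0,0 };
    int32_t d_user = (int32_t)(page + off_user - 10), d_fn = (int32_t)(page + off_fn - 16);
    memcpy(s + 6, &d_user, 4);
    memcpy(s + 12, &d_fn, 4);
    memcpy(out, s, sizeof s);
    return sizeof s;
#elif defined(__aarch64__)
    /* mov x1,x0 ; ldr x0,=user ; ldr x16,=fn ; br x16   (ldr literal: imm19*4 from pc) */
    uint32_t s[4] = {
        0xaa0003e1,
        0x58000000 | (uint32_t)((page + off_user - 4) / 4) << 5 | 0,
        0x58000000 | (uint32_t)((page + off_fn - 8) / 4) << 5 | 16,
        0xd61f0200,
    };
    memcpy(out, s, sizeof s);
    return sizeof s;
#else
    (void)out; (void)page; (void)off_fn; (void)off_user;
    return 0;                                   /* architecture not covered here */
#endif
}

/* Build the file that backs every code page; one fd serves any number of closures. */
static int code_fd(size_t page)
{
    unsigned char *buf = calloc(1, page);
    int fd = -1;
    if (!buf || build_stub(buf, page) == 0) { free(buf); return -1; }
#ifdef MFD_CLOEXEC
    unsigned flags = MFD_CLOEXEC;
#ifdef MFD_EXEC
    flags |= MFD_EXEC;                          /* newer kernels may default memfds to noexec */
#endif
    fd = memfd_create("tramp-code", flags);
#endif
    if (fd < 0) {                               /* fallback: unlinked temp file */
        char path[] = "/tmp/tramp-XXXXXX";
        fd = mkstemp(path);
        if (fd >= 0) unlink(path);
    }
    if (fd >= 0 && write(fd, buf, page) != (ssize_t)page) { close(fd); fd = -1; }
    free(buf);
    return fd;
}

/* Reserve two sequential pages, map the code page from the file (PROT_EXEC only;
 * the kernel adds read where the hardware cannot separate it), then the data
 * page as anonymous RW. The two pages are never both writable and executable. */
static int tramp_alloc(struct tramp *t, int fd, size_t page, tramp_target fn, void *user)
{
    unsigned char *base = mmap(NULL, 2 * page, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    if (mmap(base, page, PROT_EXEC, MAP_PRIVATE | MAP_FIXED, fd, 0) == MAP_FAILED ||
        mmap(base + page, page, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED) {
        munmap(base, 2 * page);
        return -1;
    }
    t->code = base; t->data = (struct tramp_data *)(base + page); t->page = page;
    t->data->fn = fn; t->data->user = user;
    return 0;
}

static void tramp_free(struct tramp *t) { munmap(t->code, 2 * t->page); }

static long add_bound(void *user, long arg) { return *(long *)user + arg; }

/* Bind `bound` into add_bound through one closure, call it through the stub as
 * a plain long(long) function and return the result (-1 on any failure). */
long tramp_demo(long bound, long arg)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int fd = code_fd(page);
    long result = -1;
    struct tramp t;
    if (fd < 0) return -1;
    if (tramp_alloc(&t, fd, page, add_bound, &bound) == 0) {
        long (*call)(long);
        memcpy(&call, &t.code, sizeof call);    /* data pointer -> function pointer */
        result = call(arg);
        tramp_free(&t);
    }
    close(fd);
    return result;
}

int main(void) { return tramp_demo(40, 2) == 42 ? 0 : 1; }
```

The only writes in this path are calloc'd heap memory (the stub bytes while they are patched), the file descriptor (via write()), and the RW data page; the executable page is produced by the page cache, which is why no __clear_cache call is needed on either architecture. Reusing one fd for every closure is what makes the layout look like FFI_EXEC_TRAMPOLINE_TABLE.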
