From: Richard Henderson <rth@redhat.com>
To: Demi Obenour <demiobenour@gmail.com>, libffi-discuss@sourceware.org
Subject: Re: Avoid stack/heap executable memory
Date: Tue, 03 May 2016 23:33:00 -0000	[thread overview]
Message-ID: <84bfffeb-8172-85fd-6631-d2199eb21d94@redhat.com> (raw)
In-Reply-To: <1462310910.16919.2.camel@gmail.com>

On 05/03/2016 11:28 AM, Demi Obenour wrote:
> mmap() is the only (reasonably) portable and secure way to get
> executable memory.  An executable stack or heap makes exploiting
> vulnerabilities much easier.
>
> How difficult would this be to implement?

Please check out an old idea I had for gcc's own trampolines:

   https://github.com/rth7680/tramp.git

The idea is that we mmap two sequential pages.  The first, the "code page", is 
mmapped execute-only from the executable file.  The second, the "data page", is 
anonymous read-write.  The code page is PIC and reads from the data page, which 
contains the specifics of the closure.  The code page would be re-mapped from 
the same source as many times as necessary to handle all of the closures.

Incidentally, this also means that issues such as #228 (__clear_cache broken on 
qnx) go away because we no longer need to ever clear the icache.  The kernel 
will do that for us as needed during the mmap.

The end result would look a lot like FFI_EXEC_TRAMPOLINE_TABLE, making it easy 
to fold that back as the common (and only) case.

Of course, this will change the ABI, but I think we can work around that (at 
least for ELF with symbol versioning), and also preserve the API.  Of course, 
there's a *lot* that can be cleaned up if we're willing to change the API...


r~

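The two-page layout described in the message above, written out as an added example in C. This is not code from the thread, from libffi, or from the tramp repository it links; it assumes Linux (it reads `/proc/self/exe` and `/proc/self/maps`), and it uses file offset 0 of the running executable (the ELF header) as a stand-in for the page that would really hold the trampoline code, since the demo only inspects the mappings and never jumps into them. The names `tramp_pair`, `tramp_pair_map`, `count_wx_mappings` and `tramp_demo` are the example's own. It shows the security property the thread is after: the code page is file-backed and never writable, the data page is anonymous and never executable, the same code page is mapped once per closure, and a final scan confirms the process has no mapping that is both writable and executable.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A trampoline pair in the layout described in the mail: a code page mapped
   read+execute from the executable file, immediately followed by an anonymous
   read+write data page holding the closure's specifics.  The code page is
   never writable and the data page is never executable. */
struct tramp_pair {
    void  *code;   /* PROT_READ|PROT_EXEC, file-backed  */
    void  *data;   /* PROT_READ|PROT_WRITE, anonymous   */
    size_t page;   /* page size, so data == code + page */
};

/* Map one pair.  `fd` is the file holding the trampoline code and `off` the
   page-aligned offset of that code within it.  Returns 0 on success. */
static int tramp_pair_map(struct tramp_pair *tp, int fd, off_t off)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    /* Reserve two adjacent pages first, so the data page is guaranteed to sit
       exactly one page after the code page: PIC code can then reach its data
       with a fixed PC-relative offset. */
    char *base = mmap(NULL, 2 * (size_t)page, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    /* Code page: a private read+execute view of the file.  Nothing is ever
       written to it, so no icache flush is needed; the kernel keeps the
       mapping coherent. */
    void *code = mmap(base, (size_t)page, PROT_READ | PROT_EXEC,
                      MAP_PRIVATE | MAP_FIXED, fd, off);
    /* Data page: anonymous read+write, never executable. */
    void *data = mmap(base + page, (size_t)page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (code == MAP_FAILED || data == MAP_FAILED) {
        munmap(base, 2 * (size_t)page);
        return -1;
    }
    tp->code = code;
    tp->data = data;
    tp->page = (size_t)page;
    return 0;
}

static void tramp_pair_unmap(struct tramp_pair *tp)
{
    munmap(tp->code, 2 * tp->page);   /* both pages came from one reservation */
}

/* Defender-side check: count mappings that are writable AND executable by
   scanning /proc/self/maps.  Returns -1 if the file cannot be opened. */
static int count_wx_mappings(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512], perms[8];
    int n = 0;
    while (fgets(line, sizeof line, f)) {
        /* Line format: start-end perms offset dev inode [path]; perms like "rwxp". */
        if (sscanf(line, "%*s %7s", perms) != 1)
            continue;
        if (strchr(perms, 'w') && strchr(perms, 'x'))
            n++;
    }
    fclose(f);
    return n;
}

/* Build two pairs from the same file page, as the mail suggests re-mapping the
   code page once per closure.  Offset 0 of /proc/self/exe (the ELF header)
   stands in for the real trampoline page.  Returns 0 on success. */
static int tramp_demo(void)
{
    int fd = open("/proc/self/exe", O_RDONLY);
    if (fd < 0)
        return -1;
    struct tramp_pair a, b;
    if (tramp_pair_map(&a, fd, 0) != 0) { close(fd); return -2; }
    if (tramp_pair_map(&b, fd, 0) != 0) { tramp_pair_unmap(&a); close(fd); return -2; }
    close(fd);   /* the mappings hold their own reference to the file */

    int rc = 0;
    /* Both code pages are views of the same file page: each carries the ELF magic. */
    if (memcmp(a.code, "\x7f" "ELF", 4) != 0 || memcmp(b.code, "\x7f" "ELF", 4) != 0)
        rc = -3;
    /* Each data page sits exactly one page past its code page. */
    else if ((char *)a.data - (char *)a.code != (ptrdiff_t)a.page ||
             (char *)b.data - (char *)b.code != (ptrdiff_t)b.page)
        rc = -4;
    else {
        /* Per-closure specifics live in the data page (constructed values). */
        void **slots_a = a.data, **slots_b = b.data;
        slots_a[0] = (void *)tramp_demo;  slots_a[1] = (void *)(size_t)1;
        slots_b[0] = (void *)tramp_demo;  slots_b[1] = (void *)(size_t)2;
        /* Data pages are independent even though the code pages are shared. */
        if (slots_a[1] == slots_b[1])
            rc = -5;
    }
    tramp_pair_unmap(&a);
    tramp_pair_unmap(&b);
    return rc;
}

int main(void)
{
    int rc = tramp_demo();
    int wx = count_wx_mappings();
    printf("trampoline pair demo: %s\n", rc == 0 ? "ok" : "failed");
    printf("writable+executable mappings: %d\n", wx);
    return (rc == 0 && wx == 0) ? 0 : 1;
}
```

Reserving both pages with `PROT_NONE` and then filling them with `MAP_FIXED` is what guarantees the fixed code-to-data distance; two independent `mmap` calls could land anywhere. A real implementation would pass the offset of the page holding the trampoline code instead of 0, and the W^X scan is the kind of check a test suite can run after allocating closures to confirm that the executable-stack or executable-heap situation the original poster objects to never arises.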
Thread overview: 5+ messages
2016-05-03 21:28 Demi Obenour
2016-05-03 23:33 ` Richard Henderson [this message]
2016-05-04 10:17   ` Andrew Haley
2016-05-04 12:42     ` Anthony Green
2016-05-04 16:14       ` Jay