Subject: Re: Avoid stack/heap executable memory
From: Richard Henderson
To: Demi Obenour, libffi-discuss@sourceware.org
Date: Tue, 03 May 2016 23:33:00 -0000
Message-ID: <84bfffeb-8172-85fd-6631-d2199eb21d94@redhat.com>
In-Reply-To: <1462310910.16919.2.camel@gmail.com>

On 05/03/2016 11:28 AM, Demi Obenour wrote:
> mmap() is the only (reasonably) portable and secure way to get
> executable memory. An executable stack or heap makes exploiting
> vulnerabilities much easier.
>
> How difficult would this be to implement?

Please check out an old idea I had for gcc's own trampolines:

  https://github.com/rth7680/tramp.git

The idea is that we mmap two sequential pages. The first, the "code page", is mmaped execute-only from the executable file. The second, the "data page", is anonymous read-write. The code page is PIC and reads from the data page, which contains the specifics of the closure.

The code page would be re-mapped from the same source as many times as necessary to handle all of the closures.

Incidentally, this also means that issues such as #228 (__clear_cache broken on qnx) go away because we no longer need to ever clear the icache. The kernel will do that for us as needed during the mmap.

The end result would look a lot like FFI_EXEC_TRAMPOLINE_TABLE, making it easy to fold that back as the common (and only) case.

Of course, this will change the ABI, but I think we can work around that (at least for ELF with symbol versioning), and also preserve the API. Of course, there's a *lot* that can be cleaned up if we're willing to change the API...

r~
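The code-page/data-page layout described in the reply, as an added example that is not code from the tramp repository or from libffi. It assumes Linux and glibc: the page holding a placeholder stub function (`trampoline_stub`, constructed here and never called) is located with `dl_iterate_phdr`, remapped from `/proc/self/exe` as a private read+execute page, and an anonymous read-write page is placed directly after it to hold a constructed `closure_data` descriptor. The mapping uses `PROT_READ|PROT_EXEC` rather than execute-only because x86 cannot express execute-only pages; the check at the end reads `/proc/self/maps` to confirm that no page in the pair is both writable and executable.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Per-closure descriptor kept in the writable "data page" (constructed for
   this example; libffi's real closure layout is different). */
typedef struct {
    void (*fn)(void);
    void *user_data;
} closure_data;

/* Stand-in for the PIC trampoline stub that lives in the executable's text.
   It is never called here; we only remap the page that holds its bytes. */
__attribute__((noinline, used))
static void trampoline_stub(void) { __asm__ volatile("" ::: "memory"); }

struct seg_lookup { uintptr_t addr; off_t file_off; int found; };

/* dl_iterate_phdr callback: find the executable PT_LOAD segment containing
   addr and translate the address into an offset inside the mapped file. */
static int find_segment(struct dl_phdr_info *info, size_t size, void *data) {
    struct seg_lookup *l = data;
    (void)size;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        uintptr_t start = info->dlpi_addr + ph->p_vaddr;
        if (ph->p_type == PT_LOAD && (ph->p_flags & PF_X) &&
            l->addr >= start && l->addr < start + ph->p_filesz) {
            l->file_off = (off_t)(ph->p_offset + (l->addr - start));
            l->found = 1;
            return 1; /* stop iterating */
        }
    }
    return 0;
}

struct tramp_pair { uint8_t *code; closure_data *data; size_t page; };

/* Reserve two adjacent pages, then map the code page from the executable
   file (read+execute) and the data page anonymously (read+write). */
static int tramp_pair_alloc(struct tramp_pair *tp) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    uintptr_t stub = (uintptr_t)trampoline_stub;
    uintptr_t stub_page = stub & ~((uintptr_t)page - 1);
    struct seg_lookup l = { stub, 0, 0 };
    dl_iterate_phdr(find_segment, &l);
    if (!l.found) return -1;
    off_t page_off = l.file_off - (off_t)(stub - stub_page);

    uint8_t *base = mmap(NULL, 2 * page, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (fd < 0) { munmap(base, 2 * page); return -1; }
    void *code = mmap(base, page, PROT_READ | PROT_EXEC,
                      MAP_PRIVATE | MAP_FIXED, fd, page_off);
    close(fd);
    if (code == MAP_FAILED) { munmap(base, 2 * page); return -1; }
    void *data = mmap(base + page, page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (data == MAP_FAILED) { munmap(base, 2 * page); return -1; }
    tp->code = code; tp->data = data; tp->page = (size_t)page;
    return 0;
}

/* The remapped code page must carry the same bytes as the live text, the
   data page must sit right behind it, and only the data page is written. */
static int tramp_pair_verify(const struct tramp_pair *tp) {
    uintptr_t stub = (uintptr_t)trampoline_stub;
    size_t in_page = stub & (tp->page - 1);
    size_t n = tp->page - in_page;
    if (n > 16) n = 16;
    if (memcmp(tp->code + in_page, (const void *)stub, n) != 0) return 0;
    if ((uint8_t *)tp->data != tp->code + tp->page) return 0;
    closure_data cd = { trampoline_stub, (void *)0x1234 };
    *tp->data = cd;
    return tp->data->fn == trampoline_stub && tp->data->user_data == (void *)0x1234;
}

static void tramp_pair_free(struct tramp_pair *tp) {
    munmap(tp->code, 2 * tp->page);
}

/* Look up the protection string ("r-xp", "rw-p", ...) of the mapping that
   contains addr, as reported by /proc/self/maps. */
static int page_perms(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if ((uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            memcpy(perms, p, 5);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void) {
    struct tramp_pair tp;
    char cp[5] = "", dp[5] = "";
    if (tramp_pair_alloc(&tp) != 0) return 1;
    int ok = tramp_pair_verify(&tp);
    page_perms(tp.code, cp);
    page_perms(tp.data, dp);
    printf("code page %p %s, data page %p %s, verify=%d\n",
           (void *)tp.code, cp, (void *)tp.data, dp, ok);
    tramp_pair_free(&tp);
    return ok ? 0 : 1;
}
```

Each additional closure would repeat `tramp_pair_alloc`, remapping the same file page again: no writable+executable region is ever created, and since the code page's bytes come from the file rather than from a store by the process, there is no instruction-cache invalidation for user space to perform.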