[LLVMdev] mmap and vm_protect on ARM+Apple systems
David.Chisnall at cl.cam.ac.uk
Sat Nov 17 09:55:33 PST 2012
On 17 Nov 2012, at 00:12, Kaylor, Andrew wrote:
> My best guess is that this is trying to set up something that’s actually backed by two pages where whatever is written to the RW page will be copied to the RX page, though if that’s possible it would seem to defeat the purpose of not allowing RWX.
The correct way of implementing this is to have one physical page mapped to two locations in virtual memory. One is writeable, the other is read + execute. This does not defeat the point of W^X, because you must find both pointers to be able to exploit it, rather than just one. This is really how JIT'd memory maps should be created on all platforms, as it allows you to use the memory without significant fragmentation (i.e. you don't need a whole page per function) and it makes it much harder to exploit the JIT'd code.
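The dual-mapping scheme described above, as an added example that is not code from this thread or from LLVM: one anonymous shared object mapped twice, with writes issued only through the RW view and the result checked through the RX view, so no single mapping is ever RWX. It assumes memfd_create (via raw syscall) on Linux or POSIX shm_open elsewhere; the sample bytes are constructed and never executed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

struct dual_map {
    unsigned char *rw;   /* writer's view: PROT_READ | PROT_WRITE, never executable */
    unsigned char *rx;   /* executor's view: PROT_READ | PROT_EXEC, never writable */
    size_t len;
};

/* Anonymous shared object to back the pages. Assumption: memfd_create (via
 * raw syscall) on Linux; shm_open, unlinked at once, on other POSIX systems. */
static int backing_fd(size_t len) {
#ifdef __linux__
    int fd = (int)syscall(SYS_memfd_create, "jit-code", 0);
#else
    char name[32];
    snprintf(name, sizeof name, "/jit-%ld", (long)getpid());
    int fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) shm_unlink(name);   /* object now lives only through fd */
#endif
    if (fd < 0 || ftruncate(fd, (off_t)len) != 0) return -1;
    return fd;
}

/* Map the same object twice: one RW view, one RX view, never RWX. */
int dual_map_create(struct dual_map *m, size_t len) {
    int fd = backing_fd(len);
    if (fd < 0) return -1;
    m->len = len;
    m->rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    m->rx = mmap(NULL, len, PROT_READ | PROT_EXEC,  MAP_SHARED, fd, 0);
    close(fd);   /* both mappings keep the object alive */
    return (m->rw == MAP_FAILED || m->rx == MAP_FAILED) ? -1 : 0;
}

/* Emit through the RW pointer only, then confirm the bytes show up at the
 * RX pointer. Returns 1 when both views expose the same physical page. */
int dual_map_demo(void) {
    static const unsigned char sample[] = { 0x11, 0x22, 0x33, 0x44 }; /* constructed, not executed */
    struct dual_map m;
    if (dual_map_create(&m, 4096) != 0) return 0;
    memcpy(m.rw, sample, sizeof sample);
    int ok = (m.rw != m.rx) && memcmp(m.rx, sample, sizeof sample) == 0;
    munmap(m.rw, m.len); munmap(m.rx, m.len);
    return ok;
}
```

An attacker who only finds the RX pointer cannot write, and one who only finds the RW pointer cannot execute, which is the property the message relies on.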