[LLVMdev] mmap and vm_protect on ARM+Apple systems

David Chisnall David.Chisnall at cl.cam.ac.uk
Tue Nov 27 01:26:00 PST 2012

On 27 Nov 2012, at 01:20, Jim Grosbach wrote:

> They work by allocating RW memory, then switching the permissions to RX before running any code stored there. That requires special process permissions.

Is this really required?  The canonical way of getting around this restriction is to mmap the same physical page as RW in one location and RX in another.  I've not tested this on ARM/Darwin, but it works on every R^X platform I've tried.  You can then publish the address of the RX page and keep the RW page private inside the JIT, which makes exploiting the writeable-and-executable page very hard for malicious code because it needs to find both virtual addresses.


More information about the llvm-dev mailing list