[LLVMdev] mmap and vm_protect on ARM+Apple systems

John Criswell criswell at illinois.edu
Tue Nov 27 07:03:04 PST 2012

On 11/27/12 3:26 AM, David Chisnall wrote:
> On 27 Nov 2012, at 01:20, Jim Grosbach wrote:
>> They work by allocating RW memory, then switching the permissions to RX before running any code stored there. That requires special process permissions.
> Is this really required?  The canonical way of getting around this restriction is to mmap the same physical page as RW in one location and RX in another.  I've not tested this on ARM/Darwin, but it works on every R^X platform I've tried.  You can then publish the address of the RX page and keep the RW page private inside the JIT, which makes exploiting the writeable-and-executable page very hard for malicious code because it needs to find both virtual addresses.

In this design, is the JIT and the JIT'ed program in the same address 
space/process, or are they in different processes so that the JIT'ed 
code never has access to the RW mapping of the frame?

If they're in the same process/address space (i.e., the JIT'ed program 
does have access to the RW mapped page), then I think the argument that 
having to guess two addresses to make an exploit work is a very weak 
protection (especially since I would expect the JIT to arrange the 
virtual address space so that fast bit masking could be used to compute 
the RX address from the RW address and vice versa).

-- John T.

> David
> _______________________________________________
> LLVM Developers mailing list
> LLVMdev at cs.uiuc.edu         http://llvm.cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev

More information about the llvm-dev mailing list