From: "jeremyevans0 (Jeremy Evans)" <noreply@ruby-lang.org>
To: ruby-core@ruby-lang.org
Subject: [ruby-core:106367] [Ruby master Bug#18260] YJIT uses insecure mmap protections
Date: Wed, 01 Dec 2021 21:07:49 +0000 (UTC) [thread overview]
Message-ID: <redmine.journal-95002.20211201210749.1604@ruby-lang.org> (raw)
In-Reply-To: redmine.issue-18260.20211021155801.1604@ruby-lang.org
Issue #18260 has been updated by jeremyevans0 (Jeremy Evans).
Status changed from Open to Closed
Fixed by commit:157095b3a44d8b0130a532a0b7be3f5ac197111c
----------------------------------------
Bug #18260: YJIT uses insecure mmap protections
https://bugs.ruby-lang.org/issues/18260#change-95002
* Author: jeremyevans0 (Jeremy Evans)
* Status: Closed
* Priority: Normal
* Assignee: maximecb (Maxime Chevalier-Boisvert)
* Backport: 2.6: DONTNEED, 2.7: DONTNEED, 3.0: DONTNEED
----------------------------------------
YJIT uses `mmap` with `PROT_READ | PROT_WRITE | PROT_EXEC` protections, which reduces security because it makes code injection attacks much easier, as the attacker only needs to be able to write their shellcode to the mapped memory region and then directly jump to the shellcode just written.
The security principle being violated here is referred to as `W^X` (W xor X). Basically, memory can be either writable or executable, but never both at the same.
OpenBSD has disallowed `mmap` with `PROT_WRITE | PROT_EXEC` by default since 2016. NetBSD/Linux with PaX MPROTECT disallows this as well, as does SELinux unless you enable `allow_execmem`.
Fixing this generally involves initially mapping pages with `PROT_READ | PROT_WRITE`, and after writing executable code, using `mprotect` to switch to `PROT_READ | PROT_EXEC`. This is the approach that Firefox takes for their Javascript engine starting in Firefox 46. This makes code injection attacks more difficult as an attacker either cannot write the shellcode (if mapped `PROT_READ | PROT_EXEC`), or cannot jump directly to the shellcode after writing (if mapped `PROT_READ | PROT_WRITE`).
--
https://bugs.ruby-lang.org/
prev parent reply other threads:[~2021-12-01 21:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-21 15:58 [ruby-core:105737] [Ruby master Bug#18260] YJIT uses insecure mmap protections jeremyevans0 (Jeremy Evans)
2021-10-21 20:34 ` [ruby-core:105741] " maximecb (Maxime Chevalier-Boisvert)
2021-12-01 21:07 ` jeremyevans0 (Jeremy Evans) [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.ruby-lang.org/en/community/mailing-lists/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=redmine.journal-95002.20211201210749.1604@ruby-lang.org \
--to=ruby-core@ruby-lang.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).