On 9/23/20 9:39 AM, Florian Weimer wrote: > * Solar Designer: > >> While I share my opinion here, I don't mean that to block Madhavan's >> work. I'd rather defer to people more knowledgeable in current userland >> and ABI issues/limitations and plans on dealing with those, especially >> to Florian Weimer. I haven't seen Florian say anything specific for or >> against Madhavan's proposal, and I'd like to. (Have I missed that?) > > There was a previous discussion, where I provided feedback (not much > different from the feedback here, given that the mechanism is mostly the > same). > > I think it's unnecessary for the libffi use case. Precompiled code can > be loaded from disk because the libffi trampolines are so regular. On > most architectures, it's not even the code that's patched, but some of > the data driving it, which happens to be located on the same page due to > a libffi quirk. > > The libffi use case is a bit strange anyway: its trampolines are > type-generic, and the per-call adjustment is data-driven. This means > that once you have libffi in the process, you have a generic > data-to-function-call mechanism available that can be abused (it's even > fully CET compatible in recent versions). And then you need to look at > the processes that use libffi. A lot of them contain bytecode > interpreters, and those enable data-driven arbitrary code execution as > well. I know that there are efforts under way to harden Python, but > it's going to be tough to get to the point where things are still > difficult for an attacker once they have the ability to make mprotect > calls. > > It was pointed out to me that libffi is doing things wrong, and the > trampolines should not be type-generic, but generated so that they match > the function being called. That is, the marshal/unmarshal code would be > open-coded in the trampoline, rather than using some generic mechanism > plus run-time dispatch on data tables describing the function type. > That is a very different design (and typically used by compilers (JIT or > not JIT) to implement native calls). Mapping some code page with a > repeating pattern would no longer work to defeat anti-JIT measures > because it's closer to real JIT. I don't know if kernel support could > make sense in this context, but it would be a completely different > patch. > > Thanks, > Florian > Hi Florian, I am making myself familiar with anti-JIT measures before I can respond to this comment. Bear with me. I will also respond to the above libffi comment. Madhavan