Re: [tor-bugs] #21011 [Applications/Tor Browser Sandbox]: Disable JavaScript JIT
#21011: Disable JavaScript JIT
----------------------------------------------+-------------------------
Reporter: cypherpunks | Owner: yawning
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Resolution:
Keywords: sandbox-security | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------------+-------------------------
Comment (by cypherpunks):
Replying to [comment:1 yawning]:
> FF46 does fix the issue with MPROTECT, but we won't get the benefit of
> that till ESR52.
Are you sure it does? From what I read, the old behavior was creating an
RWX mapping, filling it with JITed bytecode, then executing it. FF46 allows
this to work with W!^X by creating an RW mapping, filling it, then making
it RX and executing it with the `AutoWritableJitCode` RAII class,
according to
https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/.
But PAX_MPROTECT is much more aggressive than OpenBSD's
implementation (which merely prevents RWX mappings from being created).
PAX_MPROTECT additionally prevents a process from making an RW mapping
executable again:
{{{
$ cat | gcc -x c -
#include <sys/mman.h>
#include <stdlib.h>
#include <stdio.h>

int main(void)
{
    char *m;
    int r;

    /* Map one anonymous page read-write. */
    m = mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    perror("mmap");
    if (m == MAP_FAILED)
        exit(1);

    /* Then try to make the same page read-execute. */
    r = mprotect(m, 4096, PROT_READ|PROT_EXEC);
    perror("mprotect");
    if (r == -1)
        exit(1);
    return 0;
}
$ ./a.out
mmap: Success
mprotect: Permission denied
$ setfattr -n user.pax.flags -v m ./a.out
$ ./a.out
mmap: Success
mprotect: Success
}}}
Unless my understanding of how Firefox deals with OpenBSD's W!^X
protections is totally off, then it seems to me like it would not play
nicely with PAX_MPROTECT.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21011#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
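
The distinction drawn in the comment above, as an added example that is not part of the original post or of any Firefox or Tor Browser code: a probe that tries both an RWX mapping and an RW-to-RX transition and labels which of the described policies the running kernel applies to the process. The function names and policy labels are assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>

enum jit_policy {
    POLICY_PERMISSIVE,  /* RWX and RW->RX both allowed */
    POLICY_NO_RWX,      /* RWX refused, RW->RX allowed (W^X as described for OpenBSD) */
    POLICY_NO_NEW_EXEC  /* RW->RX refused (PAX_MPROTECT as described in the comment) */
};

/* Pre-FF46 style: one mapping that is writable and executable at once. */
static int probe_rwx_mapping(void)
{
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return 0;
    munmap(m, 4096);
    return 1;
}

/* FF46 style: create an RW mapping, then flip it to RX. -1 = could not test. */
static int probe_rw_to_rx(void)
{
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    int ok = mprotect(m, 4096, PROT_READ | PROT_EXEC) == 0;
    munmap(m, 4096);
    return ok;
}

/* Refusing RW->RX is the stricter policy, so it is checked first. */
static enum jit_policy classify(int rwx_ok, int rw_to_rx_ok)
{
    if (!rw_to_rx_ok)
        return POLICY_NO_NEW_EXEC;
    return rwx_ok ? POLICY_PERMISSIVE : POLICY_NO_RWX;
}

int main(void)
{
    static const char *const names[] = {
        "permissive", "no RWX mappings", "no RW->RX transition" };
    int rwx = probe_rwx_mapping(), flip = probe_rw_to_rx();
    if (flip < 0) { perror("mmap"); return 1; }
    printf("RWX mmap: %s, RW->RX mprotect: %s => %s\n", rwx ? "ok" : "denied",
           flip ? "ok" : "denied", names[classify(rwx, flip)]);
    return 0;
}
```

A W^X JIT of the kind the comment describes needs the RW-to-RX step, so only the first two results leave it able to run.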