Security: Feature request: W^X Compatibility
Reported by shawn.w...@hardenedbsd.org, Mar 15 2016
Issue description

VULNERABILITY DETAILS
This is not a vulnerability, but rather a feature request. Chromium's JIT creates and utilizes RWX pages in memory. Creating RWX pages is incompatible with operating systems utilizing strong memory protections. Firefox 46 introduces a JIT that is W^X compatible. Chromium should follow suit. An attacker could [ab]use RWX pages in order to inject and execute arbitrary code.

Attached is the output of `procstat -v PidOfChromium` on HardenedBSD 11-CURRENT/amd64.

VERSION
Chrome Version: All
Operating System: All (issue reporter is using HardenedBSD 11-CURRENT/amd64)

REPRODUCTION CASE
Instructions are for FreeBSD/HardenedBSD, as that is the operating system the issue reporter is familiar with.

Install chromium: pkg install chromium
Set this sysctl: sysctl kern.ipc.shm_allow_removed=1
Launch chromium: chrome
Notice it creates RWX pages: procstat -v $(pgrep chrome | head -n 1) | grep rwx
Mar 16 2016
There are multiple bugs about other rwx sections, but I don't know if this is feasible at all.

> Can this feature request be marked as public, please?

Sure.
Mar 16 2016
> I don't know if this is feasible at all.

I've never dived into Chromium's code, but here is how Firefox approached it: http://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/

I have no clue if the same underlying technique would/could apply to Chromium.
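The W^X-compatible JIT pattern referred to in the comment above (map code pages writable, emit, then flip them to executable so no page is ever W and X at the same time), as an added example written for this page; it is not code from Chromium, Firefox or the reporter. It assumes a POSIX mmap/mprotect interface and an x86-64 or AArch64 CPU; the machine-code bytes for `return 42` are hand-encoded here, and the `kernel_allows_rwx()` probe is an added helper that reproduces the reporter's complaint (an RWX anonymous mapping) in a form that can be checked programmatically rather than via procstat.

```c
/* Added example: a minimal JIT that never holds an RWX mapping.
 * Assumes POSIX mmap/mprotect and x86-64 or AArch64. */
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*jit_fn)(void);

/* Hand-encoded machine code for `return 42;` (assumption: these two ISAs only). */
#if defined(__x86_64__)
static const uint8_t kCode[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                 0xC3 };                         /* ret         */
#elif defined(__aarch64__)
static const uint8_t kCode[] = { 0x40, 0x05, 0x80, 0x52,         /* movz w0, #42 */
                                 0xC0, 0x03, 0x5F, 0xD6 };       /* ret          */
#else
#error "example supports x86-64 and AArch64 only"
#endif

/* W^X-compatible JIT: RW while writing, RX while running, never RWX.
 * Returns the JIT'd function's result, or -1 if any step fails. */
int jit_wx(void) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t len = (size_t)page;

    /* 1. Map the code buffer writable but not executable. */
    uint8_t *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;

    /* 2. Emit code while the page is writable. */
    memcpy(buf, kCode, sizeof kCode);

    /* 3. Drop write and add execute in one step; a W^X kernel permits this
     *    because the page is never writable and executable at once. */
    if (mprotect(buf, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, len);
        return -1;
    }
    /* Cores with split I/D caches (AArch64) need the new code made visible
     * to instruction fetch; on x86-64 this is a no-op. */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof kCode);

    /* 4. Call the generated code. The uintptr_t hop silences the
     *    object-pointer-to-function-pointer diagnostic. */
    jit_fn fn = (jit_fn)(uintptr_t)buf;
    int result = fn();

    munmap(buf, len);
    return result;
}

/* The pattern the bug report objects to: a single RWX anonymous mapping.
 * A kernel that enforces W^X refuses this mmap(), which is exactly what
 * breaks a JIT that relies on RWX pages. Returns 1 if the kernel handed
 * out RWX, 0 if it refused (or on any other failure). */
int kernel_allows_rwx(void) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return 0;
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, (size_t)page);
    return 1;
}

int main(void) {
    printf("W^X JIT result: %d\n", jit_wx());
    printf("kernel allows RWX anonymous mappings: %s\n",
           kernel_allows_rwx() ? "yes" : "no");
    return 0;
}
```

On a stock Linux or FreeBSD kernel `kernel_allows_rwx()` reports `yes`, while `jit_wx()` returns 42 on both hardened and unhardened kernels; that difference is the whole point of the request. The toggle shown here is the simplest form; a production JIT also has to handle the window between step 2 and step 3 (a writable code page is a patching target for any write primitive an attacker already holds), which is why the Firefox post discusses keeping the writable window as short as possible.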
Mar 17 2017
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by shawn.w...@hardenedbsd.org, Mar 15 2016