
Issue 595110 link

Starred by 3 users

Issue metadata

Status: Archived
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




Security: Feature request: W^X Compatibility

Reported by shawn.w...@hardenedbsd.org, Mar 15 2016

Issue description

VULNERABILITY DETAILS
This is not a vulnerability, but rather a feature request. Chromium's JIT creates and utilizes RWX pages in memory. Creating RWX pages is incompatible with operating systems utilizing strong memory protections. Firefox 46 introduces a JIT that is W^X compatible. Chromium should follow suit.

An attacker could [ab]use RWX pages in order to inject and execute arbitrary code.

Attached is the output of `procstat -v PidOfChromium` on HardenedBSD 11-CURRENT/amd64.

VERSION
Chrome Version: All
Operating System: All (issue reporter is using HardenedBSD 11-CURRENT/amd64)

REPRODUCTION CASE
Instructions are for FreeBSD/HardenedBSD, as that is the operating system the issue reporter is familiar with.
Install chromium: pkg install chromium
Set this sysctl: sysctl kern.ipc.shm_allow_removed=1
Launch chromium: chrome
Notice it creates RWX pages: procstat -v $(pgrep chrome | head -n 1) | grep rwx
Attachment: 2016-03-15_chromium_mappings.txt (56.4 KB)

Can this feature request be marked as public, please?

Comment 2 by mea...@chromium.org, Mar 16 2016

Cc: rickyz@chromium.org
Components: Security
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
There are multiple bugs about other rwx sections, but I don't know if this is feasible at all.

> Can this feature request be marked as public, please?
Sure.



> I don't know if this is feasible at all.

I've never dived into Chromium's code, but here is how Firefox approached it:

http://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/

I have no clue if the same underlying technique would/could apply to Chromium.

Comment 4 by sheriffbot@chromium.org, Mar 17 2017

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
