Close the remaining JIT spray gap in the syscall rewrite fast-path by hardening executable promotion instead of patching runtime-generated code in place.

This change keeps the earlier origin-map sealing and shared-file alias protections, then finishes the runtime side of the threat model:

- reject writable-plus-executable mappings in trap/rewrite mode
- reject executable promotion of shared writable file aliases by backing object overlap, not just VMA shape
- scan writable-to-executable promotions and fail closed when the promoted region contains syscall instructions
- require the rewrite security guest probes during integration when rewrite mode is available

The scan-on-X path is intentionally conservative. For aarch64 it reuses the existing SVC site detector. For x86_64 it performs a raw byte sweep for 0f 05 and 0f 34 so hidden misaligned syscall encodings are blocked too, rather than relying only on instruction-boundary decoding.

The mprotect hook now applies in both active rewrite runtime and x86_64 trap fallback. That matters on node1, where --syscall-mode=rewrite still falls back to trap in release builds; the JIT spray boundary must still be enforced there.

Change-Id: I01f3000b8b1d94e1b1ed300ff18b352eb496416a
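The promotion policy described in the commit message, as an added example that is not the project's code: a raw byte sweep for the 0f 05 and 0f 34 encodings at every byte offset, plus a W+X / RW→RX gate built on it. The function names, the verdict enum and the sample byte regions are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

/* Raw byte sweep for the x86_64 syscall (0f 05) and sysenter (0f 34)
 * encodings at every byte offset, so an encoding hidden inside another
 * instruction's immediate is found as well. Returns the offset of the
 * first hit, or -1 if the region is clean. */
long find_syscall_site(const uint8_t *p, size_t len) {
    for (size_t i = 0; i + 1 < len; i++) {
        if (p[i] == 0x0f && (p[i + 1] == 0x05 || p[i + 1] == 0x34))
            return (long)i;
    }
    return -1;
}

enum promote_verdict { PROMOTE_ALLOW, PROMOTE_DENY_WX, PROMOTE_DENY_SYSCALL };

/* Policy for an mprotect(old_prot -> new_prot) over [region, region+len):
 * refuse W+X outright, and fail closed on a writable-to-executable
 * promotion whose bytes contain a syscall site. Hypothetical name. */
enum promote_verdict check_exec_promotion(int old_prot, int new_prot,
                                          const uint8_t *region, size_t len) {
    if ((new_prot & PROT_WRITE) && (new_prot & PROT_EXEC))
        return PROMOTE_DENY_WX;
    bool was_writable = (old_prot & PROT_WRITE) != 0;
    bool becomes_exec = !(old_prot & PROT_EXEC) && (new_prot & PROT_EXEC);
    if (was_writable && becomes_exec && find_syscall_site(region, len) >= 0)
        return PROMOTE_DENY_SYSCALL;
    return PROMOTE_ALLOW;
}

/* Constructed sample regions (not from the project). The first hides
 * 0f 05 inside the immediate of "mov eax, 0x50f", which an
 * instruction-boundary decoder alone would never report. */
static const uint8_t sample_hidden[] = {0xb8, 0x0f, 0x05, 0x00, 0x00, 0xc3}; /* mov eax,0x50f ; ret */
static const uint8_t sample_clean[]  = {0x48, 0x31, 0xc0, 0xc3};             /* xor rax,rax ; ret */

int main(void) {
    printf("hidden site at offset %ld\n",
           find_syscall_site(sample_hidden, sizeof sample_hidden));
    printf("RW->RX over hidden region: verdict %d\n",
           check_exec_promotion(PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC,
                                sample_hidden, sizeof sample_hidden));
    return 0;
}
```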
Summary by cubic
Hardens executable promotion in rewrite and x86_64 trap paths to close the remaining JIT spray gap. RW→RX promotions are now scanned for syscall sites, and shared-file executable aliases are blocked at mmap/mprotect time.
`run-tests.sh` probes rewrite support; requires `jit-spray-test` and `jit-alias-test` when available; auto-skips on x86_64 ASAN; fails when rewrite mode is unavailable. Written for commit 0000597.