RFR (S) 8023956: Provide a work-around to broken Linux 32 bit "Exec Shield" using CS for NX emulation (crashing with SI_KERNEL)
Florian Weimer
fweimer at redhat.com
Mon Sep 2 04:57:45 PDT 2013
On 09/02/2013 01:18 PM, David Simms wrote:
> G'day all,
>
> Please review a small enhancement for working around a rare but annoying
> Linux bug (ia32 only).
>
> Bug link: https://bugs.openjdk.java.net/browse/JDK-8023956 (
> http://bugs.sun.com/view_bug.do?bug_id=8023956)
>
> Webrev: http://cr.openjdk.java.net/~dsimms/8023956/
This needs at least a compiler barrier between the write and the
function call:
+ // Some code to exec: the 'ret' instruction
+ codebuf[0] = 0xC3;
+
+ // Call it and ret
+ void (*fn)(void) = (void (*)(void)) codebuf;
+ fn();
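Review bot: the store `codebuf[0] = 0xC3;` and the indirect call `fn();` have nothing between them that stops the compiler from treating the store as unobserved by the call; put an explicit compiler barrier such as `__asm__ __volatile__("" ::: "memory");` after the store, or make the store through a `volatile unsigned char *`, so the byte is guaranteed to be in memory before control transfers to it. The cast `(void (*)(void)) codebuf` also converts an object pointer straight to a function pointer, which is not conforming C; casting through `uintptr_t` (or copying the pointer value with memcpy into `fn`) keeps the intent explicit and quiets pedantic warnings.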
Not sure if a memory barrier is needed as well.
+ munmap(codebuf, page_size);
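Review bot: `munmap(codebuf, page_size);` ignores the return value; munmap can fail (EINVAL on a bad address or length), so the result should be checked and at least warned about, otherwise the workaround silently leaves the executable page mapped for the life of the process.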
I assume the implicit assumption here is that the CS limit is not rolled
back due to this call (and it makes this whole exercise a NOP on
NX-capable hardware).
+ * Work-around for broken NX emulation using CS limit, RedHat patch
"Exec-Shield"
It's spelled "Red Hat". :-)
Do you have a reproducer for this problem? I'm surprised we haven't got
something similar in IcedTea.
--
Florian Weimer / Red Hat Product Security Team
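The probe quoted in the review above (map a page, write a `ret` into it, call it, unmap it) with the points raised in this thread applied: the mmap result is checked, a compiler barrier sits between the store and the call, the object-to-function pointer cast goes through `uintptr_t`, and the munmap result is not discarded. This is an added example written for this page, not the webrev's code; the function name `probe_exec_page`, the return codes and the `main` wrapper are this example's own. It only shows the safe shape of the probe; whether executing from a fresh mapping changes the Exec Shield CS limit is the patch's claim and is not something this example verifies.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return codes for probe_exec_page() (names chosen for this example). */
enum {
    PROBE_OK = 0,
    PROBE_MMAP_FAILED = 1,
    PROBE_UNSUPPORTED_ARCH = 2,
    PROBE_MUNMAP_FAILED = 3
};

/* Map one anonymous page, write a single 'ret' into it, execute it, unmap it.
 * Returns PROBE_OK on success or one of the codes above on failure. */
static int probe_exec_page(void)
{
#if defined(__i386__) || defined(__x86_64__)
    long page_size = sysconf(_SC_PAGESIZE);
    if (page_size <= 0)
        return PROBE_MMAP_FAILED;

    /* The page must be writable (to store the byte) and executable (to run it).
     * mmap signals failure with MAP_FAILED, not NULL. */
    unsigned char *codebuf = mmap(NULL, (size_t)page_size,
                                  PROT_READ | PROT_WRITE | PROT_EXEC,
                                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (codebuf == MAP_FAILED)
        return PROBE_MMAP_FAILED;

    /* Some code to exec: the 'ret' instruction (0xC3 on i386 and x86-64). */
    codebuf[0] = 0xC3;

    /* Compiler barrier: an empty asm with a "memory" clobber forbids the
     * compiler from moving or dropping the store relative to the call below. */
    __asm__ __volatile__("" ::: "memory");

    /* Call the one-byte routine. Going through uintptr_t makes the
     * object-pointer-to-function-pointer conversion explicit. */
    void (*fn)(void) = (void (*)(void))(uintptr_t)codebuf;
    fn();

    /* munmap can fail; report it instead of leaving the page mapped silently. */
    if (munmap(codebuf, (size_t)page_size) != 0)
        return PROBE_MUNMAP_FAILED;
    return PROBE_OK;
#else
    /* 0xC3 is 'ret' only on x86; executing it elsewhere would be undefined,
     * so the probe is skipped rather than guessed. */
    return PROBE_UNSUPPORTED_ARCH;
#endif
}

int main(void)
{
    int rc = probe_exec_page();
    printf("probe_exec_page() -> %d\n", rc);
    return rc == PROBE_OK ? 0 : 1;
}
```

Build with `gcc -O2 -Wall probe.c -o probe`; on an x86 Linux host the probe returns 0, and on other architectures it returns 2 without executing anything. The `_GNU_SOURCE` define is there so `MAP_ANONYMOUS` is visible under a strict `-std=c99` build.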