RFR (S) 8023956: Provide a work-around to broken Linux 32 bit "Exec Shield" using CS for NX emulation (crashing with SI_KERNEL)

Florian Weimer fweimer at redhat.com
Mon Sep 2 04:57:45 PDT 2013


On 09/02/2013 01:18 PM, David Simms wrote:
> G'day all,
>
> Please review a small enhancement for working around a rare but annoying
> Linux bug (ia32 only).
>
> Bug link: https://bugs.openjdk.java.net/browse/JDK-8023956 (
> http://bugs.sun.com/view_bug.do?bug_id=8023956)
>
> Webrev: http://cr.openjdk.java.net/~dsimms/8023956/

This needs at least a compiler barrier between the write and the 
function call:

+  // Some code to exec: the 'ret' instruction
+  codebuf[0] = 0xC3;
+
+  // Call it and ret
+  void (*fn)(void) = (void (*)(void)) codebuf;
+  fn();
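Review bot: the store `codebuf[0] = 0xC3;` and the indirect call `fn();` need an explicit compiler barrier between them (for example `__asm__ __volatile__("" ::: "memory");` right before the call) rather than relying on the compiler treating the call through a pointer derived from `codebuf` as touching those bytes. Separately, `(void (*)(void)) codebuf` converts an object pointer to a function pointer, which ISO C and C++ leave undefined and which some compilers warn about; copying the pointer value into a `void (*)(void)` with `memcpy` expresses the same thing without the cast. The lines shown do not include where `codebuf` is allocated, so the mapping's protection flags and a `MAP_FAILED` check should be confirmed in the surrounding context.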

Not sure if a memory barrier is needed as well.

+  munmap(codebuf, page_size);
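Review bot: the return value of `munmap` is ignored; if it fails, the page that was just executed stays mapped for the life of the process without any diagnostic. At least assert on it in debug builds or warn. If the mapping is created writable and executable in one step, consider mapping it read+write, writing the `ret`, and flipping it to `PROT_READ | PROT_EXEC` with `mprotect` before the call, so there is never a writable and executable page even briefly.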

I assume the implicit assumption here is that the CS limit is not rolled 
back due to this call (and it makes this whole exercise a NOP on 
NX-capable hardware).

+   * Work-around for broken NX emulation using CS limit, RedHat patch 
"Exec-Shield"
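Review bot: the comment should spell "Red Hat" and say enough for a future reader to recognise the problem: the symptom this works around (a crash with `SI_KERNEL`, per the bug title), the bug id JDK-8023956, and whether the call is intentionally a no-op on hardware with real NX, as the discussion assumes.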

It's spelled "Red Hat". :-)

Do you have a reproducer for this problem?  I'm surprised we haven't got 
something similar in IcedTea.

-- 
Florian Weimer / Red Hat Product Security Team

