YJIT uses insecure mmap protections
PROT_READ | PROT_WRITE | PROT_EXEC protections, which reduces security because it makes code injection attacks much easier, as the attacker only needs to be able to write their shellcode to the mapped memory region and then directly jump to the shellcode just written.
The security principle being violated here is referred to as
W^X (W xor X). Basically, memory can be either writable or executable, but never both at the same.
OpenBSD has disallowed
PROT_WRITE | PROT_EXEC by default since 2016. NetBSD/Linux with PaX MPROTECT disallows this as well, as does SELinux unless you enable
Fixing this generally involves initially mapping pages with
PROT_READ | PROT_WRITE, and after writing executable code, using
mprotect to switch to
PROT_READ | PROT_EXEC), or cannot jump directly to the shellcode after writing (if mapped
PROT_READ | PROT_WRITE).
Updated by maximecb (Maxime Chevalier-Boisvert) 7 months ago
We can look into this. The downside is that YJIT does a lot of code patching, so this would presumably involve two system calls every time YJIT needs to generate code. Hopefully the performance impact will be relatively minimal.