"static_wrapper" imports in the FFI
twhitehead at gmail.com
Wed Mar 17 11:21:21 EDT 2010
On March 16, 2010 20:01:32 Iavor Diatchki wrote:
> Optionally disabling executable heap blocks would be a separate patch.
> As far as I know, the only reason that the heap is executable is to
> support the adjustor thunks used to implement "wrapper" imports. The
> "static_wrapper" patch provides a way to install Haskell callbacks in
> many C libraries without the need for adjustor thunks.
I believe this is the code in "rts/Adjustor.c" and "rts/sm/Storage.c". It (or
it gets ffi to) write a small bit of assembler that adds a hard coded pointer
(to a StablePtr) to the argument list and jump to a hard coded address. It
then has to fiddle with the executable bits on the memory page it wrote the
code into in order to allow the system the execute it.
This leaves me to ask though, could you not also tighten up the security here
by just getting the the system to turn off the writable bit when it also turns
on the executable one? I realize this implies that you will only get one of
these per page, but still that might not be that bad if you don't generate
very many and recycle them.
As a compromise, you could also just temporarily make pages writable when you
add to them, thus greatly minimizing the attack window. If you could get the
OS could freeze all other threads while doing this there would be no window.
If there generation and usage is/could be localized to OS threads, then
modification would always be safe if OS thread works on their own page.
I scanned the ghc source (all c, h, cmm, hs, and lhs files), and the only usage
of import "wrappers" seems to be in System.Console.Terminfo.Base.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://www.haskell.org/pipermail/glasgow-haskell-users/attachments/20100317/48515c5d/attachment.bin
More information about the Glasgow-haskell-users