On Thu, 11 Nov 2021 15:30:29 GMT, Alan Hayward <d...@openjdk.java.net> wrote:
> Am I right in saying that for Macos, all generated code is remapped RO before
> execution?

Ah, no, it seems the code cache is not RWX all the time as far as Java threads are concerned. The Macos/AArch64 code is strategically calling pthread_jit_write_protect_np at Java <-> JVM transition points. That ensures that executable regions are executable but not writable (RX) from a Java thread when running JITted Java code and are writable but not executable (RW) when it calls into JVM code.

> An additional concern I have is that if the globals data was attacked then
> the UseROPProtection flag could be flipped, and all code after that point
> would be generated without ROP protection. Marking all the globals data as RO
> would fix that. Alternatively remove UseROPProtection and then in the
> macroassembler always generate PAC code, using just the subset of
> instructions that are NOPs on non-PAC hardware. Or alternatively only
> generate PAC code based on a #define set at build time. Each option has its
> own downsides.

Globals data can legitimately be written during JVM startup (perhaps in some cases also during execution?). So, they cannot simply be marked as RO.

I am not sure this concern is really warranted. If an attacker is already able to overwrite UseROPProtection then a concern over the resulting omission of JITted ROP protection seems like attending to the loud banging of the stable door while Shergar has already been diced into stew meat.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6334