On Fri, 19 Apr 2024 07:44:17 GMT, Richard Reingruber <rr...@openjdk.org> wrote:
>> An alternative for preemptively switching the W^X thread mode on macOS with >> an AArch64 CPU. This implementation triggers the switch in response to the >> SIGBUS signal if the *si_addr* belongs to the CodeCache area. With this >> approach, it is now feasible to eliminate all WX guards and avoid >> potentially costly operations. However, no significant improvement or >> degradation in performance has been observed. Additionally, considering the >> issue with AsyncGetCallTrace, the patched JVM has been successfully operated >> with [asgct_bottom](https://github.com/parttimenerd/asgct_bottom) and >> [async-profiler](https://github.com/async-profiler/async-profiler). >> >> Additional testing: >> - [x] MacOS AArch64 server fastdebug *gtets* >> - [ ] MacOS AArch64 server fastdebug *jtreg:hotspot:tier4* >> - [ ] Benchmarking >> >> @apangin and @parttimenerd could you please check the patch on your >> scenarios?? > > What about granting `WXWrite` only if the current thread is in > `_thread_in_vm`? > That would be more restrictive and roughly equivalent how it currently works. > Likely there are some places then that should be granted `WXWrite` eagerly > because they need `WXWrite` without `_thread_in_vm`. E.g. the JIT compiler > threads should have `WXWrite` and never `WXExec` (I assume) which should be > checked in the signal handler. The patch doesn't protect against native agents, as this is obviously impossible. The current code doesn't do that either. For the bytecode, it doesn't prevent the attacker from abusing unsafe api to modify code cache. However unsafe functions are already considered "safe" and we proactively enable WXWrite as well as move thread to `_thread_in_vm` state (@reinrich). JITed code can't write to the cache either with or without the patch. I totally get the sense of loss of security. But is this really the case? ------------- PR Comment: https://git.openjdk.org/jdk/pull/18762#issuecomment-2071988941
