[tor-bugs] #21011 [Applications/Tor Browser Sandbox]: Disable JavaScript JIT

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 20 08:12:46 UTC 2016


#21011: Disable JavaScript JIT
----------------------------------------------+-------------------------
 Reporter:  cypherpunks                       |          Owner:  yawning
     Type:  enhancement                       |         Status:  new
 Priority:  Medium                            |      Milestone:
Component:  Applications/Tor Browser Sandbox  |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:  sandbox-security                  |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+-------------------------

Comment (by cypherpunks):

 Replying to [comment:1 yawning]:
 > FF46 does fix the issue with MPROTECT, but we won't get the benefit of
 > that till ESR52.

 Are you sure it does? From what I read, the old behavior was creating an
 RWX mapping, filling it with JITed bytecode, then executing it. FF46 allows
 this to work with W^X by creating an RW mapping, filling it, then making
 it RX and executing it with the `AutoWritableJitCode` RAII class,
 according to https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/.
 But PAX_MPROTECT is much more aggressive than OpenBSD's
 implementation (which merely prevents RWX mappings from being created).
 PAX_MPROTECT additionally prevents a process from making an RW mapping
 executable again:

 {{{
 $ cat | gcc -x c -
 #include <sys/mman.h>
 #include <stdlib.h>
 #include <stdio.h>

 int main(void)
 {
     char *m;
     int r;

     /* Step 1: a plain RW anonymous page, as a W^X JIT would allocate. */
     m = mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
     perror("mmap");
     if (m == MAP_FAILED)
         exit(1);

     /* Step 2: flip it to RX; this is the transition PAX_MPROTECT refuses. */
     r = mprotect(m, 4096, PROT_READ|PROT_EXEC);
     perror("mprotect");
     if (r == -1)
         exit(1);
     return 0;
 }

 $ ./a.out
 mmap: Success
 mprotect: Permission denied

 $ setfattr -n user.pax.flags -v m ./a.out

 $ ./a.out
 mmap: Success
 mprotect: Success
 }}}

 Unless my understanding of how Firefox deals with OpenBSD's W^X
 protections is totally off, then it seems to me like it would not play
 nicely with PAX_MPROTECT.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21011#comment:10>
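As an added illustration (not code from the ticket or from Firefox), the program below probes the RW-to-RX transition the comment describes and contrasts it with the dual-mapping pattern some JITs use to stay compatible with a strict MPROTECT policy: one memfd mapped twice, an RW view for emitting code and an RX view for running it, so no mapping ever changes protection. That this dual mapping is accepted by PAX_MPROTECT is an assumption drawn from the PaX design (it only blocks transitions and writable-executable mappings), not something verified here; `memfd_create` is Linux-specific, and the sample bytes are constructed and never executed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Returns 1 if an RW anonymous page could be flipped to RX (the W^X JIT
 * pattern discussed in the ticket), 0 if mprotect refused it (what a
 * PAX_MPROTECT kernel does), -1 on an unrelated setup error. */
int probe_rw_to_rx(void)
{
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    int ok = mprotect(m, 4096, PROT_READ | PROT_EXEC) == 0;
    munmap(m, 4096);
    return ok;
}

/* Dual-mapping alternative: copies `len` bytes of `code` into the RW view
 * of a memfd and returns 1 if they are visible through the RX view of the
 * same file, 0 on a mismatch, -1 on a setup error. Neither view is ever
 * re-protected, so no RW->RX transition is needed. */
int dual_map_roundtrip(const unsigned char *code, size_t len)
{
    int fd = memfd_create("jit-demo", 0);
    if (fd < 0 || ftruncate(fd, 4096) != 0)
        return -1;
    unsigned char *rw = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    unsigned char *rx = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);
    if (rw == MAP_FAILED || rx == MAP_FAILED) {
        if (rw != MAP_FAILED) munmap(rw, 4096);
        if (rx != MAP_FAILED) munmap(rx, 4096);
        return -1;
    }
    memcpy(rw, code, len);                 /* "emit" through the writable view */
    int same = memcmp(rx, code, len) == 0; /* observe through the executable view */
    munmap(rw, 4096);
    munmap(rx, 4096);
    return same;
}

int main(void)
{
    /* Constructed placeholder bytes standing in for JIT output; not executed. */
    static const unsigned char sample[] = { 0xde, 0xad, 0xbe, 0xef };
    printf("RW->RX mprotect allowed: %d\n", probe_rw_to_rx());
    printf("dual-mapping roundtrip ok: %d\n", dual_map_roundtrip(sample, sizeof sample));
    return 0;
}
```

On a stock kernel the first line prints 1; under PAX_MPROTECT it prints 0 while the second check still succeeds, which is the behavioural difference the ticket is about.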