From 474c2545cbb1af85a326a47e202fe1e6c450b496 Mon Sep 17 00:00:00 2001 From: Johannes Stoelp Date: Sun, 22 Oct 2023 14:24:33 +0200 Subject: Remove write permissions from runtime code buffer after copying jitted code --- src/rt.rs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/rt.rs b/src/rt.rs index 7b5f74b..20d1de7 100644 --- a/src/rt.rs +++ b/src/rt.rs @@ -1,7 +1,7 @@ //! A simple runtime which can be used to execute emitted instructions. use core::ffi::c_void; -use nix::sys::mman::{mmap, munmap, MapFlags, ProtFlags}; +use nix::sys::mman::{mmap, mprotect, munmap, MapFlags, ProtFlags}; /// A simple `mmap`ed runtime with executable pages. pub struct Runtime { @@ -18,7 +18,7 @@ impl Runtime { mmap( None, len, - ProtFlags::PROT_WRITE | ProtFlags::PROT_READ | ProtFlags::PROT_EXEC, + ProtFlags::PROT_WRITE, MapFlags::MAP_PRIVATE | MapFlags::MAP_ANONYMOUS, 0, /* fd */ 0, /* off */ @@ -31,6 +31,11 @@ impl Runtime { assert!(code.len() < len.get()); unsafe { std::ptr::copy_nonoverlapping(code.as_ptr(), buf.cast(), len.get()) }; } + unsafe { + // Remove write permissions from code buffer and allow to read-execute from it. + mprotect(buf, len.get(), ProtFlags::PROT_READ | ProtFlags::PROT_EXEC) + .expect("Failed to RX mprotect Runtime code buffer"); + } Runtime { buf, -- cgit v1.2.3