Fix VTableCallHolder writeable mapping size with W^X#70093
Merged
janvorli merged 1 commit intoJun 1, 2022
Conversation
The size of this holder is dynamic, but when we are creating the writeable mapping of this holder to initialize its code, we don't take that into account. So in case the holder is located at the end of a memory page and crosses its boundary, the writeable mapping covers only the beginning of the holder and so we either crash during the initialization if the following memory page is not mapped or read only, or we corrupt a completely unrelated memory page in case it is mapped and writeable. The fix is to use the real size of the holder instead of sizeof(...).
jkotas
approved these changes
Jun 1, 2022
Member
|
@janvorli Seeing some new (though I think inconsistent) failures in the sdk->installer build for p5 that could be a result of this. May need a backport. |
Member
Author
|
@mmitche I have made this fix based on investigations of the installer issue for p6, I was going to port this to p5 as the issue was there too. |
mangod9
approved these changes
Jun 1, 2022
Member
Author
|
/backport to release/7.0-preview5 |
Contributor
|
Started backporting to release/7.0-preview5: https://github.com/dotnet/runtime/actions/runs/2423701222 |
ghost
locked as resolved and limited conversation to collaborators
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The size of this holder is dynamic, but when we are creating the writeable
mapping of this holder to initialize its code, we don't take that into account.
So in case the holder is located at the end of a memory page and crosses its
boundary, the writeable mapping covers only the beginning of the holder and
so we either crash during the initialization if the following memory page is
not mapped or read only, or we corrupt a completely unrelated memory page
in case it is mapped and writeable.
The fix is to use the real size of the holder instead of sizeof(...).