Not easily. In the past, Firefox would create RWX pages for JIT, put the bytecode into it, then execute it. In order to support W^X in OpenBSD and iOS, Firefox has changed how it behaves, so now it creates an RW page with mmap(), puts bytecode into it, then uses mprotect() to convert it to RX, so it can execute it. This works fine for the W^X implementation on OpenBSD and iOS, but PaX's MPROTECT implementation is much more aggressive, and additionally denies converting writable pages to executable pages.

I wrote a bit about this on the Tor bug tracker:
https://trac.torproject.org/projects/tor/ticket/21011#comment:10

When the mprotect() call fails, Firefox runs its OOM (Out Of Memory) subroutine, which occurs whenever any memory-related functionality fails (even if it's just for JIT, and JIT will be disabled at runtime). This causes Firefox to crash itself.

All the code is a tangled mess. It's rather sad, really. If you wanted to fix it, it'd be best probably just to get the browser to be able to stop trying to allocate RWX pages in the first place when the config is such that JIT will not be used at runtime.

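The RW-then-RX sequence described in the comment above, as an added C example (not Firefox's code and not part of the original comment): a refused mprotect() is reported separately from a failed allocation, so the caller falls back to a non-JIT path instead of aborting. The names `jit_map`, `run` and `interpret`, the status enum and the "return 42" stub bytes are hypothetical and constructed for illustration.

```c
#define _DEFAULT_SOURCE               /* exposes MAP_ANONYMOUS under strict -std= modes */
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed stub: machine code for "return 42"; other CPUs take the fallback. */
#if defined(__x86_64__)
static const unsigned char STUB[] = { 0xB8,0x2A,0,0,0, 0xC3 };  /* mov eax,42; ret */
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40,0x05,0x80,0x52, 0xC0,0x03,0x5F,0xD6 }; /* mov w0,#42; ret */
#else
static const unsigned char STUB[] = { 0 };                      /* no stub available */
#endif

enum jit_status { JIT_OK, JIT_NO_MEMORY, JIT_EXEC_DENIED, JIT_UNSUPPORTED };

/* Hypothetical helper: map RW, copy the code in, then flip the page to RX. */
static enum jit_status jit_map(void **out, size_t len)
{
    if (STUB[0] == 0) return JIT_UNSUPPORTED;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return JIT_NO_MEMORY;   /* a genuine allocation failure */
    memcpy(p, STUB, sizeof STUB);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);              /* policy refusal (e.g. PaX MPROTECT), not OOM */
        return JIT_EXEC_DENIED;
    }
    __builtin___clear_cache((char *)p, (char *)p + sizeof STUB);
    *out = p;
    return JIT_OK;
}

static int interpret(void) { return 42; }        /* stand-in for the non-JIT path */

/* Returns the result; *used_jit reports which path produced it. */
int run(int *used_jit)
{
    void *code = NULL;
    size_t len = 4096;
    *used_jit = (jit_map(&code, len) == JIT_OK);
    if (!*used_jit)
        return interpret();          /* degrade instead of crashing */
    int r = ((int (*)(void))code)();
    munmap(code, len);
    return r;
}

int main(void) { int jit; return run(&jit) == 42 ? 0 : 1; }
```
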