[pcre-dev] [Bug 1749] PCRE-JITted code should be executed fr…

Página Inicial
Delete this message
Autor: admin
Data:  
Para: pcre-dev
Tópicos Antigos: [pcre-dev] [Bug 1749] New: PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction
Assunto: [pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction
https://bugs.exim.org/show_bug.cgi?id=1749

--- Comment #52 from Petr Pisar <ppisar@???> ---
That could work. Maybe the counter could be incremented only in the child only.
That would trigger recompilation in children only and thus affected only them.
I think people usually do not do execute patterns compiled in different
process. Except for heavy parallel text scanners that could do work like that
(compile pattern, then fork process for each processor and commence matching on
different block of data in each process). I remember that Apache httpd does it
and their authors are very sensitive to speed.

I think it does not make sense to ask security experts. Of course they want
high performance but not at the expense of security. Therefore users are given
knobs to disable/enable JIT depending on their preference (security versus
performance).

E.g. Red Hat's resolution on this topic was published in RHEL-7.4 release nores
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/known_issues_compiler_and_tools.html#BZ1290432>.

I have no idea how much the recompilation lowers performance. I think it
depends on exact use case and it cannot be generalized.

--
You are receiving this mail because:
You are on the CC list for the bug.