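/*
 * Trusted half of the JIT install path: checks the `size` bytes at `src`,
 * copies them to `dest` and changes the page protections of `dest`, all
 * while holding `mutext`.
 *
 * src, dest: both are user controlled but must be valid. In the case
 *            described by the author, dest targets a PROT_NONE region.
 * size:      number of bytes to validate and copy.
 *
 * NOTE(review): `mutext` is written without a type in the original listing;
 * its type is not shown, so the parameter is left as written.
 *
 * NOTE(review): src is inspected by ValidateOpcodes() and then read a second
 * time by SafeMemcpy(). Nothing visible here stops another thread from
 * changing src in between, so the bytes that get copied are not guaranteed
 * to be the bytes that were validated. Unless ValidateOpcodes() already
 * works on a private snapshot (confirm), take a snapshot of src in memory
 * the untrusted side cannot write, validate the snapshot, and copy from the
 * snapshot.
 *
 * NOTE(review): the mutex only serializes callers of this function. Between
 * unwriteprotect() and unEXECprotect() dest is presumably writable; confirm
 * that no untrusted thread can store to dest during that window.
 */
void TrustedPart_for_safe_jit(mutext, uint8_t *src, uint8_t *dest, uint32_t size)
{
    MutexLock(mutext);

    /* Uses calls to mmap on size internally. Contains many loops: this is
     * the longest part. */
    ValidateOpcodes(src, size);

    /* Calls many of the sandbox's internal functions. */
    unwriteprotect(dest, size);

    /* The author identifies this call as the one containing the race
     * condition. */
    SafeMemcpy(src, dest, size);

    /* The "memory" clobber makes this a compiler barrier as well as a CPU
     * fence, so the stores above cannot be moved past it if the helpers are
     * ever inlined. __asm__ is used because plain `asm` is not a keyword
     * under strict -std=c11. */
    __asm__ __volatile__("mfence" ::: "memory");

    /* Involves write protecting as well as allowing reading. */
    unEXECprotect(dest, size);

    MutexUnlock(mutext);
}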
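/*
 * Copies `size` bytes from `src` to `dest`. The argument order is
 * (src, dest), the reverse of memcpy().
 *
 * The copy is performed only when CheckUserTarget(dest, size) returns zero;
 * otherwise the function returns without writing anything and without
 * reporting the failure. Per the author, the data to be copied cannot
 * exceed 128Mb.
 *
 * Fixes relative to the original listing: the unbalanced parenthesis in the
 * `if`, the `des` typo, and the loop stride. The original stored 4 bytes per
 * iteration but advanced both pointers by 32, which left most of the range
 * uncopied and could store past the end when size was not a multiple of the
 * stride. The loop now advances by the width it copies and finishes any
 * remainder byte by byte, so exactly `size` bytes are written.
 *
 * NOTE(review): the CheckUserTarget() result and the stores below are
 * separate steps. If the mapping behind dest, or the contents of src, can
 * change while the loop runs, the check no longer describes what is being
 * written. The loop should stay short, but a short window is still a
 * window; the caller has to close it.
 *
 * NOTE(review): the caller cannot tell a refused copy from a completed one
 * and goes on to change dest's protections either way; confirm that is
 * intended.
 */
void SafeMemcpy(uint8_t *src, uint8_t *dest, uint32_t size)
{
    if (CheckUserTarget(dest, size)) {
        return;
    }

    uint8_t *src_ptr = src;
    uint8_t *dest_ptr = dest;
    uint32_t remaining = size;

    /* Counting down `remaining` avoids forming dest + size, which could wrap
     * for a hostile pointer/size pair. */
    while (remaining >= sizeof(uint32_t)) {
        /* NOTE(review): as in the original, these casts assume both pointers
         * are suitably aligned for 32-bit access (or that the target
         * tolerates unaligned access); confirm. */
        *(uint32_t *)dest_ptr = *(uint32_t *)src_ptr;
        dest_ptr += sizeof(uint32_t);
        src_ptr += sizeof(uint32_t);
        remaining -= (uint32_t)sizeof(uint32_t);
    }

    /* Tail of 0..3 bytes when size is not a multiple of four. */
    while (remaining > 0) {
        *dest_ptr++ = *src_ptr++;
        remaining--;
    }
}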