Hi all,
Today, trust on libffi is gated by:
defined(__APPLE__) && defined(FFI_AVAILABLE_APPLE)
I am interested in knowing if there is a path to:
defined(__APPLE__) && defined(/* test on upstream libffi */)
My motivation is that the nixpkgs package manager bundles upstream libffi and not Apple's fork (which defines the FFI_AVAILABLE_APPLE symbol), and my uninformed scanning of the code base plus historical issues makes me think there is a path to this.
From this comment, I gather that the issue is with calling mmap with MAP_SHARED. I see in both libffi code bases here and here that MAP_SHARED is not used as long as FFI_EXEC_TRAMPOLINE_TABLE is defined. The code to support this on Darwin aarch64 was committed and released in libffi version 3.3 in 2019.
In contrast, I am not as convinced that x86-64 Darwin is unaffected by this issue, since FFI_EXEC_TRAMPOLINE_TABLE is not defined for that platform (although maybe it is not an issue in practice for other reasons?).
There still seems to be a gap in libffi for which code-signed apps on M1 chips run into security protections, but at least the MAP_SHARED vulnerability isn't present. So is it a blocker? If it is, is it the only known issue remaining?
I'm interested in your opinions on this topic. Thank you for your time.
Teddy