by sild 2148 days ago
Currently the page must be writeable at some point in order to create the trampoline.

A page fault is used as a way of executing the trampoline without the page having to be made executable/writable---the page fault handler recognises the page as a special trampoline page and handles the jump to the trampoline's target address (which was previously registered using the new syscall).

Note that AFAICS this is unrelated to Spectre. The intended use is for constructing closures for use in FFI libraries such as libffi.

EDIT: I think I perhaps misunderstood your query---are you saying why not just make a system call where the kernel creates the page for you with the desired trampoline code and execute permissions?

Double map it, like a JIT does. Once writable, and once executable. Put the pointers into different shared objects so that ASLR puts a randomized offset between them and you can't discover the write pointers from the execute pointer, and vice versa.
You still need to store the write pointers somewhere. So this very quickly becomes a game of cat and mouse.
JavaScriptCore had an amusing scheme where they'd make an (executable) memcpy gadget with the address hardcoded, then throw away read permissions to that memory. So the pointer's address is thus not readable without modifying memory permissions.
Yes, the edit is precisely what I was trying to get at. Do you happen to have context around this?

edit: also, “spectre mitigations” was just a shot in the dark. It does feel like this mode of jmping (modifying saved registers and restoring them) would be more prone to interfering with speculative execution.
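The double-mapping scheme from the "like a JIT does" comment above, as an added example that is not code from the thread: one memfd-backed page is mapped twice, the trampoline bytes are written only through the RW view and called only through the RX view, so no mapping is ever both writable and executable. Assumes Linux on x86-64; the trampoline is a hand-encoded adder, and the names (dual_map, emit_adder, run_adder) are this example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

typedef int (*adder_fn)(int);
/* One physical page, two virtual views: rw for emitting, rx for calling. */
struct dual_map { uint8_t *rw; uint8_t *rx; size_t len; };

static int dual_map_create(struct dual_map *m) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    /* memfd gives an anonymous, file-backed page that can be mapped twice. */
    int fd = (int)syscall(SYS_memfd_create, "jit", 1U /* MFD_CLOEXEC */);
    if (fd < 0 || ftruncate(fd, (off_t)len) != 0) return -1;
    void *rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void *rx = mmap(NULL, len, PROT_READ | PROT_EXEC,  MAP_SHARED, fd, 0);
    close(fd);                          /* the mappings keep the page alive */
    if (rw == MAP_FAILED || rx == MAP_FAILED) return -1;
    m->rw = rw; m->rx = rx; m->len = len;
    return 0;
}

/* Emit x86-64 "mov eax, edi; add eax, imm32; ret", i.e. int f(int x) { return x + imm; } */
static adder_fn emit_adder(struct dual_map *m, int32_t imm) {
    uint8_t code[] = { 0x89, 0xF8,            /* mov eax, edi   */
                       0x05, 0, 0, 0, 0,       /* add eax, imm32 */
                       0xC3 };                 /* ret            */
    memcpy(code + 3, &imm, sizeof imm);
    memcpy(m->rw, code, sizeof code);   /* write only through the RW view   */
    return (adder_fn)(void *)m->rx;     /* execute only through the RX view */
}

/* Returns x + imm via code that never lived in a W+X mapping; -1 on setup failure. */
int run_adder(int x, int32_t imm) {
    struct dual_map m;
    if (dual_map_create(&m) != 0) return -1;
    int r = emit_adder(&m, imm)(x);
    munmap(m.rw, m.len);
    munmap(m.rx, m.len);
    return r;
}

int main(void) {
    printf("run_adder(40, 2) = %d\n", run_adder(40, 2));  /* prints 42 */
    return 0;
}
```

Note that the RW pointer is exactly the secret the next comment refers to: whoever learns it can rewrite the code behind the RX view, which is why the thread calls the scheme a game of cat and mouse.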