Make some parts of _zend_mm_heap read-only at runtime.

jvoisin · jvoisin · commit 120967f7bb07 · 2024-06-16T22:57:36.000+02:00
As [presented at OffensiveCon 2024](https://youtu.be/dqKFHjcK9hM?t=1622), having trivially callable writeable function pointers at the top of the heap makes it straightforward to turn a limited write into an arbitrary code execution. Disabling ZEND_MM_HEAP by default isn't doable, as it's used by a couple of profilers, so we're making some parts of `_zend_mm_heap` read-only at runtime instead: this will prevent the custom heap functions pointers from being hijacked, and we're also throwing the `shadow_key` there as it doesn't hurt to make it read-only as well.
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -296,6 +296,20 @@ static bool zend_mm_use_huge_pages = false;
  */
 
 struct _zend_mm_heap {
+    union {                                             /* This union contains security-relevant properties, and is thus made read-only at run-time. */
+        struct {
+            uintptr_t          shadow_key;              /* free slot shadow ptr xor key */
+#if ZEND_MM_CUSTOM
+            struct {
+                void      *(*_malloc)(size_t ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
+                void       (*_free)(void*  ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
+                void      *(*_realloc)(void*, size_t  ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
+            } custom_heap;
+#endif
+        };
+        char padding [ZEND_MM_PAGE_SIZE];
+    };
+
 #if ZEND_MM_CUSTOM
 	int                use_custom_heap;
 #endif
@@ -306,7 +320,6 @@ struct _zend_mm_heap {
 	size_t             size;                    /* current memory usage */
 	size_t             peak;                    /* peak memory usage */
 #endif
-	uintptr_t          shadow_key;              /* free slot shadow ptr xor key */
 	zend_mm_free_slot *free_slot[ZEND_MM_BINS]; /* free lists for small sizes */
 #if ZEND_MM_STAT || ZEND_MM_LIMIT
 	size_t             real_size;               /* current size of allocated pages */
@@ -330,11 +343,6 @@ struct _zend_mm_heap {
 	int                last_chunks_delete_boundary; /* number of chunks after last deletion */
 	int                last_chunks_delete_count;    /* number of deletion over the last boundary */
 #if ZEND_MM_CUSTOM
-	struct {
-		void      *(*_malloc)(size_t ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
-		void       (*_free)(void*  ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
-		void      *(*_realloc)(void*, size_t  ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
-	} custom_heap;
 	HashTable *tracked_allocs;
 #endif
 	pid_t pid;
@@ -2103,6 +2111,9 @@ static zend_mm_heap *zend_mm_init(void)
 #endif
 	heap->huge_list = NULL;
 	heap->pid = getpid();
+
+	mprotect(heap, ZEND_MM_PAGE_SIZE, PROT_READ);
+
 	return heap;
 }
 
@@ -3141,6 +3152,7 @@ ZEND_API void zend_mm_set_custom_handlers(zend_mm_heap *heap,
 #if ZEND_MM_CUSTOM
 	zend_mm_heap *_heap = (zend_mm_heap*)heap;
 
+	mprotect(heap, ZEND_MM_PAGE_SIZE, PROT_WRITE);
 	if (!_malloc && !_free && !_realloc) {
 		_heap->use_custom_heap = ZEND_MM_CUSTOM_HEAP_NONE;
 	} else {
@@ -3149,6 +3161,7 @@ ZEND_API void zend_mm_set_custom_handlers(zend_mm_heap *heap,
 		_heap->custom_heap._free = _free;
 		_heap->custom_heap._realloc = _realloc;
 	}
+	mprotect(heap, ZEND_MM_PAGE_SIZE, PROT_READ);
 #endif
 }
 
