Make some parts of _zend_mm_heap read-only at runtime.

jvoisin · jvoisin · commit 25a366354822 · 2024-06-18T14:45:30.000+02:00
As [presented at OffensiveCon 2024](https://youtu.be/dqKFHjcK9hM?t=1622), having trivially callable writeable function pointers at the top of the heap makes it straightforward to turn a limited write into an arbitrary code execution. Disabling ZEND_MM_HEAP by default isn't doable, as it's used by a couple of profilers, so we're making some parts of `_zend_mm_heap` read-only at runtime instead: this will prevent the custom heap functions pointers from being hijacked, and we're also throwing the `shadow_key` there as it doesn't hurt to make it read-only as well.
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -217,6 +217,8 @@ typedef zend_mm_bitset zend_mm_page_map[ZEND_MM_PAGE_MAP_LEN];     /* 64B */
 
 #define ZEND_MM_BINS 30
 
+#define ZEND_MM_RO_HEAP(heap) ((zend_mm_ro_heap*)((char*)(heap) + REAL_PAGE_SIZE))
+
 #if defined(_MSC_VER)
 # if UINTPTR_MAX == UINT64_MAX
 #  define BSWAPPTR(u) _byteswap_uint64(u)
@@ -263,6 +265,23 @@ typedef struct  _zend_mm_huge_list zend_mm_huge_list;
 
 static bool zend_mm_use_huge_pages = false;
 
+#define ZEND_MM_DEFAULT_PAGE_SIZE 4096
+
+static size_t zend_mm_get_page_size(void)
+{
+	static size_t page_size = 0;
+
+	if (!page_size) {
+		page_size = zend_get_page_size();
+		if (!page_size || (page_size & (page_size - 1))) {
+			/* anyway, we have to return a valid result */
+			page_size = ZEND_MM_DEFAULT_PAGE_SIZE;
+		}
+	}
+
+	return page_size;
+}
+
 /*
  * Memory is retrieved from OS by chunks of fixed size 2MB.
  * Inside chunk it's managed by pages of fixed size 4096B.
@@ -306,7 +325,6 @@ struct _zend_mm_heap {
 	size_t             size;                    /* current memory usage */
 	size_t             peak;                    /* peak memory usage */
 #endif
-	uintptr_t          shadow_key;              /* free slot shadow ptr xor key */
 	zend_mm_free_slot *free_slot[ZEND_MM_BINS]; /* free lists for small sizes */
 #if ZEND_MM_STAT || ZEND_MM_LIMIT
 	size_t             real_size;               /* current size of allocated pages */
@@ -329,16 +347,25 @@ struct _zend_mm_heap {
 	double             avg_chunks_count;		/* average number of chunks allocated per request */
 	int                last_chunks_delete_boundary; /* number of chunks after last deletion */
 	int                last_chunks_delete_count;    /* number of deletion over the last boundary */
+#if ZEND_MM_CUSTOM
+	HashTable *tracked_allocs;
+#endif
+	pid_t pid;
+	zend_random_bytes_insecure_state rand_state;
+};
+
+/* This contains security-sensitive data, and is thus mapped as read-only at run-time right after the _zend_mm_heap struct
+ * and accessed via the ZEND_MM_RO_HEAP macro.*/
+struct _zend_mm_ro_heap {
+	uintptr_t          shadow_key;              /* free slot shadow ptr xor key */
+
 #if ZEND_MM_CUSTOM
 	struct {
 		void      *(*_malloc)(size_t ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
 		void       (*_free)(void*  ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
 		void      *(*_realloc)(void*, size_t  ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC);
 	} custom_heap;
-	HashTable *tracked_allocs;
 #endif
-	pid_t pid;
-	zend_random_bytes_insecure_state rand_state;
 };
 
 struct _zend_mm_chunk {
@@ -349,7 +376,6 @@ struct _zend_mm_chunk {
 	uint32_t           free_tail;               /* number of free pages at the end of chunk */
 	uint32_t           num;
 	char               reserve[64 - (sizeof(void*) * 3 + sizeof(uint32_t) * 3)];
-	zend_mm_heap       heap_slot;               /* used only in main chunk */
 	zend_mm_page_map   free_map;                /* 512 bits or 64 bytes */
 	zend_mm_page_info  map[ZEND_MM_PAGES];      /* 2 KB = 512 * 4 */
 };
@@ -1331,18 +1357,18 @@ static zend_always_inline int zend_mm_small_size_to_bin(size_t size)
 static zend_always_inline zend_mm_free_slot* zend_mm_encode_free_slot(const zend_mm_heap *heap, const zend_mm_free_slot *slot)
 {
 #ifdef WORDS_BIGENDIAN
-	return (zend_mm_free_slot*)(((uintptr_t)slot) ^ heap->shadow_key);
+	return (zend_mm_free_slot*)(((uintptr_t)slot) ^ ZEND_MM_RO_HEAP(heap)->shadow_key);
 #else
-	return (zend_mm_free_slot*)(BSWAPPTR((uintptr_t)slot) ^ heap->shadow_key);
+	return (zend_mm_free_slot*)(BSWAPPTR((uintptr_t)slot) ^ ZEND_MM_RO_HEAP(heap)->shadow_key);
 #endif
 }
 
 static zend_always_inline zend_mm_free_slot* zend_mm_decode_free_slot(zend_mm_heap *heap, zend_mm_free_slot *slot)
 {
 #ifdef WORDS_BIGENDIAN
-	return (zend_mm_free_slot*)((uintptr_t)slot ^ heap->shadow_key);
+	return (zend_mm_free_slot*)((uintptr_t)slot ^ ZEND_MM_RO_HEAP(heap)->shadow_key);
 #else
-	return (zend_mm_free_slot*)(BSWAPPTR((uintptr_t)slot ^ heap->shadow_key));
+	return (zend_mm_free_slot*)(BSWAPPTR((uintptr_t)slot ^ ZEND_MM_RO_HEAP(heap)->shadow_key));
 #endif
 }
 
@@ -2045,7 +2071,9 @@ static void zend_mm_free_huge(zend_mm_heap *heap, void *ptr ZEND_FILE_LINE_DC ZE
 
 static void zend_mm_refresh_key(zend_mm_heap *heap)
 {
-	zend_random_bytes_insecure(&heap->rand_state, &heap->shadow_key, sizeof(heap->shadow_key));
+	mprotect(ZEND_MM_RO_HEAP(heap), zend_mm_get_page_size(), PROT_WRITE);
+	zend_random_bytes_insecure(&heap->rand_state, &(ZEND_MM_RO_HEAP(heap)->shadow_key), sizeof(ZEND_MM_RO_HEAP(heap)->shadow_key));
+	mprotect(ZEND_MM_RO_HEAP(heap), zend_mm_get_page_size(), PROT_READ);
 }
 
 static void zend_mm_init_key(zend_mm_heap *heap)
@@ -2056,16 +2084,15 @@ static void zend_mm_init_key(zend_mm_heap *heap)
 
 static zend_mm_heap *zend_mm_init(void)
 {
+	zend_mm_heap *heap = (zend_mm_heap*)zend_mm_chunk_alloc_int(zend_mm_get_page_size() * 2, zend_mm_get_page_size());
 	zend_mm_chunk *chunk = (zend_mm_chunk*)zend_mm_chunk_alloc_int(ZEND_MM_CHUNK_SIZE, ZEND_MM_CHUNK_SIZE);
-	zend_mm_heap *heap;
 
 	if (UNEXPECTED(chunk == NULL)) {
 #if ZEND_MM_ERROR
 		fprintf(stderr, "Can't initialize heap\n");
 #endif
 		return NULL;
 	}
-	heap = &chunk->heap_slot;
 	chunk->heap = heap;
 	chunk->next = chunk;
 	chunk->prev = chunk;
@@ -2103,6 +2130,9 @@ static zend_mm_heap *zend_mm_init(void)
 #endif
 	heap->huge_list = NULL;
 	heap->pid = getpid();
+
+	mprotect(ZEND_MM_RO_HEAP(heap), zend_mm_get_page_size(), PROT_READ);
+
 	return heap;
 }
 
@@ -2431,7 +2461,7 @@ void zend_mm_shutdown(zend_mm_heap *heap, bool full, bool silent)
 
 #if ZEND_MM_CUSTOM
 	if (heap->use_custom_heap) {
-		if (heap->custom_heap._malloc == tracked_malloc) {
+		if (ZEND_MM_RO_HEAP(heap)->custom_heap._malloc == tracked_malloc) {
 			if (silent) {
 				tracked_free_all();
 			}
@@ -2440,13 +2470,15 @@ void zend_mm_shutdown(zend_mm_heap *heap, bool full, bool silent)
 				zend_hash_destroy(heap->tracked_allocs);
 				free(heap->tracked_allocs);
 				/* Make sure the heap free below does not use tracked_free(). */
-				heap->custom_heap._free = __zend_free;
+				mprotect(ZEND_MM_RO_HEAP(heap), zend_mm_get_page_size(), PROT_WRITE);
+				ZEND_MM_RO_HEAP(heap)->custom_heap._free = __zend_free;
+				mprotect(ZEND_MM_RO_HEAP(heap), zend_mm_get_page_size(), PROT_READ);
 			}
 			heap->size = 0;
 		}
 
 		if (full) {
-			heap->custom_heap._free(heap ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC);
+			ZEND_MM_RO_HEAP(heap)->custom_heap._free(heap ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC);
 		}
 		return;
 	}
@@ -2511,7 +2543,7 @@ void zend_mm_shutdown(zend_mm_heap *heap, bool full, bool silent)
 
 		/* reinitialize the first chunk and heap */
 		p = heap->main_chunk;
-		p->heap = &p->heap_slot;
+		//p->heap = &p->heap_slot;
 		p->next = p;
 		p->prev = p;
 		p->free_pages = ZEND_MM_PAGES - ZEND_MM_FIRST_PAGE;
@@ -2575,7 +2607,7 @@ ZEND_API size_t ZEND_FASTCALL _zend_mm_block_size(zend_mm_heap *heap, void *ptr
 {
 #if ZEND_MM_CUSTOM
 	if (UNEXPECTED(heap->use_custom_heap)) {
-		if (heap->custom_heap._malloc == tracked_malloc) {
+		if (ZEND_MM_RO_HEAP(heap)->custom_heap._malloc == tracked_malloc) {
 			zend_ulong h = ((uintptr_t) ptr) >> ZEND_MM_ALIGNMENT_LOG2;
 			zval *size_zv = zend_hash_index_find(heap->tracked_allocs, h);
 			if  (size_zv) {
@@ -2618,7 +2650,7 @@ ZEND_API bool is_zend_ptr(const void *ptr)
 {
 #if ZEND_MM_CUSTOM
 	if (AG(mm_heap)->use_custom_heap) {
-		if (AG(mm_heap)->custom_heap._malloc == tracked_malloc) {
+		if (ZEND_MM_RO_HEAP(AG(mm_heap))->custom_heap._malloc == tracked_malloc) {
 			zend_ulong h = ((uintptr_t) ptr) >> ZEND_MM_ALIGNMENT_LOG2;
 			zval *size_zv = zend_hash_index_find(AG(mm_heap)->tracked_allocs, h);
 			if  (size_zv) {
@@ -2661,12 +2693,12 @@ ZEND_API bool is_zend_ptr(const void *ptr)
 #if ZEND_MM_CUSTOM
 # define ZEND_MM_CUSTOM_ALLOCATOR(size) do { \
 		if (UNEXPECTED(AG(mm_heap)->use_custom_heap)) { \
-			return AG(mm_heap)->custom_heap._malloc(size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC); \
+			return ZEND_MM_RO_HEAP(AG(mm_heap))->custom_heap._malloc(size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC); \
 		} \
 	} while (0)
 # define ZEND_MM_CUSTOM_DEALLOCATOR(ptr) do { \
 		if (UNEXPECTED(AG(mm_heap)->use_custom_heap)) { \
-			AG(mm_heap)->custom_heap._free(ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC); \
+			ZEND_MM_RO_HEAP(AG(mm_heap))->custom_heap._free(ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC); \
 			return; \
 		} \
 	} while (0)
@@ -2762,7 +2794,7 @@ ZEND_API void* ZEND_FASTCALL _emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LI
 {
 #if ZEND_MM_CUSTOM
 	if (UNEXPECTED(AG(mm_heap)->use_custom_heap)) {
-		return AG(mm_heap)->custom_heap._malloc(size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC); \
+		return ZEND_MM_RO_HEAP(AG(mm_heap))->custom_heap._malloc(size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC); \
 	}
 #endif
 	return zend_mm_alloc_heap(AG(mm_heap), size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
@@ -2772,7 +2804,7 @@ ZEND_API void ZEND_FASTCALL _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_OR
 {
 #if ZEND_MM_CUSTOM
 	if (UNEXPECTED(AG(mm_heap)->use_custom_heap)) {
-		AG(mm_heap)->custom_heap._free(ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+		ZEND_MM_RO_HEAP(AG(mm_heap))->custom_heap._free(ptr ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
 		return;
 	}
 #endif
@@ -2783,7 +2815,7 @@ ZEND_API void* ZEND_FASTCALL _erealloc(void *ptr, size_t size ZEND_FILE_LINE_DC
 {
 #if ZEND_MM_CUSTOM
 	if (UNEXPECTED(AG(mm_heap)->use_custom_heap)) {
-		return AG(mm_heap)->custom_heap._realloc(ptr, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+		return ZEND_MM_RO_HEAP(AG(mm_heap))->custom_heap._realloc(ptr, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
 	}
 #endif
 	return zend_mm_realloc_heap(AG(mm_heap), ptr, size, 0, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
@@ -2793,7 +2825,7 @@ ZEND_API void* ZEND_FASTCALL _erealloc2(void *ptr, size_t size, size_t copy_size
 {
 #if ZEND_MM_CUSTOM
 	if (UNEXPECTED(AG(mm_heap)->use_custom_heap)) {
-		return AG(mm_heap)->custom_heap._realloc(ptr, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+		return ZEND_MM_RO_HEAP(AG(mm_heap))->custom_heap._realloc(ptr, size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
 	}
 #endif
 	return zend_mm_realloc_heap(AG(mm_heap), ptr, size, 1, copy_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
@@ -3057,25 +3089,28 @@ static void alloc_globals_ctor(zend_alloc_globals *alloc_globals)
 	tmp = getenv("USE_ZEND_ALLOC");
 	if (tmp && !ZEND_ATOL(tmp)) {
 		bool tracked = (tmp = getenv("USE_TRACKED_ALLOC")) && ZEND_ATOL(tmp);
-		zend_mm_heap *mm_heap = alloc_globals->mm_heap = malloc(sizeof(zend_mm_heap));
+		//TODO(jvoisin) fix this
+		zend_mm_heap *mm_heap = alloc_globals->mm_heap = malloc(zend_mm_get_page_size() * 2);
 		memset(mm_heap, 0, sizeof(zend_mm_heap));
 		mm_heap->use_custom_heap = ZEND_MM_CUSTOM_HEAP_STD;
 		mm_heap->limit = (size_t)Z_L(-1) >> 1;
 		mm_heap->overflow = 0;
 
+		mprotect(ZEND_MM_RO_HEAP(mm_heap), zend_mm_get_page_size(), PROT_WRITE);
 		if (!tracked) {
 			/* Use system allocator. */
-			mm_heap->custom_heap._malloc = __zend_malloc;
-			mm_heap->custom_heap._free = __zend_free;
-			mm_heap->custom_heap._realloc = __zend_realloc;
+			ZEND_MM_RO_HEAP(mm_heap)->custom_heap._malloc = __zend_malloc;
+			ZEND_MM_RO_HEAP(mm_heap)->custom_heap._free = __zend_free;
+			ZEND_MM_RO_HEAP(mm_heap)->custom_heap._realloc = __zend_realloc;
 		} else {
 			/* Use system allocator and track allocations for auto-free. */
-			mm_heap->custom_heap._malloc = tracked_malloc;
-			mm_heap->custom_heap._free = tracked_free;
-			mm_heap->custom_heap._realloc = tracked_realloc;
+			ZEND_MM_RO_HEAP(mm_heap)->custom_heap._malloc = tracked_malloc;
+			ZEND_MM_RO_HEAP(mm_heap)->custom_heap._free = tracked_free;
+			ZEND_MM_RO_HEAP(mm_heap)->custom_heap._realloc = tracked_realloc;
 			mm_heap->tracked_allocs = malloc(sizeof(HashTable));
 			zend_hash_init(mm_heap->tracked_allocs, 1024, NULL, NULL, 1);
 		}
+		mprotect(ZEND_MM_RO_HEAP(mm_heap), zend_mm_get_page_size(), PROT_READ);
 		return;
 	}
 #endif
@@ -3145,9 +3180,11 @@ ZEND_API void zend_mm_set_custom_handlers(zend_mm_heap *heap,
 		_heap->use_custom_heap = ZEND_MM_CUSTOM_HEAP_NONE;
 	} else {
 		_heap->use_custom_heap = ZEND_MM_CUSTOM_HEAP_STD;
-		_heap->custom_heap._malloc = _malloc;
-		_heap->custom_heap._free = _free;
-		_heap->custom_heap._realloc = _realloc;
+		mprotect(ZEND_MM_RO_HEAP(_heap), zend_mm_get_page_size(), PROT_WRITE);
+		ZEND_MM_RO_HEAP(_heap)->custom_heap._malloc = _malloc;
+		ZEND_MM_RO_HEAP(_heap)->custom_heap._free = _free;
+		ZEND_MM_RO_HEAP(_heap)->custom_heap._realloc = _realloc;
+		mprotect(ZEND_MM_RO_HEAP(_heap), zend_mm_get_page_size(), PROT_READ);
 	}
 #endif
 }
@@ -3161,9 +3198,9 @@ ZEND_API void zend_mm_get_custom_handlers(zend_mm_heap *heap,
 	zend_mm_heap *_heap = (zend_mm_heap*)heap;
 
 	if (heap->use_custom_heap) {
-		*_malloc = _heap->custom_heap._malloc;
-		*_free = _heap->custom_heap._free;
-		*_realloc = _heap->custom_heap._realloc;
+		*_malloc = ZEND_MM_RO_HEAP(_heap)->custom_heap._malloc;
+		*_free = ZEND_MM_RO_HEAP(_heap)->custom_heap._free;
+		*_realloc = ZEND_MM_RO_HEAP(_heap)->custom_heap._realloc;
 	} else {
 		*_malloc = NULL;
 		*_free = NULL;
@@ -3195,7 +3232,7 @@ ZEND_API zend_mm_heap *zend_mm_startup_ex(const zend_mm_handlers *handlers, void
 #if ZEND_MM_STORAGE
 	zend_mm_storage tmp_storage, *storage;
 	zend_mm_chunk *chunk;
-	zend_mm_heap *heap;
+	   zend_mm_heap *heap = (zend_mm_heap*)zend_mm_chunk_alloc_int(REAL_PAGE_SIZE * 2, REAL_PAGE_SIZE);
 
 	memcpy((zend_mm_handlers*)&tmp_storage.handlers, handlers, sizeof(zend_mm_handlers));
 	tmp_storage.data = data;
@@ -3206,7 +3243,6 @@ ZEND_API zend_mm_heap *zend_mm_startup_ex(const zend_mm_handlers *handlers, void
 #endif
 		return NULL;
 	}
-	heap = &chunk->heap_slot;
 	chunk->heap = heap;
 	chunk->next = chunk;
 	chunk->prev = chunk;
diff --git a/Zend/zend_alloc.h b/Zend/zend_alloc.h
@@ -242,6 +242,7 @@ ZEND_API void zend_memory_reset_peak_usage(void);
 
 /* Heap functions */
 typedef struct _zend_mm_heap zend_mm_heap;
+typedef struct _zend_mm_ro_heap zend_mm_ro_heap;
 
 ZEND_API zend_mm_heap *zend_mm_startup(void);
 ZEND_API void zend_mm_shutdown(zend_mm_heap *heap, bool full_shutdown, bool silent);
