Commit 44bc6fd
Make some parts of _zend_mm_heap read-only at runtime.
As [presented at OffensiveCon 2024](https://youtu.be/dqKFHjcK9hM?t=1622), having trivially callable writeable function pointers at the top of the heap makes it straightforward to turn a limited write into arbitrary code execution.

Disabling ZEND_MM_HEAP by default isn't doable, as it's used by a couple of profilers, so we're making some parts of `_zend_mm_heap` read-only at runtime instead: this will prevent the custom heap function pointers from being hijacked, as well as the custom storage ones.

We don't put the shadow_key there, since it has a performance impact, and an attacker able to precisely overwrite it is likely already able to read it anyway.

1 parent 6e2ad3c, commit 44bc6fd
2 files changed: +97 −54 lines
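The mitigation the commit message describes, grouping the fields an attacker would most like to overwrite (custom allocator hooks, custom storage handlers) so that region can be sealed read-only after initialisation, shown as an added C example. This is not PHP's code and not the contents of this commit; `toy_heap`, `heap_ro_part`, `heap_seal`, `heap_unseal` and `heap_probe_writable` are hypothetical stand-ins. The sealed part is given its own page with `mmap`, `mprotect` flips it to `PROT_READ`, and a pipe `read()` into the page's unused last byte serves as a crash-free probe: on a read-only page the kernel reports `EFAULT` rather than raising `SIGSEGV`.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

/* Hypothetical descriptor: the function pointers and storage handle an
 * attacker would want to hijack live together in a structure that gets
 * its own page, so the whole thing can be sealed read-only. */
typedef struct {
    void *(*custom_malloc)(size_t);
    void  (*custom_free)(void *);
    void  *custom_storage;
} heap_ro_part;

/* Mutable hot-path bookkeeping stays outside the sealed page, for the same
 * reason the commit keeps the frequently used shadow_key out of it. */
typedef struct {
    heap_ro_part *ro;
    size_t allocated;
} toy_heap;

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Seal: afterwards a stray write into ->ro faults instead of succeeding. */
static int heap_seal(toy_heap *h) {
    return mprotect(h->ro, page_size(), PROT_READ);
}

/* Unseal only around legitimate reconfiguration, e.g. a profiler installing hooks. */
static int heap_unseal(toy_heap *h) {
    return mprotect(h->ro, page_size(), PROT_READ | PROT_WRITE);
}

static void *plain_malloc(size_t n) { return malloc(n); }
static void  plain_free(void *p)    { free(p); }

/* Put the read-only part in its own page, fill it, then seal it. */
static int heap_init(toy_heap *h) {
    void *p = mmap(NULL, page_size(), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    h->ro = (heap_ro_part *)p;
    h->ro->custom_malloc  = plain_malloc;
    h->ro->custom_free    = plain_free;
    h->ro->custom_storage = NULL;
    h->allocated = 0;
    return heap_seal(h);
}

/* The hooks are still called through the sealed page; only writes are blocked. */
static void *heap_alloc(toy_heap *h, size_t n) {
    void *p = h->ro->custom_malloc(n);
    if (p) h->allocated++;
    return p;
}

static void heap_free(toy_heap *h, void *p) {
    h->ro->custom_free(p);
    if (h->allocated) h->allocated--;
}

/* Probe whether the page is writable without risking SIGSEGV: ask the kernel
 * to copy one byte from a pipe into the page's unused last byte (padding, not
 * a field). Returns 1 (writable), 0 (read-only: EFAULT) or -1 (probe failed). */
static int heap_probe_writable(toy_heap *h) {
    int fds[2];
    char c = 'x';
    int rc = -1;
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], &c, 1) == 1) {
        char *tail = (char *)h->ro + page_size() - 1;
        ssize_t n = read(fds[0], tail, 1);
        if (n == 1) rc = 1;
        else if (n < 0 && errno == EFAULT) rc = 0;
    }
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* Runs the whole life cycle; returns the number of checks that held (5 = all). */
static int run_demo(void) {
    toy_heap h;
    int ok = 0;
    if (heap_init(&h) != 0) return 0;
    ok++;                                                            /* 1: sealed at init */
    if (heap_probe_writable(&h) == 0) ok++;                          /* 2: writes refused */
    void *p = heap_alloc(&h, 64);
    if (p && h.allocated == 1) ok++;                                 /* 3: hooks still usable */
    if (heap_unseal(&h) == 0 && heap_probe_writable(&h) == 1) ok++;  /* 4: unseal for reconfig */
    if (heap_seal(&h) == 0 && heap_probe_writable(&h) == 0) ok++;    /* 5: resealed */
    heap_free(&h, p);
    munmap(h.ro, page_size());
    return ok;
}

int main(void) {
    printf("checks passed: %d/5\n", run_demo());
    return 0;
}
```

The design point is the split: reads through the sealed page are free, so dispatching through `custom_malloc` costs nothing extra, while every legitimate change costs two `mprotect` calls. That is why a field written on every hot operation (the commit's `shadow_key`) does not belong in the sealed region, and why the probe deliberately targets padding rather than a real field so it never corrupts the descriptor when the page is writable.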