Commit 9044d3e
Make some parts of _zend_mm_heap read-only at runtime.
As [presented at
OffensiveCon 2024](https://youtu.be/dqKFHjcK9hM?t=1622), having trivially
callable writeable function pointers at the top of the heap makes it
straightforward to turn a limited write into an arbitrary code execution.
Disabling ZEND_MM_HEAP by default isn't doable, as it's used by a couple of
profilers, so we're making some parts of `_zend_mm_heap` read-only at runtime
instead: this will prevent the custom heap function pointers from being
hijacked, as well as the custom storage ones.
We don't put the shadow_key there, since it has a performance impact, and an
attacker able to precisely overwrite it is likely already able to read it
anyway.

1 parent 72c8746 commit 9044d3e
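The mitigation described in the commit, shown as an added example that is not PHP's code: a hypothetical heap header holding custom function pointers is mapped on its own page, sealed with mprotect() once initialised, and a probe confirms that a later stray write into it faults instead of silently redirecting a pointer (the struct, the page-per-header layout and the SIGSEGV probe are assumptions for illustration; the real `_zend_mm_heap` layout differs).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical heap header (assumption): the real _zend_mm_heap differs. */
typedef struct {
    void *(*custom_malloc)(size_t);
    void  (*custom_free)(void *);
    size_t limit;
} heap_header_t;

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Map the header on its own page so the protection change covers only it. */
heap_header_t *heap_header_create(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    heap_header_t *h = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (h == MAP_FAILED) return NULL;
    h->custom_malloc = malloc;   /* the pointers an overwrite would target */
    h->custom_free = free;
    h->limit = 1 << 20;
    return h;
}

/* Seal the header: after this, any write to it raises SIGSEGV. Returns 0 on success. */
int heap_header_seal(heap_header_t *h) {
    return mprotect(h, (size_t)sysconf(_SC_PAGESIZE), PROT_READ);
}

/* Probe: returns 1 if a write into the header faulted (was blocked), 0 if it landed. */
int heap_header_write_blocked(heap_header_t *h) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    volatile int blocked = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        h->limit = 0;            /* simulated stray write into the header */
        blocked = 0;             /* only reached if the store did not fault */
    }
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}
```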
3 files changed, +122 -66 lines changed