Heap hardening #14083
Comments
Thank you for creating this issue! I thought a bit more about this since #13943 (comment):
Longer term, we should check if replacing refcounting+cycle GC by a full tracing GC is practicable, because it would help. Although refcounting cannot be entirely removed because CoW semantics rely on it.
Great, thank you!
Agreed with changing the base entirely. What I had in mind was to use a random mmap hint in zend alloc, and allocate contiguously from that hint (to avoid splitting the address space too much). After that we can randomize bin placement inside chunks (but I feel this can be easily defeated with heap feng shui) and freelists inside bins indeed. Regarding the threat model, I'm focusing more on the remote attacker model for now, as I feel this is the most critical.
Oh, I see. Yes, having a randomized per-child base would help a bit, as an attacker wouldn't be able to use forks to bruteforce the randomization, albeit memory allocated before the fork would still be at the same offset across processes. As for periodic rebasing, I guess having the master process re-executing itself once in a while would be an acceptable

Remote PHP exploitation is pretty exotic; to my knowledge, the only person to do it (publicly) is @cfreal. Local exploitation is much more common, usually to bypass
...
@jvoisin, just curious; would you recommend using the userfaultfd API in that case?
I'd rather keep things simple and portable: map two pages
Oh, not so much complexity; it allows handling the violation more smoothly than the usual technique you're referring to. But... that's just Linux :)
Description
Currently, PHP's heap implementation is ~trivial to exploit:
There are several hardening techniques that could/should be implemented, listed here in order of difficulty:
- SLAB_FREELIST_RANDOM
- allocate strings and array buckets in GigaCages so that a corrupt length doesn't allow access to anything other than other strings/array buckets. This will significantly increase the virtual-memory usage though. This isn't doable, since those structures have a maximum size of SIZE_MAX.
cc @arnaud-lb @cfreal @therealcoiffeur
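The first item above, freelist randomization in the style of the Linux kernel's SLAB_FREELIST_RANDOM, is easy to show on a toy bin allocator. The block below is an added example written for this page; it is not php-src code and does not reflect how zend_alloc lays out its bins. The names (toy_bin, toy_bin_init, toy_bin_alloc, ...), the slot size of 64 bytes, the 32 slots per chunk and the xorshift64 PRNG are all assumptions made for the demo. It builds the same bin twice, once with the classic sequential free list and once with a Fisher-Yates-shuffled one, then counts how many consecutive allocations land directly next to each other, which is what a linear overflow from one allocation into the next depends on.

```c
/* Added example (not php-src code): a fixed-size bin whose free list is built
 * in a randomized order, the idea behind SLAB_FREELIST_RANDOM. With a
 * sequential free list, allocation N+1 always sits right after allocation N,
 * so an overflow from N reliably corrupts N+1. With a shuffled free list the
 * neighbour of a given slot is no longer predictable from allocation order.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_SIZE 64   /* assumed bin element size for the demo */
#define NUM_SLOTS 32   /* assumed number of slots per chunk for the demo */

typedef struct {
    unsigned char mem[SLOT_SIZE * NUM_SLOTS]; /* backing chunk */
    uint16_t order[NUM_SLOTS];                /* slot indices in hand-out order */
    size_t next;                              /* cursor into order[] */
    uint64_t rng;                             /* PRNG state, seeded by the caller */
} toy_bin;

/* xorshift64 is enough for a demo; a real allocator would seed from getrandom(2). */
static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return *s = x;
}

/* Build the free list: randomize=0 keeps the sequential order 0,1,2,...;
 * randomize=1 applies a Fisher-Yates shuffle over the slot indices. */
void toy_bin_init(toy_bin *b, int randomize, uint64_t seed) {
    memset(b->mem, 0, sizeof b->mem);
    for (size_t i = 0; i < NUM_SLOTS; i++) b->order[i] = (uint16_t)i;
    b->next = 0;
    b->rng = seed ? seed : 0x9E3779B97F4A7C15ULL; /* xorshift must not start at 0 */
    if (!randomize) return;
    for (size_t i = NUM_SLOTS - 1; i > 0; i--) {
        size_t j = (size_t)(xorshift64(&b->rng) % (i + 1));
        uint16_t t = b->order[i];
        b->order[i] = b->order[j];
        b->order[j] = t;
    }
}

/* Hand out the next free slot, or NULL once the chunk is exhausted. */
void *toy_bin_alloc(toy_bin *b) {
    if (b->next >= NUM_SLOTS) return NULL;
    return b->mem + (size_t)b->order[b->next++] * SLOT_SIZE;
}

/* Signed distance in slots from allocation a to allocation c; 1 means c is
 * the slot immediately after a, i.e. reachable by a linear overflow of a. */
long toy_bin_slot_distance(const void *a, const void *c) {
    return (long)(((const unsigned char *)c - (const unsigned char *)a) / SLOT_SIZE);
}

/* Allocate the whole chunk and count how many consecutive allocation pairs
 * are adjacent. Sequential order gives NUM_SLOTS-1 (every pair). */
size_t toy_bin_count_adjacent_pairs(int randomize, uint64_t seed) {
    toy_bin b;
    size_t adjacent = 0;
    toy_bin_init(&b, randomize, seed);
    void *prev = toy_bin_alloc(&b);
    for (void *cur; (cur = toy_bin_alloc(&b)) != NULL; prev = cur)
        if (toy_bin_slot_distance(prev, cur) == 1) adjacent++;
    return adjacent;
}

/* Sanity check for the shuffle: every slot is handed out exactly once, every
 * pointer lies inside the chunk, and the bin reports exhaustion afterwards. */
int toy_bin_is_permutation(int randomize, uint64_t seed) {
    toy_bin b;
    int seen[NUM_SLOTS] = {0};
    toy_bin_init(&b, randomize, seed);
    for (size_t n = 0; n < NUM_SLOTS; n++) {
        unsigned char *p = toy_bin_alloc(&b);
        if (p == NULL || p < b.mem || p >= b.mem + sizeof b.mem) return 0;
        size_t idx = (size_t)(p - b.mem) / SLOT_SIZE;
        if (seen[idx]++) return 0;
    }
    return toy_bin_alloc(&b) == NULL;
}

int main(void) {
    printf("sequential freelist: %zu/%d adjacent pairs\n",
           toy_bin_count_adjacent_pairs(0, 1), NUM_SLOTS - 1);
    printf("randomized freelist: %zu/%d adjacent pairs\n",
           toy_bin_count_adjacent_pairs(1, 1), NUM_SLOTS - 1);
    return 0;
}
```

The sequential bin reports that every one of the 31 pairs is adjacent; the shuffled bin reports far fewer, and which pairs remain adjacent changes with the seed. This only raises the cost of the simplest linear-overflow layout: as the comments above note, an attacker who can allocate freely can still drain and refill the bin (heap feng shui) until the layout suits them, so randomizing the free list is a complement to, not a replacement for, the other items in the list.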