PHP's heap implementation is the one that virtually everybody uses: it's fast,
it's there by default, it works, …
The only major user I've ever found of a custom heap implementation [is
phpdbg](https://github.com/rogercaetanos/php-src/blob/e39db5773d9443e2cfee92bc31651848c044c325/sapi/phpdbg/phpdbg.c#L968-L999),
but it looks dispensable at best. Some other debuggers and profilers might use
it, and that's alright, but I don't think that this feature should be enabled by
default.
Disabling ZEND_MM_CUSTOM will save a couple of bytes (yay), but the
main goal is to close a low-hanging exploitation vector: as [presented at
OffensiveCon 2024](https://youtu.be/dqKFHjcK9hM?t=1622), having trivially
callable, writeable function pointers at the top of the heap makes it
straightforward to turn a limited write into arbitrary code execution.
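To make the trade-off concrete, here is a small C model of the two heap layouts the description contrasts. It is an added illustration, not php-src code or part of this pull request, and every name in it (`custom_heap_t`, `plain_heap_t`, `custom_heap_alloc`, `custom_path_count`) is hypothetical. The first layout keeps a flag and handler pointers in the writable heap header and dispatches through them, as a ZEND_MM_CUSTOM build does; the second has no such fields, so the allocation path is fixed at compile time and the header is smaller.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model (added example, not php-src code) of a zend_mm-style heap
 * header in two configurations:
 *   custom_heap_t : models a ZEND_MM_CUSTOM build; the header carries a
 *                   flag plus handler pointers, and allocation dispatches
 *                   through those pointers whenever the flag is set.
 *   plain_heap_t  : models a build with ZEND_MM_CUSTOM off; there are no
 *                   handler pointers, so allocation always takes the
 *                   built-in path.
 * All identifiers are hypothetical and chosen for the illustration.
 */

typedef void *(*toy_malloc_fn)(size_t);
typedef void  (*toy_free_fn)(void *);

typedef struct {
    int           use_custom_heap;   /* plain data living in writable memory */
    toy_malloc_fn custom_malloc;     /* heap-resident function pointer       */
    toy_free_fn   custom_free;
    size_t        bytes_in_use;      /* ordinary allocator bookkeeping       */
} custom_heap_t;

typedef struct {
    size_t        bytes_in_use;      /* same bookkeeping, no pointers at all */
} plain_heap_t;

/* Built-in allocation path shared by both models. */
static void *builtin_alloc(size_t *bytes_in_use, size_t n)
{
    *bytes_in_use += n;
    return malloc(n);
}

/* ZEND_MM_CUSTOM-style path: the call target is decided by header data. */
void *custom_heap_alloc(custom_heap_t *h, size_t n)
{
    if (h->use_custom_heap) {
        return h->custom_malloc(n);  /* indirect call through the heap header */
    }
    return builtin_alloc(&h->bytes_in_use, n);
}

/* Hardened path: nothing in the header to dispatch on. */
void *plain_heap_alloc(plain_heap_t *h, size_t n)
{
    return builtin_alloc(&h->bytes_in_use, n);
}

/* Instrumented handler that only counts how often the indirect path runs. */
static int custom_calls;
static void *counting_malloc(size_t n)
{
    custom_calls++;
    return malloc(n);
}

/* Runs `rounds` allocations against a custom-capable header whose flag is
 * `flag` and returns how many of them went through the handler pointer:
 * 0 with the flag clear, `rounds` with it set. */
int custom_path_count(int flag, int rounds)
{
    custom_heap_t h = { flag, counting_malloc, free, 0 };
    custom_calls = 0;
    for (int i = 0; i < rounds; i++) {
        void *p = custom_heap_alloc(&h, 16);
        free(p);
    }
    return custom_calls;
}

/* Bytes of function-pointer storage each header keeps in writable memory. */
size_t custom_header_pointer_bytes(void)
{
    return sizeof(toy_malloc_fn) + sizeof(toy_free_fn);
}

size_t plain_header_pointer_bytes(void)
{
    return 0;
}

int main(void)
{
    printf("custom header: %zu bytes, %zu of them function pointers\n",
           sizeof(custom_heap_t), custom_header_pointer_bytes());
    printf("plain header:  %zu bytes, %zu of them function pointers\n",
           sizeof(plain_heap_t), plain_header_pointer_bytes());
    printf("indirect calls with flag clear: %d, with flag set: %d\n",
           custom_path_count(0, 4), custom_path_count(1, 4));
    return 0;
}
```

The point the model makes is the one the description makes: in the custom-capable layout, which code runs on allocation is a function of data stored in the heap itself, so the control path depends on memory an application bug can touch; in the plain layout that dependency simply does not exist, and the header is a few bytes shorter as a side effect.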