Fix SELinux mprotect execheap error due to mem adjacent to heap

iluuu1994 · iluuu1994 · commit 7cf1a2ad9d43 · 2023-12-13T11:25:48.000+01:00
It seems SELinux has a bug where memory directly adjacent to the heap is interpreted as heap memory. Dodge this issue by leaving some space between the heap and memory suggested by find_prefered_mmap_base. See GH-12932 See https://bugzilla.kernel.org/show_bug.cgi?id=218258 Closes GH-12942
diff --git a/NEWS b/NEWS
@@ -13,6 +13,8 @@ PHP                                                                        NEWS
 - Opcache:
   . Fixed oss-fuzz #64727 (JIT undefined array key warning may overwrite DIM
     with NULL when DIM is the same var as result). (ilutov)
+  . Added workaround for SELinux mprotect execheap issue.
+    See https://bugzilla.kernel.org/show_bug.cgi?id=218258. (ilutov)
 
 21 Dec 2023, PHP 8.2.14
 
diff --git a/ext/opcache/shared_alloc_mmap.c b/ext/opcache/shared_alloc_mmap.c
@@ -62,6 +62,18 @@ static void *find_prefered_mmap_base(size_t requested_size)
 	}
 
 	while (fgets(buffer, MAXPATHLEN, f) && sscanf(buffer, "%lx-%lx", &start, &end) == 2) {
+		/* Don't place the segment directly before or after the heap segment. Due to an selinux bug,
+		 * a segment directly preceding or following the heap is interpreted as heap memory, which
+		 * will result in an execheap violation for the JIT.
+		 * See https://bugzilla.kernel.org/show_bug.cgi?id=218258. */
+		bool heap_segment = strstr(buffer, "[heap]") != NULL;
+		if (heap_segment) {
+			uintptr_t start_base = start & ~(huge_page_size - 1);
+			if (last_free_addr + requested_size >= start_base) {
+				last_free_addr = ZEND_MM_ALIGNED_SIZE_EX(end + huge_page_size, huge_page_size);
+				continue;
+			}
+		}
 		if ((uintptr_t)execute_ex >= start) {
 			/* the current segment lays before PHP .text segment or PHP .text segment itself */
 			if (last_free_addr + requested_size <= start) {
@@ -90,7 +102,9 @@ static void *find_prefered_mmap_base(size_t requested_size)
 			}
 		}
 		last_free_addr = ZEND_MM_ALIGNED_SIZE_EX(end, huge_page_size);
-
+		if (heap_segment) {
+			last_free_addr += huge_page_size;
+		}
 	}
 	fclose(f);
 #elif defined(__FreeBSD__)
