Segfault when running function in heap with executable permissions

by

Summary

The issue at hand is a segfault when attempting to execute a function stored in heap memory with executable permissions. The code reads the bytecode of a function from the .text segment, copies it to heap memory, changes the permissions to executable, and then tries to call the function from the heap. Despite the bytecode being identical, a segmentation error occurs when running the function from the heap.

Root Cause

The root cause of this issue is due to the following reasons:

  • NX bit: The No Execute (NX) bit is a security feature that prevents code execution in certain memory regions, including the heap.
  • ASLR: Address Space Layout Randomization (ASLR) randomizes the location of memory segments, making it difficult to predict where the heap will be located.
  • Memory protection: The mprotect system call only changes the permissions of the specified memory region, but does not guarantee that the region is executable.

Why This Happens in Real Systems

This issue occurs in real systems due to:

  • Security features: Modern operating systems have security features like NX bit and ASLR to prevent code injection attacks.
  • Memory management: The way memory is managed and protected in real systems can lead to segmentation faults when attempting to execute code from unexpected locations.

Real-World Impact

The real-world impact of this issue includes:

  • Security vulnerabilities: Allowing code execution from the heap can introduce security vulnerabilities.
  • System crashes: Attempting to execute code from the heap can cause system crashes or segmentation faults.
  • Performance issues: The use of mprotect and executable memory can lead to performance issues due to the overhead of changing memory permissions.

Example or Code

#include 
#include 
#include 
#include 
#include 
#include 

void a() { printf("a"); }

int main() {
    char *heap_pointer;
    char *func_pointer;
    int ret;
    int pagesize;
    int c;

    func_pointer = (char *) a;
    pagesize = sysconf(_SC_PAGE_SIZE);
    heap_pointer = aligned_alloc(pagesize, pagesize);

    c = 0;
    while(func_pointer[c] != (char)0xc3) {
        heap_pointer[c] = func_pointer[c];
        c++;
    }
    heap_pointer[c] = (char)0xc3;

    mprotect(heap_pointer, pagesize, PROT_WRITE | PROT_READ | PROT_EXEC);

    (*(void (*)())(func_pointer))();
    (*(void (*)())(heap_pointer))();

    mprotect(heap_pointer, pagesize, PROT_READ);
    return 0;
}

How Senior Engineers Fix It

Senior engineers fix this issue by:

  • Using Position-Independent Code (PIC): Compiling code with PIC allows it to be executed from any location.
  • Allocating executable memory: Using mmap or malloc with executable permissions to allocate memory for code execution.
  • Disabling NX bit: Disabling the NX bit for the specific memory region, if necessary.

Why Juniors Miss It

Juniors may miss this issue due to:

  • Lack of understanding of memory protection: Not fully understanding how memory protection works and how it affects code execution.
  • Insufficient knowledge of security features: Not being aware of security features like NX bit and ASLR and how they impact code execution.
  • Inadequate testing: Not thoroughly testing code execution from different memory locations, leading to unexpected segmentation faults.