The Tor Browser / file revision

 #!/usr/bin/env python

 # Copyright (c) 2011 The Chromium Authors. All rights reserved.

 # Use of this source code is governed by a BSD-style license that can be

 # found in the LICENSE file.

 """Usage: change_mach_o_flags.py [--executable-heap] [--no-pie] <executablepath>

 Arranges for the executable at |executable_path| to have its data (heap)

 pages protected to prevent execution on Mac OS X 10.7 ("Lion"), and to have

 the PIE (position independent executable) bit set to enable ASLR (address

 space layout randomization). With --executable-heap or --no-pie, the

 respective bits are cleared instead of set, making the heap executable or

 disabling PIE/ASLR.

 This script is able to operate on thin (single-architecture) Mach-O files

 and fat (universal, multi-architecture) files. When operating on fat files,

 it will set or clear the bits for each architecture contained therein.

 NON-EXECUTABLE HEAP

 Traditionally in Mac OS X, 32-bit processes did not have data pages set to

 prohibit execution. Although user programs could call mprotect and

 mach_vm_protect to deny execution of code in data pages, the kernel would

 silently ignore such requests without updating the page tables, and the

 hardware would happily execute code on such pages. 64-bit processes were

 always given proper hardware protection of data pages. This behavior was

 controllable on a system-wide level via the vm.allow_data_exec sysctl, which

 is set by default to 1. The bit with value 1 (set by default) allows code

 execution on data pages for 32-bit processes, and the bit with value 2

 (clear by default) does the same for 64-bit processes.

 In Mac OS X 10.7, executables can "opt in" to having hardware protection

 against code execution on data pages applied. This is done by setting a new

 bit in the |flags| field of an executable's |mach_header|. When

 MH_NO_HEAP_EXECUTION is set, proper protections will be applied, regardless

 of the setting of vm.allow_data_exec. See xnu-1699.22.73/osfmk/vm/vm_map.c

 override_nx and xnu-1699.22.73/bsd/kern/mach_loader.c load_machfile.

 The Apple toolchain has been revised to set the MH_NO_HEAP_EXECUTION when

 producing executables, provided that -allow_heap_execute is not specified

 at link time. Only linkers shipping with Xcode 4.0 and later (ld64-123.2 and

 later) have this ability. See ld64-123.2.1/src/ld/Options.cpp

 Options::reconfigureDefaults() and

 ld64-123.2.1/src/ld/HeaderAndLoadCommands.hpp

 HeaderAndLoadCommandsAtom<A>::flags().

 This script sets the MH_NO_HEAP_EXECUTION bit on Mach-O executables. It is

 intended for use with executables produced by a linker that predates Apple's

 modifications to set this bit itself. It is also useful for setting this bit

 for non-i386 executables, including x86_64 executables. Apple's linker only

 sets it for 32-bit i386 executables, presumably under the assumption that

 the value of vm.allow_data_exec is set in stone. However, if someone were to

 change vm.allow_data_exec to 2 or 3, 64-bit x86_64 executables would run

 without hardware protection against code execution on data pages. This

 script can set the bit for x86_64 executables, guaranteeing that they run

 with appropriate protection even when vm.allow_data_exec has been tampered

 with.

 POSITION-INDEPENDENT EXECUTABLES/ADDRESS SPACE LAYOUT RANDOMIZATION

 This script sets or clears the MH_PIE bit in an executable's Mach-O header,

 enabling or disabling position independence on Mac OS X 10.5 and later.

 Processes running position-independent executables have varying levels of

 ASLR protection depending on the OS release. The main executable's load

 address, shared library load addresess, and the heap and stack base

 addresses may be randomized. Position-independent executables are produced

 by supplying the -pie flag to the linker (or defeated by supplying -no_pie).

 Executables linked with a deployment target of 10.7 or higher have PIE on

 by default.

 This script is never strictly needed during the build to enable PIE, as all

 linkers used are recent enough to support -pie. However, it's used to

 disable the PIE bit as needed on already-linked executables.

 """

 import optparse

 import os

 import struct

 import sys

 # <mach-o/fat.h>

 FAT_MAGIC = 0xcafebabe

 FAT_CIGAM = 0xbebafeca

 # <mach-o/loader.h>

 MH_MAGIC = 0xfeedface

 MH_CIGAM = 0xcefaedfe

 MH_MAGIC_64 = 0xfeedfacf

 MH_CIGAM_64 = 0xcffaedfe

 MH_EXECUTE = 0x2

 MH_PIE = 0x00200000

 MH_NO_HEAP_EXECUTION = 0x01000000

 class MachOError(Exception):

   """A class for exceptions thrown by this module."""

   pass

 def CheckedSeek(file, offset):

   """Seeks the file-like object at |file| to offset |offset| and raises a

   MachOError if anything funny happens."""

   file.seek(offset, os.SEEK_SET)

   new_offset = file.tell()

   if new_offset != offset:

     raise MachOError, \

           'seek: expected offset %d, observed %d' % (offset, new_offset)

 def CheckedRead(file, count):

   """Reads |count| bytes from the file-like |file| object, raising a

   MachOError if any other number of bytes is read."""

   bytes = file.read(count)

   if len(bytes) != count:

     raise MachOError, \

           'read: expected length %d, observed %d' % (count, len(bytes))

   return bytes

 def ReadUInt32(file, endian):

   """Reads an unsinged 32-bit integer from the file-like |file| object,

   treating it as having endianness specified by |endian| (per the |struct|

   module), and returns it as a number. Raises a MachOError if the proper

   length of data can't be read from |file|."""

   bytes = CheckedRead(file, 4)

   (uint32,) = struct.unpack(endian + 'I', bytes)

   return uint32

 def ReadMachHeader(file, endian):

   """Reads an entire |mach_header| structure (<mach-o/loader.h>) from the

   file-like |file| object, treating it as having endianness specified by

   |endian| (per the |struct| module), and returns a 7-tuple of its members

   as numbers. Raises a MachOError if the proper length of data can't be read

   from |file|."""

   bytes = CheckedRead(file, 28)

   magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \

       struct.unpack(endian + '7I', bytes)

   return magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags

 def ReadFatArch(file):

   """Reads an entire |fat_arch| structure (<mach-o/fat.h>) from the file-like

   |file| object, treating it as having endianness specified by |endian|

   (per the |struct| module), and returns a 5-tuple of its members as numbers.

   Raises a MachOError if the proper length of data can't be read from

   |file|."""

   bytes = CheckedRead(file, 20)

   cputype, cpusubtype, offset, size, align = struct.unpack('>5I', bytes)

   return cputype, cpusubtype, offset, size, align

 def WriteUInt32(file, uint32, endian):

   """Writes |uint32| as an unsinged 32-bit integer to the file-like |file|

   object, treating it as having endianness specified by |endian| (per the

   |struct| module)."""

   bytes = struct.pack(endian + 'I', uint32)

   assert len(bytes) == 4

   file.write(bytes)

 def HandleMachOFile(file, options, offset=0):

   """Seeks the file-like |file| object to |offset|, reads its |mach_header|,

   and rewrites the header's |flags| field if appropriate. The header's

   endianness is detected. Both 32-bit and 64-bit Mach-O headers are supported

   (mach_header and mach_header_64). Raises MachOError if used on a header that

   does not have a known magic number or is not of type MH_EXECUTE. The

   MH_PIE and MH_NO_HEAP_EXECUTION bits are set or cleared in the |flags| field

   according to |options| and written to |file| if any changes need to be made.

   If already set or clear as specified by |options|, nothing is written."""

   CheckedSeek(file, offset)

   magic = ReadUInt32(file, '<')

   if magic == MH_MAGIC or magic == MH_MAGIC_64:

     endian = '<'

   elif magic == MH_CIGAM or magic == MH_CIGAM_64:

     endian = '>'

   else:

     raise MachOError, \

           'Mach-O file at offset %d has illusion of magic' % offset

   CheckedSeek(file, offset)

   magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \

       ReadMachHeader(file, endian)

   assert magic == MH_MAGIC or magic == MH_MAGIC_64

   if filetype != MH_EXECUTE:

     raise MachOError, \

           'Mach-O file at offset %d is type 0x%x, expected MH_EXECUTE' % \

               (offset, filetype)

   original_flags = flags

   if options.no_heap_execution:

     flags |= MH_NO_HEAP_EXECUTION

   else:

     flags &= ~MH_NO_HEAP_EXECUTION

   if options.pie:

     flags |= MH_PIE

   else:

     flags &= ~MH_PIE

   if flags != original_flags:

     CheckedSeek(file, offset + 24)

     WriteUInt32(file, flags, endian)

 def HandleFatFile(file, options, fat_offset=0):

   """Seeks the file-like |file| object to |offset| and loops over its

   |fat_header| entries, calling HandleMachOFile for each."""

   CheckedSeek(file, fat_offset)

   magic = ReadUInt32(file, '>')

   assert magic == FAT_MAGIC

   nfat_arch = ReadUInt32(file, '>')

   for index in xrange(0, nfat_arch):

     cputype, cpusubtype, offset, size, align = ReadFatArch(file)

     assert size >= 28

     # HandleMachOFile will seek around. Come back here after calling it, in

     # case it sought.

     fat_arch_offset = file.tell()

     HandleMachOFile(file, options, offset)

     CheckedSeek(file, fat_arch_offset)

 def main(me, args):

   parser = optparse.OptionParser('%prog [options] <executable_path>')

   parser.add_option('--executable-heap', action='store_false',

                     dest='no_heap_execution', default=True,

                     help='Clear the MH_NO_HEAP_EXECUTION bit')

   parser.add_option('--no-pie', action='store_false',

                     dest='pie', default=True,

                     help='Clear the MH_PIE bit')

   (options, loose_args) = parser.parse_args(args)

   if len(loose_args) != 1:

     parser.print_usage()

     return 1

   executable_path = loose_args[0]

   executable_file = open(executable_path, 'rb+')

   magic = ReadUInt32(executable_file, '<')

   if magic == FAT_CIGAM:

     # Check FAT_CIGAM and not FAT_MAGIC because the read was little-endian.

     HandleFatFile(executable_file, options)

   elif magic == MH_MAGIC or magic == MH_CIGAM or \

       magic == MH_MAGIC_64 or magic == MH_CIGAM_64:

     HandleMachOFile(executable_file, options)

   else:

     raise MachOError, '%s is not a Mach-O or fat file' % executable_file

   executable_file.close()

   return 0

 if __name__ == '__main__':

   sys.exit(main(sys.argv[0], sys.argv[1:]))