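#!/usr/bin/env python
# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

"""Usage: change_mach_o_flags.py [--executable-heap] [--no-pie] <executable_path>

Arranges for the executable at |executable_path| to have its data (heap)
pages protected to prevent execution on Mac OS X 10.7 ("Lion"), and to have
the PIE (position independent executable) bit set to enable ASLR (address
space layout randomization). With --executable-heap or --no-pie, the
respective bits are cleared instead of set, making the heap executable or
disabling PIE/ASLR.

This script is able to operate on thin (single-architecture) Mach-O files
and fat (universal, multi-architecture) files. When operating on fat files,
it will set or clear the bits for each architecture contained therein.

NON-EXECUTABLE HEAP

Traditionally in Mac OS X, 32-bit processes did not have data pages set to
prohibit execution. Although user programs could call mprotect and
mach_vm_protect to deny execution of code in data pages, the kernel would
silently ignore such requests without updating the page tables, and the
hardware would happily execute code on such pages. 64-bit processes were
always given proper hardware protection of data pages. This behavior was
controllable on a system-wide level via the vm.allow_data_exec sysctl, which
is set by default to 1. The bit with value 1 (set by default) allows code
execution on data pages for 32-bit processes, and the bit with value 2
(clear by default) does the same for 64-bit processes.

In Mac OS X 10.7, executables can "opt in" to having hardware protection
against code execution on data pages applied. This is done by setting a new
bit in the |flags| field of an executable's |mach_header|. When
MH_NO_HEAP_EXECUTION is set, proper protections will be applied, regardless
of the setting of vm.allow_data_exec. See xnu-1699.22.73/osfmk/vm/vm_map.c
override_nx and xnu-1699.22.73/bsd/kern/mach_loader.c load_machfile.

The Apple toolchain has been revised to set the MH_NO_HEAP_EXECUTION bit when
producing executables, provided that -allow_heap_execute is not specified
at link time. Only linkers shipping with Xcode 4.0 and later (ld64-123.2 and
later) have this ability. See ld64-123.2.1/src/ld/Options.cpp
Options::reconfigureDefaults() and
ld64-123.2.1/src/ld/HeaderAndLoadCommands.hpp
HeaderAndLoadCommandsAtom::flags().

This script sets the MH_NO_HEAP_EXECUTION bit on Mach-O executables. It is
intended for use with executables produced by a linker that predates Apple's
modifications to set this bit itself. It is also useful for setting this bit
for non-i386 executables, including x86_64 executables. Apple's linker only
sets it for 32-bit i386 executables, presumably under the assumption that
the value of vm.allow_data_exec is set in stone. However, if someone were to
change vm.allow_data_exec to 2 or 3, 64-bit x86_64 executables would run
without hardware protection against code execution on data pages. This
script can set the bit for x86_64 executables, guaranteeing that they run
with appropriate protection even when vm.allow_data_exec has been tampered
with.

POSITION-INDEPENDENT EXECUTABLES/ADDRESS SPACE LAYOUT RANDOMIZATION

This script sets or clears the MH_PIE bit in an executable's Mach-O header,
enabling or disabling position independence on Mac OS X 10.5 and later.
Processes running position-independent executables have varying levels of
ASLR protection depending on the OS release. The main executable's load
address, shared library load addresses, and the heap and stack base
addresses may be randomized. Position-independent executables are produced
by supplying the -pie flag to the linker (or defeated by supplying -no_pie).
Executables linked with a deployment target of 10.7 or higher have PIE on
by default.

This script is never strictly needed during the build to enable PIE, as all
linkers used are recent enough to support -pie. However, it's used to
disable the PIE bit as needed on already-linked executables.
"""

import optparse
import os
import struct
import sys


# From <mach-o/fat.h>. Fat (universal) headers are always stored big-endian;
# FAT_CIGAM is what FAT_MAGIC looks like when read little-endian.
FAT_MAGIC = 0xcafebabe
FAT_CIGAM = 0xbebafeca

# From <mach-o/loader.h>. The *_CIGAM values are the byte-swapped magics seen
# when a header's endianness differs from the endianness it is read with.
MH_MAGIC = 0xfeedface
MH_CIGAM = 0xcefaedfe
MH_MAGIC_64 = 0xfeedfacf
MH_CIGAM_64 = 0xcffaedfe
MH_EXECUTE = 0x2
MH_PIE = 0x00200000
MH_NO_HEAP_EXECUTION = 0x01000000

# Size in bytes of the seven uint32 fields shared by mach_header and
# mach_header_64 (magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds,
# flags), and the offset of |flags| within them.
MACH_HEADER_SIZE = 28
MACH_HEADER_FLAGS_OFFSET = 24


class MachOError(Exception):
  """Raised for any structural problem found while reading or rewriting a
  Mach-O or fat file: a failed seek, a short read, an unknown magic number, a
  file type other than MH_EXECUTE, or a malformed fat_arch entry."""

  pass


def CheckedSeek(file, offset):
  """Seeks the file-like object at |file| to offset |offset| and raises a
  MachOError if the position reported by |file|.tell() afterwards is not
  |offset|."""

  file.seek(offset, os.SEEK_SET)
  new_offset = file.tell()
  if new_offset != offset:
    raise MachOError(
        'seek: expected offset %d, observed %d' % (offset, new_offset))


def CheckedRead(file, count):
  """Reads exactly |count| bytes from the file-like |file| object and returns
  them, raising a MachOError if any other number of bytes is read (for
  example because end of file was reached first)."""

  data = file.read(count)
  if len(data) != count:
    raise MachOError(
        'read: expected length %d, observed %d' % (count, len(data)))

  return data


def ReadUInt32(file, endian):
  """Reads an unsigned 32-bit integer from the file-like |file| object,
  treating it as having endianness specified by |endian| (a |struct| module
  byte-order character, '<' or '>'), and returns it as a number. Raises a
  MachOError if four bytes can't be read from |file|."""

  data = CheckedRead(file, 4)

  (uint32,) = struct.unpack(endian + 'I', data)
  return uint32


def ReadMachHeader(file, endian):
  """Reads the seven uint32 fields of a |mach_header| structure (from
  <mach-o/loader.h>) from the file-like |file| object, treating it as having
  endianness specified by |endian| (per the |struct| module), and returns a
  7-tuple (magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags) of
  its members as numbers. These fields are also the leading fields of
  |mach_header_64|, so the same read works for 64-bit headers. Raises a
  MachOError if the proper length of data can't be read from |file|."""

  data = CheckedRead(file, MACH_HEADER_SIZE)

  magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
      struct.unpack(endian + '7I', data)
  return magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags


def ReadFatArch(file):
  """Reads an entire |fat_arch| structure (from <mach-o/fat.h>) from the
  file-like |file| object and returns a 5-tuple (cputype, cpusubtype, offset,
  size, align) of its members as numbers. Fat structures are always stored
  big-endian, so no endianness argument is taken. Raises a MachOError if the
  proper length of data can't be read from |file|."""

  data = CheckedRead(file, 20)

  cputype, cpusubtype, offset, size, align = struct.unpack('>5I', data)
  return cputype, cpusubtype, offset, size, align


def WriteUInt32(file, uint32, endian):
  """Writes |uint32| as an unsigned 32-bit integer to the file-like |file|
  object at its current position, treating it as having endianness specified
  by |endian| (per the |struct| module)."""

  data = struct.pack(endian + 'I', uint32)
  # struct guarantees this for 'I'; the assert documents the invariant.
  assert len(data) == 4

  file.write(data)


def HandleMachOFile(file, options, offset=0):
  """Seeks the file-like |file| object to |offset|, reads its |mach_header|,
  and rewrites the header's |flags| field if appropriate. The header's
  endianness is detected from its magic number. Both 32-bit and 64-bit Mach-O
  headers are supported (mach_header and mach_header_64). Raises MachOError if
  used on a header that does not have a known magic number or is not of type
  MH_EXECUTE. The MH_PIE and MH_NO_HEAP_EXECUTION bits are set or cleared in
  the |flags| field according to |options|.pie and
  |options|.no_heap_execution and written to |file| if any changes need to be
  made. If already set or clear as specified by |options|, nothing is
  written."""

  CheckedSeek(file, offset)
  magic = ReadUInt32(file, '<')
  if magic == MH_MAGIC or magic == MH_MAGIC_64:
    endian = '<'
  elif magic == MH_CIGAM or magic == MH_CIGAM_64:
    endian = '>'
  else:
    raise MachOError(
        'Mach-O file at offset %d has illusion of magic' % offset)

  CheckedSeek(file, offset)
  magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
      ReadMachHeader(file, endian)
  # Re-reading the same bytes with the detected endianness must yield the
  # native magic; this is an internal invariant, not input validation.
  assert magic == MH_MAGIC or magic == MH_MAGIC_64
  if filetype != MH_EXECUTE:
    raise MachOError(
        'Mach-O file at offset %d is type 0x%x, expected MH_EXECUTE' %
        (offset, filetype))

  original_flags = flags

  # Clearing either bit weakens the executable's hardening (executable heap,
  # no ASLR); it only happens when the caller explicitly asked for it.
  if options.no_heap_execution:
    flags |= MH_NO_HEAP_EXECUTION
  else:
    flags &= ~MH_NO_HEAP_EXECUTION

  if options.pie:
    flags |= MH_PIE
  else:
    flags &= ~MH_PIE

  if flags != original_flags:
    CheckedSeek(file, offset + MACH_HEADER_FLAGS_OFFSET)
    WriteUInt32(file, flags, endian)


def HandleFatFile(file, options, fat_offset=0):
  """Seeks the file-like |file| object to |fat_offset|, reads its |fat_header|,
  and loops over the |fat_arch| entries that follow it, calling
  HandleMachOFile for each embedded architecture. Raises MachOError if the
  magic at |fat_offset| is not FAT_MAGIC or if a |fat_arch| entry is too small
  to hold a |mach_header|."""

  CheckedSeek(file, fat_offset)
  magic = ReadUInt32(file, '>')
  if magic != FAT_MAGIC:
    raise MachOError(
        'fat file at offset %d has magic 0x%x, expected FAT_MAGIC' %
        (fat_offset, magic))

  nfat_arch = ReadUInt32(file, '>')

  for index in range(nfat_arch):
    cputype, cpusubtype, offset, size, align = ReadFatArch(file)
    # |size| comes straight from the file being rewritten, so validate it with
    # a real exception rather than an assert, which is stripped under -O.
    if size < MACH_HEADER_SIZE:
      raise MachOError(
          'fat_arch %d in fat file at offset %d has size %d, smaller than a '
          'mach_header' % (index, fat_offset, size))

    # HandleMachOFile will seek around. Come back here after calling it, in
    # case it sought.
    fat_arch_offset = file.tell()
    HandleMachOFile(file, options, offset)
    CheckedSeek(file, fat_arch_offset)


def main(me, args):
  """Parses |args| (the command line without the program name |me|), opens
  the single positional executable path for in-place rewriting, and sets or
  clears the MH_NO_HEAP_EXECUTION and MH_PIE bits in every Mach-O header it
  contains. Returns 0 on success and 1 on a usage error. Raises MachOError if
  the file is neither a thin Mach-O executable nor a fat file, or if it is
  malformed."""

  parser = optparse.OptionParser('%prog [options] <executable_path>')
  parser.add_option('--executable-heap', action='store_false',
                    dest='no_heap_execution', default=True,
                    help='Clear the MH_NO_HEAP_EXECUTION bit')
  parser.add_option('--no-pie', action='store_false',
                    dest='pie', default=True,
                    help='Clear the MH_PIE bit')
  (options, loose_args) = parser.parse_args(args)
  if len(loose_args) != 1:
    parser.print_usage()
    return 1

  executable_path = loose_args[0]
  # 'rb+' so the header can be rewritten in place. The with block closes the
  # file even when a MachOError propagates out of the handlers.
  with open(executable_path, 'rb+') as executable_file:
    magic = ReadUInt32(executable_file, '<')
    if magic == FAT_CIGAM:
      # Check FAT_CIGAM and not FAT_MAGIC because the read was little-endian
      # and fat headers are always stored big-endian.
      HandleFatFile(executable_file, options)
    elif magic in (MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64):
      HandleMachOFile(executable_file, options)
    else:
      # Name the path, not the file object, in the error.
      raise MachOError('%s is not a Mach-O or fat file' % executable_path)

  return 0


if __name__ == '__main__':
  sys.exit(main(sys.argv[0], sys.argv[1:]))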