Deal with ASLR on Mac OS #29

Closed
GoogleCodeExporter opened this issue Aug 24, 2015 · 9 comments
Comments

@GoogleCodeExporter

ASLR is bound to the MH_PIE bit in the Mach-O header.
If a binary is built with --no_pie, ASLR is off and there's nothing to worry about.

For a program with the MH_PIE bit set, ASLR can be disabled at runtime:
 -- on Snow Leopard -- by setting DYLD_NO_PIE=1
 -- on Lion -- by passing the _POSIX_SPAWN_DISABLE_ASLR flag to posix_spawnattr_setflags (see http://reverse.put.as/2011/08/11/how-gdb-disables-aslr-in-mac-os-x-lion/)

So there are several ways of dealing with ASLR:
 1. Always build with --no_pie if -faddress-sanitizer is on.
 2. At runtime, check that the code segments do not interleave with the shadow and:
   2.1 Print an error message that tells the user to set DYLD_NO_PIE=1 on 10.6 or build with --no_pie on 10.7
   2.2 Do fork+exec to start a new process with ASLR disabled

Original issue reported on code.google.com by ramosian.glider@gmail.com on 18 Jan 2012 at 1:21

@GoogleCodeExporter

Does this mean that on 10.7 the only two choices are --no_pie and fork+exec? 

Original comment by konstant...@gmail.com on 18 Jan 2012 at 5:45

@GoogleCodeExporter

Exactly.

Original comment by ramosian.glider@gmail.com on 19 Jan 2012 at 8:06

@GoogleCodeExporter

I completely forgot about another method suggested by Mark Mentovai that works reliably on all OS X versions. One can unset the MH_PIE bit in an already linked executable, using e.g. this script: http://src.chromium.org/viewvc/chrome/trunk/src/build/mac/change_mach_o_flags.py?view=markup

This method is less convenient to integrate with every build process. To do that we'll need to make Clang run this script after every ld invocation, which is in fact similar to adding the --no_pie flag.

Original comment by ramosian.glider@gmail.com on 19 Jan 2012 at 8:32
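The two mechanics discussed so far, reading the MH_PIE bit out of a Mach-O header and clearing it in an already linked image (the change_mach_o_flags.py approach), as an added C example. This is not ASan's runtime code and not the Chromium script; the loader constants are re-declared from <mach-o/loader.h> so the example also builds off macOS, and the header bytes it inspects are constructed inline rather than read from a file. Fat (universal) binaries are not handled: each slice would need the same treatment.

```c
/* Added example, not ASan's or Chromium's code: inspect and clear MH_PIE in
 * a Mach-O header held in memory. Constants copied from <mach-o/loader.h>
 * so the code builds on any host; values are interpreted in host byte order,
 * which is the case that matters when a process inspects its own image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC    0xfeedfaceu   /* 32-bit Mach-O */
#define MH_MAGIC_64 0xfeedfacfu   /* 64-bit Mach-O */
#define MH_EXECUTE  0x2u          /* filetype: main executable */
#define MH_NOUNDEFS 0x1u          /* flags: no undefined references */
#define MH_PIE      0x200000u     /* flags: image may be slid by ASLR */

/* Fields shared by mach_header and mach_header_64 up to `flags`;
   the 64-bit header only adds a trailing `reserved` word. */
struct mh_prefix {
    uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags;
};

static int read_prefix(const unsigned char *buf, size_t len, struct mh_prefix *h) {
    if (len < sizeof *h) return -1;
    memcpy(h, buf, sizeof *h);
    if (h->magic != MH_MAGIC && h->magic != MH_MAGIC_64) return -1;
    return 0;
}

/* 1 if MH_PIE is set, 0 if it is a Mach-O header without MH_PIE, -1 if not Mach-O. */
int macho_is_pie(const unsigned char *buf, size_t len) {
    struct mh_prefix h;
    if (read_prefix(buf, len, &h) != 0) return -1;
    return (h.flags & MH_PIE) ? 1 : 0;
}

/* Clears MH_PIE in place (what change_mach_o_flags.py does to the file on
   disk). Returns 0 on success, -1 if the buffer is not a Mach-O header. */
int macho_clear_pie(unsigned char *buf, size_t len) {
    struct mh_prefix h;
    if (read_prefix(buf, len, &h) != 0) return -1;
    h.flags &= ~MH_PIE;
    memcpy(buf, &h, sizeof h);
    return 0;
}

/* Constructed sample: a 64-bit x86_64 executable header with MH_PIE set.
   ncmds/sizeofcmds are zero because no load commands follow in this demo. */
size_t sample_pie_header(unsigned char *out, size_t cap) {
    struct { struct mh_prefix p; uint32_t reserved; } h = {
        { MH_MAGIC_64, 0x01000007u /* CPU_TYPE_X86_64 */, 3 /* CPU_SUBTYPE_X86_64_ALL */,
          MH_EXECUTE, 0, 0, MH_NOUNDEFS | MH_PIE },
        0
    };
    if (cap < sizeof h) return 0;
    memcpy(out, &h, sizeof h);
    return sizeof h;
}

int main(void) {
    unsigned char buf[32];
    size_t n = sample_pie_header(buf, sizeof buf);
    printf("MH_PIE set before: %d\n", macho_is_pie(buf, n));
    if (macho_clear_pie(buf, n) == 0)
        printf("MH_PIE set after clearing: %d\n", macho_is_pie(buf, n));
    return 0;
}
```

To apply this to a real file, read the first 32 bytes, run `macho_clear_pie` on them and write them back; for a fat binary, walk the `fat_arch` table first and do this at each slice offset. Clearing the bit after linking is exactly what `-no_pie` at link time would have produced, which is why the comment above calls the two approaches similar.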

@GoogleCodeExporter

I'm now considering the following roadmap:

1. Introduce the disable_aslr runtime flag that will tell ASan to do fork+exec. Set disable_aslr=0 on Snow Leopard and disable_aslr=1 on Lion by default.
2. If the MH_PIE bit is set and any of the current mappings is going to intersect with the shadow, do the following:
 -- if disable_aslr is 0, print a warning and die;
 -- if disable_aslr is 1, fix ASLR by doing fork+exec
3. Make sure Clang doesn't set MH_PIE for executables built with -faddress-sanitizer.

Step 1 is mainly needed to start running Chrome on Lion without additional GYP hackery. We can also skip Step 2 and pass to Step 3 if we finally want to get rid of disable_aslr.

Original comment by ramosian.glider@gmail.com on 1 Feb 2012 at 10:57

  • Added labels: OpSys-OSX

@GoogleCodeExporter

I've spent some time playing with ASLR on Lion and here are two conclusions:
 -- doing posix_spawn with POSIX_SPAWN_SETEXEC and _POSIX_SPAWN_DISABLE_ASLR is equivalent to exec() without fork() and should disable ASLR as well;
 -- I haven't managed to trigger any ASLR problems on Lion for the binaries built with -fpie. This is probably because ASLR is much smarter on Lion.

Attached is the patch that disables ASLR on Lion, but I'm not going to commit it until I notice any problems with ASLR on Lion.

Original comment by ramosian.glider@gmail.com on 1 Feb 2012 at 2:21

Attachments:
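Roadmap step 2 from the earlier comment (check the live mappings against the shadow, then either die or re-exec) combined with the POSIX_SPAWN_SETEXEC observation above, as an added C example that is not the attached patch and not ASan's code. The shadow bounds, the process map and the ASAN_EXAMPLE_REEXECED environment variable are constructed for the demo; a real runtime would take the shadow range from its own layout and the mappings from mach_vm_region() or the dyld image list. _POSIX_SPAWN_DISABLE_ASLR is a private flag, so it is defined here with the value 0x0100 given in the linked reverse.put.as article when the SDK does not provide it; on other platforms the re-exec path compiles to a failure return.

```c
/* Added example, not AddressSanitizer's code: decide whether a PIE image
 * collided with the shadow region and, if the disable_aslr flag says so,
 * exec() ourselves again with ASLR turned off via posix_spawn(SETEXEC). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <spawn.h>
#include <unistd.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>            /* _NSGetExecutablePath */
#ifndef _POSIX_SPAWN_DISABLE_ASLR   /* private; value per the linked article (assumption) */
#define _POSIX_SPAWN_DISABLE_ASLR 0x0100
#endif
extern char **environ;
#endif

struct mapping { uint64_t start, end; const char *name; };   /* [start, end) */

/* Constructed shadow region and process map for the demo. */
static const uint64_t kShadowLo = 0x100000000000ull;
static const uint64_t kShadowHi = 0x200000000000ull;
static const struct mapping kSampleMaps[] = {
    { 0x000100000000ull, 0x000100004000ull, "a.out __TEXT" },
    { 0x7fff5fc00000ull, 0x7fff5fc40000ull, "dyld" },
    { 0x10b8c0000000ull, 0x10b8c0010000ull, "libfoo.dylib (slid into the shadow)" },
};
#define kSampleMapCount (sizeof kSampleMaps / sizeof kSampleMaps[0])

static int ranges_overlap(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1) {
    return a0 < b1 && b0 < a1;   /* half-open intervals */
}

/* Index of the first mapping that intersects [shadow_lo, shadow_hi), or -1. */
int first_mapping_in_shadow(const struct mapping *maps, size_t n,
                            uint64_t shadow_lo, uint64_t shadow_hi) {
    for (size_t i = 0; i < n; i++)
        if (ranges_overlap(maps[i].start, maps[i].end, shadow_lo, shadow_hi))
            return (int)i;
    return -1;
}

/* 0: nothing to do; 1: conflict with disable_aslr=0, warn and die;
   2: conflict with disable_aslr=1, re-exec with ASLR off. */
int aslr_decision(int is_pie, int conflict_index, int disable_aslr) {
    if (!is_pie || conflict_index < 0) return 0;
    return disable_aslr ? 2 : 1;
}

/* SETEXEC makes posix_spawn replace the calling process instead of forking,
   so this is "exec() without fork()". Returns only on failure. */
int reexec_without_aslr(char *const argv[]) {
#ifdef __APPLE__
    if (getenv("ASAN_EXAMPLE_REEXECED")) return -1;  /* never loop (assumed name) */
    setenv("ASAN_EXAMPLE_REEXECED", "1", 1);
    char path[4096];
    uint32_t size = sizeof path;
    if (_NSGetExecutablePath(path, &size) != 0) return -1;
    posix_spawnattr_t attr;
    posix_spawnattr_init(&attr);
    posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETEXEC | _POSIX_SPAWN_DISABLE_ASLR);
    pid_t pid;
    int rc = posix_spawn(&pid, path, NULL, &attr, argv, environ);
    posix_spawnattr_destroy(&attr);
    return rc ? -1 : 0;
#else
    (void)argv;
    return -1;   /* these spawn flags exist only on Mac OS X */
#endif
}

int main(int argc, char **argv) {
    (void)argc;
    int idx = first_mapping_in_shadow(kSampleMaps, kSampleMapCount, kShadowLo, kShadowHi);
    int what = aslr_decision(/*is_pie=*/1, idx, /*disable_aslr=*/1);
    if (what == 0) { puts("no mapping overlaps the shadow"); return 0; }
    fprintf(stderr, "ASan: %s overlaps the shadow region\n", kSampleMaps[idx].name);
    if (what == 1) { fputs("ASan: set DYLD_NO_PIE=1 or link with --no_pie\n", stderr); return 1; }
    reexec_without_aslr(argv);
    return 1;   /* reached only if the re-exec failed */
}
```

Because the sample map always conflicts, a stand-alone run on OS X re-execs once, then hits the loop guard on the second pass and exits 1; a real runtime would recompute the mappings after the re-exec and find no conflict. The environment-variable guard matters: a re-exec that fires unconditionally would spin forever if the new image still collided.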

@GoogleCodeExporter

As Snow Leopard will be obsolete soon, the issue becomes less (if at all) important.
The reliable workaround is to set DYLD_NO_PIE=1.

Original comment by ramosian.glider@gmail.com on 29 Oct 2012 at 11:11

  • Added labels: Priority-Low
  • Removed labels: Priority-Medium

@GoogleCodeExporter

Do we still need to support 10.6? 
Can we close this bug? 

Original comment by konstant...@gmail.com on 18 Feb 2013 at 7:15

@GoogleCodeExporter

We still need to support 10.6 for some time, yet we don't want to fix ASLR on 10.6.
Will reopen if we ever have problems with newer OS X versions.

Original comment by ramosian.glider@gmail.com on 18 Feb 2013 at 11:13

  • Changed state: WontFix

@GoogleCodeExporter

Adding Project:AddressSanitizer as part of GitHub migration.

Original comment by ramosian.glider@gmail.com on 30 Jul 2015 at 9:12

  • Added labels: ProjectAddressSanitizer
