| OLD | NEW |
|---|
| (Empty) | |
| 1 #!/usr/bin/python |
| 2 |
| 3 # Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. |
| 6 |
| 7 # Usage: make_heap_non_executable.py <executable_path> |
| 8 # |
| 9 # Arranges for the executable at |executable_path| to have its data (heap) |
| 10 # pages protected to prevent execution on Mac OS X 10.7 ("Lion"). |
| 11 # |
| 12 # Traditionally in Mac OS X, 32-bit processes did not have data pages set to |
| 13 # prohibit execution. Although user programs could call mprotect and |
| 14 # mach_vm_protect to deny execution of code in data pages, the kernel would |
| 15 # silently ignore such requests without updating the page tables, and the |
| 16 # hardware would happily execute code on such pages. 64-bit processes were |
| 17 # always given proper hardware protection of data pages. This behavior was |
| 18 # controllable on a system-wide level via the vm.allow_data_exec sysctl, which |
| 19 # is set by default to 1. The bit with value 1 (set by default) allows code |
| 20 # execution on data pages for 32-bit processes, and the bit with value 2 |
| 21 # (clear by default) does the same for 64-bit processes. |
| 22 # |
| 23 # In Mac OS X 10.7, executables can "opt in" to having hardware protection |
| 24 # against code execution on data pages applied. This is done by setting a new |
| 25 # bit in the |flags| field of an executable's |mach_header|. When |
| 26 # MH_NO_HEAP_EXECUTION is set, proper protections will be applied, regardless |
| 27 # of the setting of vm.allow_data_exec. See xnu-1699.22.73/osfmk/vm/vm_map.c |
| 28 # override_nx and xnu-1699.22.73/bsd/kern/mach_loader.c load_machfile. |
| 29 # |
| 30 # The Apple toolchain has been revised to set the MH_NO_HEAP_EXECUTION when |
| 31 # producing executables, provided that -allow_heap_execute is not specified |
| 32 # at link time. Only linkers shipping with Xcode 4.0 and later (ld64-123.2 and |
| 33 # later) have this ability. See ld64-123.2.1/src/ld/Options.cpp |
| 34 # Options::reconfigureDefaults() and |
| 35 # ld64-123.2.1/src/ld/HeaderAndLoadCommands.hpp |
| 36 # HeaderAndLoadCommandsAtom<A>::flags(). |
| 37 # |
| 38 # This script sets the MH_NO_HEAP_EXECUTION bit on Mach-O executables. It is |
| 39 # intended for use with executables produced by a linker that predates Apple's |
| 40 # modifications to set this bit itself. It is also useful for setting this bit |
| 41 # for non-i386 executables, including x86_64 executables. Apple's linker only |
| 42 # sets it for 32-bit i386 executables, presumably under the assumption that |
| 43 # the value of vm.allow_data_exec is set in stone. However, if someone were to |
| 44 # change vm.allow_data_exec to 2 or 3, 64-bit x86_64 executables would run |
| 45 # without hardware protection against code execution on data pages. This |
| 46 # script can set the bit for x86_64 executables, guaranteeing that they run |
| 47 # with appropriate protection even when vm.allow_data_exec has been tampered |
| 48 # with. |
| 49 # |
| 50 # This script is able to operate on thin (single-architecture) Mach-O files |
| 51 # and fat (universal, multi-architecture) files. When operating on fat files, |
| 52 # it will set the MH_NO_HEAP_EXECUTION bit for each architecture contained |
| 53 # therein. |
| 54 |
| 55 |
| 56 import os |
| 57 import struct |
| 58 import sys |
| 59 |
| 60 |
| 61 # <mach-o/fat.h> |
| 62 FAT_MAGIC = 0xcafebabe |
| 63 FAT_CIGAM = 0xbebafeca |
| 64 |
| 65 # <mach-o/loader.h> |
| 66 MH_MAGIC = 0xfeedface |
| 67 MH_CIGAM = 0xcefaedfe |
| 68 MH_MAGIC_64 = 0xfeedfacf |
| 69 MH_CIGAM_64 = 0xcffaedfe |
| 70 MH_EXECUTE = 0x2 |
| 71 MH_NO_HEAP_EXECUTION = 0x1000000 |
| 72 |
| 73 |
| 74 class MachOError(Exception): |
| 75 """A class for exceptions thrown by this module.""" |
| 76 |
| 77 pass |
| 78 |
| 79 |
| 80 def CheckedSeek(file, offset): |
| 81 """Seeks the file-like object at |file| to offset |offset| and raises a |
| 82 MachOError if anything funny happens.""" |
| 83 |
| 84 file.seek(offset, os.SEEK_SET) |
| 85 new_offset = file.tell() |
| 86 if new_offset != offset: |
| 87 raise MachOError, \ |
| 88 'seek: expected offset %d, observed %d' % (offset, new_offset) |
| 89 |
| 90 |
| 91 def CheckedRead(file, count): |
| 92 """Reads |count| bytes from the file-like |file| object, raising a |
| 93 MachOError if any other number of bytes is read.""" |
| 94 |
| 95 bytes = file.read(count) |
| 96 if len(bytes) != count: |
| 97 raise MachOError, \ |
| 98 'read: expected length %d, observed %d' % (count, len(bytes)) |
| 99 |
| 100 return bytes |
| 101 |
| 102 |
| 103 def ReadUInt32(file, endian): |
| 104 """Reads an unsinged 32-bit integer from the file-like |file| object, |
| 105 treating it as having endianness specified by |endian| (per the |struct| |
| 106 module), and returns it as a number. Raises a MachOError if the proper |
| 107 length of data can't be read from |file|.""" |
| 108 |
| 109 bytes = CheckedRead(file, 4) |
| 110 |
| 111 (uint32,) = struct.unpack(endian + 'I', bytes) |
| 112 return uint32 |
| 113 |
| 114 |
| 115 def ReadMachHeader(file, endian): |
| 116 """Reads an entire |mach_header| structure (<mach-o/loader.h>) from the |
| 117 file-like |file| object, treating it as having endianness specified by |
| 118 |endian| (per the |struct| module), and returns a 7-tuple of its members |
| 119 as numbers. Raises a MachOError if the proper length of data can't be read |
| 120 from |file|.""" |
| 121 |
| 122 bytes = CheckedRead(file, 28) |
| 123 |
| 124 magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \ |
| 125 struct.unpack(endian + '7I', bytes) |
| 126 return magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags |
| 127 |
| 128 |
| 129 def ReadFatArch(file): |
| 130 """Reads an entire |fat_arch| structure (<mach-o/fat.h>) from the file-like |
| 131 |file| object, treating it as having endianness specified by |endian| |
| 132 (per the |struct| module), and returns a 5-tuple of its members as numbers. |
| 133 Raises a MachOError if the proper length of data can't be read from |
| 134 |file|.""" |
| 135 |
| 136 bytes = CheckedRead(file, 20) |
| 137 |
| 138 cputype, cpusubtype, offset, size, align = struct.unpack('>5I', bytes) |
| 139 return cputype, cpusubtype, offset, size, align |
| 140 |
| 141 |
| 142 def WriteUInt32(file, uint32, endian): |
| 143 """Writes |uint32| as an unsinged 32-bit integer to the file-like |file| |
| 144 object, treating it as having endianness specified by |endian| (per the |
| 145 |struct| module).""" |
| 146 |
| 147 bytes = struct.pack(endian + 'I', uint32) |
| 148 assert len(bytes) == 4 |
| 149 |
| 150 file.write(bytes) |
| 151 |
| 152 |
| 153 def HandleMachOFile(file, offset=0): |
| 154 """Seeks the file-like |file| object to |offset|, reads its |mach_header|, |
| 155 and rewrites the header's |flags| field if appropriate. The header's |
| 156 endianness is detected. Both 32-bit and 64-bit Mach-O headers are supported |
| 157 (mach_header and mach_header_64). Raises MachOError if used on a header that |
| 158 does not have a known magic number or is not of type MH_EXECUTE. The |
| 159 MH_NO_HEAP_EXECUTION is set in the |flags| field and written to |file| if |
| 160 not already set. If already set, nothing is written.""" |
| 161 |
| 162 CheckedSeek(file, offset) |
| 163 magic = ReadUInt32(file, '<') |
| 164 if magic == MH_MAGIC or magic == MH_MAGIC_64: |
| 165 endian = '<' |
| 166 elif magic == MH_CIGAM or magic == MH_CIGAM_64: |
| 167 endian = '>' |
| 168 else: |
| 169 raise MachOError, \ |
| 170 'Mach-O file at offset %d has illusion of magic' % offset |
| 171 |
| 172 CheckedSeek(file, offset) |
| 173 magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \ |
| 174 ReadMachHeader(file, endian) |
| 175 assert magic == MH_MAGIC or magic == MH_MAGIC_64 |
| 176 if filetype != MH_EXECUTE: |
| 177 raise MachOError, \ |
| 178 'Mach-O file at offset %d is type 0x%x, expected MH_EXECUTE' % \ |
| 179 (offset, filetype) |
| 180 |
| 181 if not flags & MH_NO_HEAP_EXECUTION: |
| 182 flags |= MH_NO_HEAP_EXECUTION |
| 183 CheckedSeek(file, offset + 24) |
| 184 WriteUInt32(file, flags, endian) |
| 185 |
| 186 |
| 187 def HandleFatFile(file, fat_offset=0): |
| 188 """Seeks the file-like |file| object to |offset| and loops over its |
| 189 |fat_header| entries, calling HandleMachOFile for each.""" |
| 190 |
| 191 CheckedSeek(file, fat_offset) |
| 192 magic = ReadUInt32(file, '>') |
| 193 assert magic == FAT_MAGIC |
| 194 |
| 195 nfat_arch = ReadUInt32(file, '>') |
| 196 |
| 197 for index in xrange(0, nfat_arch): |
| 198 cputype, cpusubtype, offset, size, align = ReadFatArch(file) |
| 199 assert size >= 28 |
| 200 |
| 201 # HandleMachOFile will seek around. Come back here after calling it, in |
| 202 # case it sought. |
| 203 fat_arch_offset = file.tell() |
| 204 HandleMachOFile(file, offset) |
| 205 CheckedSeek(file, fat_arch_offset) |
| 206 |
| 207 |
| 208 def main(me, args): |
| 209 if len(args) != 1: |
| 210 print >>sys.stderr, 'usage: %s <executable_path>' % me |
| 211 return 1 |
| 212 |
| 213 executable_path = args[0] |
| 214 executable_file = open(executable_path, 'rb+') |
| 215 |
| 216 magic = ReadUInt32(executable_file, '<') |
| 217 if magic == FAT_CIGAM: |
| 218 # Check FAT_CIGAM and not FAT_MAGIC because the read was little-endian. |
| 219 HandleFatFile(executable_file) |
| 220 elif magic == MH_MAGIC or magic == MH_CIGAM or \ |
| 221 magic == MH_MAGIC_64 or magic == MH_CIGAM_64: |
| 222 HandleMachOFile(executable_file) |
| 223 else: |
| 224 raise MachOError, '%s is not a Mach-O or fat file' % executable_file |
| 225 |
| 226 executable_file.close() |
| 227 |
| 228 return 0 |
| 229 |
| 230 if __name__ == '__main__': |
| 231 sys.exit(main(sys.argv[0], sys.argv[1:])) |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 7608027:
Disable data page (heap) execution when running on Mac OS X 10.7 ("Lion") (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/