Give plug-in processes an executable heap and disable PIE/ASLR for Native

build/mac/change_mach_o_flags.py

 #!/usr/bin/python
 
 # Copyright (c) 2011 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-# Usage: make_heap_non_executable.py <executable_path>
+# Usage: change_mach_o_flags.py [--executable-heap] [--no-pie] <executable_path>
 #
 # Arranges for the executable at |executable_path| to have its data (heap)
-# pages protected to prevent execution on Mac OS X 10.7 ("Lion").
+# pages protected to prevent execution on Mac OS X 10.7 ("Lion"), and to have
+# the PIE (position independent executable) bit set to enable ASLR (address
+# space layout randomization). With --executable-heap or --no-pie, the
+# respective bits are cleared instead of set, making the heap executable or
+# disabling PIE/ASLR.
+#
+# This script is able to operate on thin (single-architecture) Mach-O files
+# and fat (universal, multi-architecture) files. When operating on fat files,
+# it will set or clear the bits for each architecture contained therein.
+#
+# NON-EXECUTABLE HEAP
 #
 # Traditionally in Mac OS X, 32-bit processes did not have data pages set to
 # prohibit execution. Although user programs could call mprotect and
 # mach_vm_protect to deny execution of code in data pages, the kernel would
 # silently ignore such requests without updating the page tables, and the
 # hardware would happily execute code on such pages. 64-bit processes were
 # always given proper hardware protection of data pages. This behavior was
 # controllable on a system-wide level via the vm.allow_data_exec sysctl, which
 # is set by default to 1. The bit with value 1 (set by default) allows code
 # execution on data pages for 32-bit processes, and the bit with value 2
@@ skipping 19 matching lines @@
 # modifications to set this bit itself. It is also useful for setting this bit
 # for non-i386 executables, including x86_64 executables. Apple's linker only
 # sets it for 32-bit i386 executables, presumably under the assumption that
 # the value of vm.allow_data_exec is set in stone. However, if someone were to
 # change vm.allow_data_exec to 2 or 3, 64-bit x86_64 executables would run
 # without hardware protection against code execution on data pages. This
 # script can set the bit for x86_64 executables, guaranteeing that they run
 # with appropriate protection even when vm.allow_data_exec has been tampered
 # with.
 #
-# This script is able to operate on thin (single-architecture) Mach-O files
-# and fat (universal, multi-architecture) files. When operating on fat files,
-# it will set the MH_NO_HEAP_EXECUTION bit for each architecture contained
-# therein.
+# POSITION-INDEPENDENT EXECUTABLES/ADDRESS SPACE LAYOUT RANDOMIZATION
+#
+# This script sets or clears the MH_PIE bit in an executable's Mach-O header,
+# enabling or disabling position independence on Mac OS X 10.5 and later.
+# Processes running position-independent executables have varying levels of
+# ASLR protection depending on the OS release. The main executable's load
+# address, shared library load addresess, and the heap and stack base
+# addresses may be randomized. Position-independent executables are produced
+# by supplying the -pie flag to the linker (or defeated by supplying -no_pie).
+# Executables linked with a deployment target of 10.7 or higher have PIE on
+# by default.
+#
+# This script is never strictly needed during the build to enable PIE, as all
+# linkers used are recent enough to support -pie. However, it's used to
+# disable the PIE bit as needed on already-linked executables.
 
 
+import optparse
 import os
 import struct
 import sys
 
 
 # <mach-o/fat.h>
 FAT_MAGIC = 0xcafebabe
 FAT_CIGAM = 0xbebafeca
 
 # <mach-o/loader.h>
 MH_MAGIC = 0xfeedface
 MH_CIGAM = 0xcefaedfe
 MH_MAGIC_64 = 0xfeedfacf
 MH_CIGAM_64 = 0xcffaedfe
 MH_EXECUTE = 0x2
-MH_NO_HEAP_EXECUTION = 0x1000000
+MH_PIE = 0x00200000
+MH_NO_HEAP_EXECUTION = 0x01000000
 
 
 class MachOError(Exception):
   """A class for exceptions thrown by this module."""
 
   pass
 
 
 def CheckedSeek(file, offset):
   """Seeks the file-like object at |file| to offset |offset| and raises a
@@ skipping 61 matching lines @@
   """Writes |uint32| as an unsinged 32-bit integer to the file-like |file|
   object, treating it as having endianness specified by |endian| (per the
   |struct| module)."""
 
   bytes = struct.pack(endian + 'I', uint32)
   assert len(bytes) == 4
 
   file.write(bytes)
 
 
-def HandleMachOFile(file, offset=0):
+def HandleMachOFile(file, options, offset=0):
   """Seeks the file-like |file| object to |offset|, reads its |mach_header|,
   and rewrites the header's |flags| field if appropriate. The header's
   endianness is detected. Both 32-bit and 64-bit Mach-O headers are supported
   (mach_header and mach_header_64). Raises MachOError if used on a header that
   does not have a known magic number or is not of type MH_EXECUTE. The
-  MH_NO_HEAP_EXECUTION is set in the |flags| field and written to |file| if
-  not already set. If already set, nothing is written."""
+  MH_PIE and MH_NO_HEAP_EXECUTION bits are set or cleared in the |flags| field
+  according to |options| and written to |file| if any changes need to be made.
+  If already set or clear as specified by |options|, nothing is written."""
 
   CheckedSeek(file, offset)
   magic = ReadUInt32(file, '<')
   if magic == MH_MAGIC or magic == MH_MAGIC_64:
     endian = '<'
   elif magic == MH_CIGAM or magic == MH_CIGAM_64:
     endian = '>'
   else:
     raise MachOError, \
           'Mach-O file at offset %d has illusion of magic' % offset
 
   CheckedSeek(file, offset)
   magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
       ReadMachHeader(file, endian)
   assert magic == MH_MAGIC or magic == MH_MAGIC_64
   if filetype != MH_EXECUTE:
     raise MachOError, \
           'Mach-O file at offset %d is type 0x%x, expected MH_EXECUTE' % \
               (offset, filetype)
 
-  if not flags & MH_NO_HEAP_EXECUTION:
+  original_flags = flags
+
+  if options.no_heap_execution:
     flags |= MH_NO_HEAP_EXECUTION
+  else:
+    flags &= ~MH_NO_HEAP_EXECUTION
+
+  if options.pie:
+    flags |= MH_PIE
+  else:
+    flags &= ~MH_PIE
+
+  if flags != original_flags:
     CheckedSeek(file, offset + 24)
     WriteUInt32(file, flags, endian)
 
 
-def HandleFatFile(file, fat_offset=0):
+def HandleFatFile(file, options, fat_offset=0):
   """Seeks the file-like |file| object to |offset| and loops over its
   |fat_header| entries, calling HandleMachOFile for each."""
 
   CheckedSeek(file, fat_offset)
   magic = ReadUInt32(file, '>')
   assert magic == FAT_MAGIC
 
   nfat_arch = ReadUInt32(file, '>')
 
   for index in xrange(0, nfat_arch):
     cputype, cpusubtype, offset, size, align = ReadFatArch(file)
     assert size >= 28
 
     # HandleMachOFile will seek around. Come back here after calling it, in
     # case it sought.
     fat_arch_offset = file.tell()
-    HandleMachOFile(file, offset)
+    HandleMachOFile(file, options, offset)
     CheckedSeek(file, fat_arch_offset)
 
 
 def main(me, args):
-  if len(args) != 1:
-    print >>sys.stderr, 'usage: %s <executable_path>' % me
+  parser = optparse.OptionParser('%prog [options] <executable_path>')
+  parser.add_option('--executable-heap', action='store_false',
+                    dest='no_heap_execution', default=True,
+                    help='Clear the MH_NO_HEAP_EXECUTION bit')
+  parser.add_option('--no-pie', action='store_false',
+                    dest='pie', default=True,
+                    help='Clear the MH_PIE bit')
+  (options, loose_args) = parser.parse_args(args)
+  if len(loose_args) != 1:
+    parser.print_usage()
     return 1
 
-  executable_path = args[0]
+  executable_path = loose_args[0]
   executable_file = open(executable_path, 'rb+')
 
   magic = ReadUInt32(executable_file, '<')
   if magic == FAT_CIGAM:
     # Check FAT_CIGAM and not FAT_MAGIC because the read was little-endian.
-    HandleFatFile(executable_file)
+    HandleFatFile(executable_file, options)
   elif magic == MH_MAGIC or magic == MH_CIGAM or \
       magic == MH_MAGIC_64 or magic == MH_CIGAM_64:
-    HandleMachOFile(executable_file)
+    HandleMachOFile(executable_file, options)
   else:
     raise MachOError, '%s is not a Mach-O or fat file' % executable_file
 
   executable_file.close()
 
   return 0
 
 if __name__ == '__main__':
   sys.exit(main(sys.argv[0], sys.argv[1:]))