Closed Bug 1290675 Opened 6 years ago Closed 6 years ago

Make sure ASLR is active on macOS


(Core :: Security, defect)

Not set





(Reporter: evilpie, Unassigned)



We might be missing ASLR and other possible compile time hardening options on macOS. (

2:56 AM <•dveditz> evilpie: saw that, concerns me too. I see lots of FIXED bugs about turning on ASLR
2:56 AM <•dveditz> but on Mac (which is what I've got atm) otool -h seems to indicate we do not have it turned on
2:57 AM <•dveditz> compared to Chrome we're missing PIE and MH_NO_HEAP_EXECUTION  (!!)
That's surprising, back when I added the --enable-pie flag for configure, this is what I wrote:

# On OSX, the linker defaults to building PIE programs when targetting OSX 10.7+,
# but not when targetting OSX < 10.7. OSX < 10.7 doesn't support running PIE
# programs, so as long as support for OSX 10.6 is kept, we can't build PIE.
# Even after dropping 10.6 support, MOZ_PIE would not be useful since it's the
# default (and clang says the -pie option is not used).

That is, we couldn't use PIE because of 10.6, but now we target something bigger than 10.6, the compiler/linker should already be defaulting to PIE... except if its default changed since the time I wrote that.
And I just realized we only actively dropped 10.6 support in 49 (bug 1269790), where PIE *is* enabled.
Closed: 6 years ago
Resolution: --- → WORKSFORME
Duplicate of this bug: 758355
You need to log in before you can comment on or make changes to this bug.