Make sure ASLR is active on macOS

RESOLVED WORKSFORME

Core :: Security

(Reporter: evilpie, Unassigned)

Description (Reporter, a year ago)
We might be missing ASLR and other possible compile time hardening options on macOS. (https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-programs-and-may-revolutionize-software-in-the-process/)

2:56 AM <•dveditz> evilpie: saw that, concerns me too. I see lots of FIXED bugs about turning on ASLR
2:56 AM <•dveditz> but on Mac (which is what I've got atm) otool -h seems to indicate we do not have it turned on
2:57 AM <•dveditz> compared to Chrome we're missing PIE and MH_NO_HEAP_EXECUTION  (!!)
That's surprising. Back when I added the --enable-pie flag for configure, this is what I wrote:

# On OSX, the linker defaults to building PIE programs when targetting OSX 10.7+,
# but not when targetting OSX < 10.7. OSX < 10.7 doesn't support running PIE
# programs, so as long as support for OSX 10.6 is kept, we can't build PIE.
# Even after dropping 10.6 support, MOZ_PIE would not be useful since it's the
# default (and clang says the -pie option is not used).

That is, we couldn't use PIE because of 10.6, but now that we target something newer than 10.6, the compiler/linker should already be defaulting to PIE... except if its default changed since the time I wrote that.
And I just realized we only actively dropped 10.6 support in 49 (bug 1269790), where PIE *is* enabled.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME
Duplicate of this bug: 758355
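The thread above relies on reading the Mach-O header flags with otool -h to tell whether a build is PIE and whether heap execution is disabled. The following is an added example, not code from the bug participants or from mozilla-central, that does the same check directly from the header bytes so it can be run on any Mach-O file or, offline, on the constructed sample headers built inside the script. It reads the flags field of mach_header / mach_header_64 (and every slice of a FAT universal binary) and reports MH_PIE, MH_NO_HEAP_EXECUTION and MH_ALLOW_STACK_EXECUTION; the constant values come from <mach-o/loader.h> and <mach-o/fat.h>. The sample headers are constructed for the demo and carry no load commands.

```python
import struct

# Magic numbers and flag bits from <mach-o/loader.h> / <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O, little-endian on x86/arm
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE       # universal binary; fat header is big-endian
MH_EXECUTE = 0x2             # filetype for a main executable

MH_ALLOW_STACK_EXECUTION = 0x00020000   # bad if set: executable stack
MH_PIE = 0x00200000                     # ASLR for the main image
MH_NO_HEAP_EXECUTION = 0x01000000       # heap pages are not executable

CPU_NAMES = {0x00000007: "i386", 0x01000007: "x86_64", 0x0100000C: "arm64"}


def parse_thin(data, offset=0):
    """Parse one mach_header / mach_header_64 starting at `offset`."""
    magic, = struct.unpack_from("<I", data, offset)
    if magic == MH_MAGIC_64:
        # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
        fmt = "<IiiIIIII"
    elif magic == MH_MAGIC:
        fmt = "<IiiIIII"
    else:
        raise ValueError("no little-endian Mach-O header at offset %#x" % offset)
    fields = struct.unpack_from(fmt, data, offset)
    return {"cputype": fields[1], "filetype": fields[3], "flags": fields[6]}


def parse_macho(data):
    """Return one header dict per architecture slice (one for thin files)."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(data, 0)]
    nfat, = struct.unpack_from(">I", data, 4)
    headers = []
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _, _, offset, _, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        headers.append(parse_thin(data, offset))
    return headers


def hardening_report(data):
    """Per-slice view of the flags otool -hv would print as PIE / NO_HEAP_EXECUTION."""
    report = []
    for h in parse_macho(data):
        flags = h["flags"]
        report.append({
            "arch": CPU_NAMES.get(h["cputype"], hex(h["cputype"])),
            "executable": h["filetype"] == MH_EXECUTE,   # PIE only matters for MH_EXECUTE
            "pie": bool(flags & MH_PIE),
            "no_heap_exec": bool(flags & MH_NO_HEAP_EXECUTION),
            "stack_exec": bool(flags & MH_ALLOW_STACK_EXECUTION),
        })
    return report


def build_header64(cputype, flags, filetype=MH_EXECUTE):
    """Constructed sample: bare 64-bit header, zero load commands (enough for the check)."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, filetype, 0, 0, flags, 0)


def build_fat(slices):
    """Constructed sample: wrap thin images in a universal binary, one slice per 4 KiB."""
    table_size = 8 + 20 * len(slices)
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    entries, body, offset = b"", b"", 4096
    for s in slices:
        cputype = struct.unpack_from("<i", s, 4)[0]
        entries += struct.pack(">iiIII", cputype, 3, offset, len(s), 12)
        body += b"\0" * (offset - table_size - len(body)) + s
        offset += 4096
    return header + entries + body


# Constructed inputs, not real binaries: one hardened x86_64 image, one with no flags
HARDENED = build_header64(0x01000007, MH_PIE | MH_NO_HEAP_EXECUTION)
UNHARDENED = build_header64(0x01000007, 0)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HARDENED
    for entry in hardening_report(data):
        print(entry)
```

Run it as `python3 check_macho.py /path/to/firefox` to inspect a real build; the same flag names appear in the output of `otool -hv`, which is the quicker check when the developer tools are installed. A missing "pie" on an MH_EXECUTE slice is the condition the thread is about; "stack_exec" being true would be a separate regression worth a bug of its own.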