Stack Execution Release Notes for Mac OS X v10.5

Restrictions on Executing from Data Areas

Beginning in Leopard, there is a change that affects 64-bit programs that dynamically generate and execute code in their address space. In prior releases, programs could generally execute from any part of their address space that was readable. The only exception to this rule was in Tiger on Intel systems regarding the stack: execution from any portion of the stack was disallowed unless the -allow_stack_execute option was given to ld(1) or the protections were changed on the stack region to allow execution via the mprotect(2) system call.

In Leopard, the restrictions on executing from data areas in 64-bit programs are expanding to increase security. Not only will attempts to execute from the stack area be disallowed, but execution from all other areas of a process's address space will be disallowed unless they are explicitly marked as executable. 64-bit programs that attempt to execute from their data areas without first marking them as executable will receive a SIGBUS signal. This applies to both Intel and PowerPC based systems. This change only affects programs that have been compiled for 64-bit. Existing 32-bit programs are unaffected and they will continue to run without changes. Similarly, any new programs compiled for 32-bit and any old 32-bit programs that are recompiled under Leopard will also be unaffected.

By default, the instruction segment in an a.out file is marked as executable by ld, so programs that don't dynamically generate code and don't otherwise need to execute from their data areas require no changes. Note that the permissions on the segments in the a.out can be controlled with the -segprot option to ld. Also, the -allow_stack_execute option continues to be supported.

64-bit programs that generate code in dynamically allocated memory (via malloc, for example) must use the mprotect system call to add execute permission (specified with PROT_EXEC) to those pages before the program attempts to execute from them. If this is not done, the program will receive a SIGBUS signal when execution is attempted. To maximize security, programs should only add execute permission to those pages from which the program actually needs to execute.
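The following is an added example, not part of the original release notes, showing the pattern described above on a present-day POSIX system: code is written into a data buffer, and execute permission is added with mprotect only to the pages that hold it. It assumes an x86-64 or AArch64 machine and uses mmap rather than malloc so the buffer is page-aligned; the function names and payload bytes are constructed for illustration.

```c
#define _DEFAULT_SOURCE            /* exposes MAP_ANON under strict -std modes */
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample payload: machine code for a function that returns 42. */
#if defined(__x86_64__)
static const unsigned char payload[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};             /* mov eax,42; ret */
#elif defined(__aarch64__)
static const unsigned char payload[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6}; /* mov w0,#42; ret */
#else
#error "sample payload is provided only for x86-64 and AArch64"
#endif

/* Smallest page-aligned range covering [addr, addr+len): returns its length,
 * stores its base in *start. mprotect works on whole pages only. */
size_t exec_span(uintptr_t addr, size_t len, uintptr_t *start)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    *start = addr & ~(page - 1);
    return (size_t)(((addr + len + page - 1) & ~(page - 1)) - *start);
}

/* Add PROT_EXEC only to the pages holding the code. Write permission is
 * dropped in the same call so no page is writable and executable at once. */
int make_executable(void *addr, size_t len)
{
    uintptr_t start;
    size_t span = exec_span((uintptr_t)addr, len, &start);
    return mprotect((void *)start, span, PROT_READ | PROT_EXEC);
}

/* Returns the generated function's result, or -1 if a system call fails. */
int run_generated_code(void)
{
    size_t size = 4 * (size_t)sysconf(_SC_PAGESIZE);   /* only page 0 becomes executable */
    unsigned char *buf = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (buf == MAP_FAILED)
        return -1;
    memcpy(buf, payload, sizeof payload);              /* "generate" the code as data */
    if (make_executable(buf, sizeof payload) != 0) {
        munmap(buf, size);
        return -1;
    }
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof payload);
    int result = ((int (*)(void))(uintptr_t)buf)();    /* would fault without PROT_EXEC */
    munmap(buf, size);
    return result;
}
```

The remaining three pages of the buffer stay read/write and non-executable, which is the "only those pages" guidance from the paragraph above.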





© 2007 Apple Inc. All Rights Reserved. (Last updated: 2007-07-17)

