How GDB disables ASLR in Mac OS X Lion

This isn’t a rocket science post but more like some notes for future reference 😄.
Lion finally introduces full ASLR and GDB has the possibility to disable that feature when analyzing target binaries. A new GDB setting was added, disable-aslr, which allows to enable or disable this feature.

By default this feature appears to be enabled (I am just looking at GDB source code) and it’s set by the variable disable_aslr_flag configured at gdb/macosx/macosx-tdep.c source file. But this isn’t the place where the magic happens. That is located in gdb/fork-child.c file (well there’s a second version at macosx/macosx-nat-inferior.c).
A very rough draft of gdb workflow is something like this:

  1. Fork
  2. If we are the child process, drop privileges
  3. If we are the child process, use ptrace to “stop” the new process
  4. Exec the target
  5. Use again ptrace to resume the child
  6. Wait for breakpoint events

Step 4 in Apple’s GDB version tries to use posix_spawn instead of exec (or any of its variants) to launch the target. This allows to set some special attributes in the new process. One of the new attributes in Lion is _POSIX_SPAWN_DISABLE_ASLR. The name should be explicit about its purpose.

The piece of code that sets it in gdb/fork-child.c is:

            if (disable_aslr_flag)
              ps_flags |= _POSIX_SPAWN_DISABLE_ASLR;
            retval = posix_spawnattr_setflags(&attr, ps_flags);

If posix_spawn fails GDB will then try to execvp the target. At the kernel side, this is dealt with in posix_spawn() at bsd/kern/kern_exec.c:

                 * Disable ASLR for the spawned process.
                if (px_sa.psa_flags & _POSIX_SPAWN_DISABLE_ASLR)
                        OSBitOrAtomic(P_DISABLE_ASLR, &p->p_flag);
                 * Forcibly disallow execution from data pages for the spawned process
                 * even if it would otherwise be permitted by the architecture default.
                if (px_sa.psa_flags & _POSIX_SPAWN_ALLOW_DATA_EXEC)
                        imgp->ip_flags |= IMGPF_ALLOW_DATA_EXEC;

         * Disable ASLR during image activation.  This occurs either if the
         * _POSIX_SPAWN_DISABLE_ASLR attribute was found above or if
         * P_DISABLE_ASLR was inherited from the parent process.
        if (p->p_flag & P_DISABLE_ASLR)
                imgp->ip_flags |= IMGPF_DISABLE_ASLR;

And that’s it! A new flag added, processes spawned with that flag active and bye bye ASLR 😉.