Disabling stack protection on OSX 10.11


Not sure if this is the right place to ask this question but I'll try anyway.

I can't seem to disable the stack protection on OSX 10.11 using clang 7.0.0.

$ clang --version
Apple LLVM version 7.0.0 (clang-700.0.72)
Target: x86_64-apple-darwin15.0.0
Thread model: posix

Compiling with:

gcc -o a a.c -fno-stack-protector -D_FORTIFY_SOURCE=0 -fno-sanitize=memory

I've also used change_mach_o_flags.py to set the heap executable and am also setting:

sysctl -w vm.allow_stack_exec = 1

If I then write a test program that handles a buffer in an unsafe way, I can overflow it and get rip to jump to say, the address of an environment variable, but as soon as that happens the system segfaults as if it's being caught by stack protection.

Not sure if this output from vmmap from a running instance of the compiled program is useful:

# vmmap 49625 |grep -i stack
STACK GUARD 00007fff58157000-00007fff5b957000 [ 56.0M] ---/rwx SM=NUL stack guard for thread 0
Stack 00007fff5b957000-00007fff5c157000 [ 8192K] rw-/rwx SM=PRV thread 0
Stack 8192K 2

Is there some new kernel-based stack protection that can't be turned off in 10.11?

Any help much appreciated.