From: Hauke Mehrtens
To: openwrt-devel@lists.openwrt.org
Cc: Hauke Mehrtens
Subject: [RFC PATCH 2/2] toolchain: Allow building with ASAN and UBSAN
Date: Sun, 17 Jan 2021 18:10:36 +0100
Message-Id: <20210117171036.30931-3-hauke@hauke-m.de>
In-Reply-To: <20210117171036.30931-1-hauke@hauke-m.de>
References: <20210117171036.30931-1-hauke@hauke-m.de>

This allows building all user space with Address sanitizer and undefined behavior sanitizer. It will automatically add this to the TARGET_CFLAGS and TARGET_LDFLAGS of every user space component.
This is only working with gcc 10.X, because the system init process will mount /proc after it was started and ASAN needs it already earlier and fails in the versions provided by older compilers. Signed-off-by: Hauke Mehrtens --- config/Config-build.in | 22 ++++++++++++++++++++++ include/hardening.mk | 14 ++++++++++++++ include/package-defaults.mk | 2 +- include/toolchain-build.mk | 2 ++ package/boot/grub2/Makefile | 2 ++ package/libs/toolchain/Makefile | 2 ++ package/network/services/dropbear/Makefile | 2 ++ package/utils/busybox/Makefile | 2 ++ 8 files changed, 47 insertions(+), 1 deletion(-) diff --git a/config/Config-build.in b/config/Config-build.in index 0aaf6b31c38b..7ecef388322e 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -388,4 +388,26 @@ menu "Global build settings" endchoice + config PKG_SANITIZER_ADDRESS + bool "Enable Address Sanitizer" + depends on USE_GLIBC + select PACKAGE_libasan + select USE_SANITIZER_ADDRESS + help + This will build all user space applications with the Address Sanitizer enabled + + config PKG_SANITIZER_UNDEFINED_BEHAVIOR + bool "Enable undefined behavior Sanitizer" + depends on USE_GLIBC + select PACKAGE_libubsan + select USE_SANITIZER_UNDEFINED_BEHAVIOR + help + This will build all user space applications with the undefined behavior Sanitizer enabled + + config USE_SANITIZER_ADDRESS + bool + + config USE_SANITIZER_UNDEFINED_BEHAVIOR + bool + endmenu diff --git a/include/hardening.mk b/include/hardening.mk index 4e49e6b1b904..be2271bd8983 100644 --- a/include/hardening.mk +++ b/include/hardening.mk @@ -11,6 +11,8 @@ PKG_ASLR_PIE_REGULAR ?= 0 PKG_SSP ?= 1 PKG_FORTIFY_SOURCE ?= 1 PKG_RELRO ?= 1 +PKG_SANITIZER_ADDRESS ?= 1 +PKG_SANITIZER_UNDEFINED_BEHAVIOR ?= 1 ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1) 
@@ -61,4 +63,16 @@ ifdef CONFIG_PKG_RELRO_FULL TARGET_LDFLAGS += -znow -zrelro endif endif +ifdef CONFIG_PKG_SANITIZER_ADDRESS + ifeq ($(strip $(PKG_SANITIZER_ADDRESS)),1) + TARGET_CFLAGS += -fsanitize=address + TARGET_LDFLAGS += -fsanitize=address + endif +endif +ifdef CONFIG_PKG_SANITIZER_UNDEFINED_BEHAVIOR + ifeq ($(strip $(PKG_SANITIZER_UNDEFINED_BEHAVIOR)),1) + TARGET_CFLAGS += -fsanitize=undefined + TARGET_LDFLAGS += -fsanitize=undefined + endif +endif diff --git a/include/package-defaults.mk b/include/package-defaults.mk index 2a04bc17e904..1e261db4eb0f 100644 --- a/include/package-defaults.mk +++ b/include/package-defaults.mk @@ -5,7 +5,7 @@ # See /LICENSE for more information. # -PKG_DEFAULT_DEPENDS = +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +PKG_DEFAULT_DEPENDS = +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +USE_SANITIZER_ADDRESS:libasan +USE_SANITIZER_UNDEFINED_BEHAVIOR:libubsan ifneq ($(PKG_NAME),toolchain) PKG_FIXUP_DEPENDS = $(if $(filter kmod-%,$(1)),$(2),$(PKG_DEFAULT_DEPENDS) $(filter-out $(PKG_DEFAULT_DEPENDS),$(2))) diff --git a/include/toolchain-build.mk b/include/toolchain-build.mk index 35d8c9380ec1..92f618a28d4e 100644 --- a/include/toolchain-build.mk +++ b/include/toolchain-build.mk @@ -10,6 +10,8 @@ override CONFIG_AUTOREMOVE= HOST_BUILD_PREFIX:=$(TOOLCHAIN_DIR) BUILD_DIR_HOST:=$(BUILD_DIR_TOOLCHAIN) +PKG_SANITIZER_ADDRESS:=0 +PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0 include $(INCLUDE_DIR)/host-build.mk include $(INCLUDE_DIR)/hardening.mk diff --git a/package/boot/grub2/Makefile b/package/boot/grub2/Makefile index 46e3597cc242..59a3e7ee5890 100644 --- a/package/boot/grub2/Makefile +++ b/package/boot/grub2/Makefile @@ -22,6 +22,8 @@ PKG_BUILD_DEPENDS:=grub2/host PKG_ASLR_PIE:=0 PKG_SSP:=0 +PKG_SANITIZER_ADDRESS:=0 +PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0 PKG_FLAGS:=nonshared diff --git a/package/libs/toolchain/Makefile b/package/libs/toolchain/Makefile index 52a4cda19f6a..4f97df65a8c4 100644 --- a/package/libs/toolchain/Makefile 
+++ b/package/libs/toolchain/Makefile @@ -13,6 +13,8 @@ PKG_MAINTAINER:=Felix Fietkau PKG_LICENSE:=GPL-3.0-with-GCC-exception PKG_FLAGS:=hold essential nonshared +PKG_SANITIZER_ADDRESS:=0 +PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0 include $(INCLUDE_DIR)/package.mk diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 8bbb26f829be..171860e67a16 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -23,6 +23,8 @@ PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server PKG_BUILD_PARALLEL:=1 PKG_ASLR_PIE_REGULAR:=1 +PKG_SANITIZER_ADDRESS:=0 +PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0 PKG_USE_MIPS16:=0 PKG_FIXUP:=autoreconf PKG_FLAGS:=nonshared diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile index e62cef071379..8a9d1a166260 100644 --- a/package/utils/busybox/Makefile +++ b/package/utils/busybox/Makefile @@ -20,6 +20,8 @@ PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998 PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam PKG_BUILD_PARALLEL:=1 PKG_CHECK_FORMAT_SECURITY:=0 +PKG_SANITIZER_ADDRESS:=0 +PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0 #Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc. PKG_ASLR_PIE:=0
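
Review bot: in the config/Config-build.in hunk, both new options carry only `depends on USE_GLIBC`, while the commit message says ASAN works only with gcc 10.X because it needs /proc before init has mounted it. Nothing in the Kconfig prevents selecting PKG_SANITIZER_ADDRESS with an older compiler and ending up with an image that fails at boot. Please add a dependency on the GCC 10 toolchain selection, or at least state the restriction in the help text. The help text should also say that this is a testing option with runtime and size overhead, since it appears in the "Global build settings" menu without any such hint.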
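
Review bot: in the second include/hardening.mk hunk, `-fsanitize=address` is appended while the same file keeps `PKG_FORTIFY_SOURCE ?= 1` (visible in the context of the first hunk). Combining ASan with _FORTIFY_SOURCE is a known source of missed reports, because fortified calls are routed to `__*_chk` libc variants instead of the functions ASan intercepts, so consider disabling fortify when CONFIG_PKG_SANITIZER_ADDRESS is set. For UBSAN, `-fsanitize=undefined` on its own prints a diagnostic and keeps running; if the aim is to surface bugs in test images, `-fno-sanitize-recover=undefined` would turn them into hard failures. Adding `-fno-omit-frame-pointer` would also make the ASAN stack traces more usable.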
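
Review bot: in the include/package-defaults.mk hunk, the added `+USE_SANITIZER_ADDRESS:libasan +USE_SANITIZER_UNDEFINED_BEHAVIOR:libubsan` entries are keyed on the global config symbols, so packages that opt out with `PKG_SANITIZER_ADDRESS:=0` (grub2, dropbear and busybox in this patch) still gain a dependency on the sanitizer runtimes. If that is intended, a short comment saying so would help; otherwise the dependency should follow the per-package switch.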
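
Review bot: the grub2, dropbear and busybox Makefile hunks each add `PKG_SANITIZER_ADDRESS:=0` and `PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0` with no reason given, and the commit message does not explain the exclusions either. The busybox Makefile already documents its PIE opt-out in the comment on the following line; please add a similar one-line reason for each sanitizer opt-out (for example whether it is a build failure or a runtime one) so it is clear when the exclusion can be dropped. This matters most for dropbear, which is a network-facing service and would benefit from sanitizer coverage in test builds.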