[RFC PATCH 2/2] toolchain: Allow building with ASAN and UBSAN

Hauke Mehrtens hauke at hauke-m.de
Sun Jan 17 12:10:36 EST 2021 

This allows to build all user space with Address sanitizer and undefined
behavior sanitizer. It will automatically add this to the TRAGET_CFLAGS
and TARGET_LDFLAGS of every user space component.

This is only working with gcc 10.X, because the system init process will
mount /proc after it was started and ASAN needs it already earlier and
fails in the versions provided by older compilers.

Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 config/Config-build.in                     | 22 ++++++++++++++++++++++
 include/hardening.mk                       | 14 ++++++++++++++
 include/package-defaults.mk                |  2 +-
 include/toolchain-build.mk                 |  2 ++
 package/boot/grub2/Makefile                |  2 ++
 package/libs/toolchain/Makefile            |  2 ++
 package/network/services/dropbear/Makefile |  2 ++
 package/utils/busybox/Makefile             |  2 ++
 8 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/config/Config-build.in b/config/Config-build.in
index 0aaf6b31c38b..7ecef388322e 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -388,4 +388,26 @@ menu "Global build settings"
 
 	endchoice
 
+	config PKG_SANITIZER_ADDRESS
+		bool "Enable Address Sanitizer"
+		depends on USE_GLIBC
+		select PACKAGE_libasan
+		select USE_SANITIZER_ADDRESS
+		help
+		  This will build all user space applications with the Address Sanitizer enabled
+
+	config PKG_SANITIZER_UNDEFINED_BEHAVIOR
+		bool "Enable undefined behavior Sanitizer"
+		depends on USE_GLIBC
+		select PACKAGE_libubsan
+		select USE_SANITIZER_UNDEFINED_BEHAVIOR
+		help
+		  This will build all user space applications with the undefined behavior Sanitizer enabled
+
+	config USE_SANITIZER_ADDRESS
+		bool
+
+	config USE_SANITIZER_UNDEFINED_BEHAVIOR
+		bool
+
 endmenu
diff --git a/include/hardening.mk b/include/hardening.mk
index 4e49e6b1b904..be2271bd8983 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -11,6 +11,8 @@ PKG_ASLR_PIE_REGULAR ?= 0
 PKG_SSP ?= 1
 PKG_FORTIFY_SOURCE ?= 1
 PKG_RELRO ?= 1
+PKG_SANITIZER_ADDRESS ?= 1
+PKG_SANITIZER_UNDEFINED_BEHAVIOR ?= 1
 
 ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
   ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
@@ -61,4 +63,16 @@ ifdef CONFIG_PKG_RELRO_FULL
     TARGET_LDFLAGS += -znow -zrelro
   endif
 endif
+ifdef CONFIG_PKG_SANITIZER_ADDRESS
+  ifeq ($(strip $(PKG_SANITIZER_ADDRESS)),1)
+    TARGET_CFLAGS += -fsanitize=address
+    TARGET_LDFLAGS += -fsanitize=address
+  endif
+endif
+ifdef CONFIG_PKG_SANITIZER_UNDEFINED_BEHAVIOR
+  ifeq ($(strip $(PKG_SANITIZER_UNDEFINED_BEHAVIOR)),1)
+    TARGET_CFLAGS += -fsanitize=undefined
+    TARGET_LDFLAGS += -fsanitize=undefined
+  endif
+endif
 
diff --git a/include/package-defaults.mk b/include/package-defaults.mk
index 2a04bc17e904..1e261db4eb0f 100644
--- a/include/package-defaults.mk
+++ b/include/package-defaults.mk
@@ -5,7 +5,7 @@
 # See /LICENSE for more information.
 #
 
-PKG_DEFAULT_DEPENDS = +libc +USE_GLIBC:librt +USE_GLIBC:libpthread
+PKG_DEFAULT_DEPENDS = +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +USE_SANITIZER_ADDRESS:libasan +USE_SANITIZER_UNDEFINED_BEHAVIOR:libubsan
 
 ifneq ($(PKG_NAME),toolchain)
   PKG_FIXUP_DEPENDS = $(if $(filter kmod-%,$(1)),$(2),$(PKG_DEFAULT_DEPENDS) $(filter-out $(PKG_DEFAULT_DEPENDS),$(2)))
diff --git a/include/toolchain-build.mk b/include/toolchain-build.mk
index 35d8c9380ec1..92f618a28d4e 100644
--- a/include/toolchain-build.mk
+++ b/include/toolchain-build.mk
@@ -10,6 +10,8 @@ override CONFIG_AUTOREMOVE=
 
 HOST_BUILD_PREFIX:=$(TOOLCHAIN_DIR)
 BUILD_DIR_HOST:=$(BUILD_DIR_TOOLCHAIN)
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 
 include $(INCLUDE_DIR)/host-build.mk
 include $(INCLUDE_DIR)/hardening.mk
diff --git a/package/boot/grub2/Makefile b/package/boot/grub2/Makefile
index 46e3597cc242..59a3e7ee5890 100644
--- a/package/boot/grub2/Makefile
+++ b/package/boot/grub2/Makefile
@@ -22,6 +22,8 @@ PKG_BUILD_DEPENDS:=grub2/host
 
 PKG_ASLR_PIE:=0
 PKG_SSP:=0
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 
 PKG_FLAGS:=nonshared
 
diff --git a/package/libs/toolchain/Makefile b/package/libs/toolchain/Makefile
index 52a4cda19f6a..4f97df65a8c4 100644
--- a/package/libs/toolchain/Makefile
+++ b/package/libs/toolchain/Makefile
@@ -13,6 +13,8 @@ PKG_MAINTAINER:=Felix Fietkau <nbd at nbd.name>
 PKG_LICENSE:=GPL-3.0-with-GCC-exception
 
 PKG_FLAGS:=hold essential nonshared
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8bbb26f829be..171860e67a16 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -23,6 +23,8 @@ PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server
 
 PKG_BUILD_PARALLEL:=1
 PKG_ASLR_PIE_REGULAR:=1
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 PKG_USE_MIPS16:=0
 PKG_FIXUP:=autoreconf
 PKG_FLAGS:=nonshared
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index e62cef071379..8a9d1a166260 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -20,6 +20,8 @@ PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998
 PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam
 PKG_BUILD_PARALLEL:=1
 PKG_CHECK_FORMAT_SECURITY:=0
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 
 #Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
 PKG_ASLR_PIE:=0
-- 
2.20.1

More information about the openwrt-devel mailing list