Replace --enable-asan with --enable-sanitizer
It is now possible to set the sanitizer flags at configure time.
19
INSTALL
19
INSTALL
@@ -160,16 +160,19 @@ Directory and file names:
|
|||||||
contain a fully-qualified path.
|
contain a fully-qualified path.
|
||||||
|
|
||||||
Compilation options:
|
Compilation options:
|
||||||
--enable-asan
|
--enable-sanitizer=[flags]
|
||||||
Enable the use of AddressSanitizer if supported by the
|
Enable the use of sanitizers such as AddressSanitizer and
|
||||||
compiler. This can help detect common problems such as
|
UndefinedBehaviorSanitizer if supported by the compiler.
|
||||||
buffer overflows and user after free bugs as well as behavior
|
This can help detect common problems such as buffer overflows
|
||||||
undefined by the C standard. For more information see
|
and use after free bugs as well as behavior not defined by
|
||||||
https://github.com/google/sanitizers/wiki/AddressSanitizer
|
the C standard. For more information see:
|
||||||
The following compiler flag is used: -fsanitize=address,undefined
|
https://github.com/google/sanitizers/wiki
|
||||||
|
|
||||||
|
If no flags are specified by the user, a default value of
|
||||||
|
"-fsanitize=address,undefined" will be used.
|
||||||
|
|
||||||
This option should only be used for testing and not in a
|
This option should only be used for testing and not in a
|
||||||
production environment. Due to AddressSanitizer's unchecked
|
production environment. Due to some sanitizers' unchecked
|
||||||
use of environment variables, it is trivial to exploit a
|
use of environment variables, it is trivial to exploit a
|
||||||
setuid root executable such as sudo.
|
setuid root executable such as sudo.
|
||||||
|
|
||||||
|
66
configure
vendored
66
configure
vendored
@@ -1004,7 +1004,7 @@ enable_openssl
|
|||||||
enable_gcrypt
|
enable_gcrypt
|
||||||
enable_hardening
|
enable_hardening
|
||||||
enable_pie
|
enable_pie
|
||||||
enable_asan
|
enable_sanitizer
|
||||||
enable_leaks
|
enable_leaks
|
||||||
enable_poll
|
enable_poll
|
||||||
enable_admin_flag
|
enable_admin_flag
|
||||||
@@ -1705,7 +1705,7 @@ Optional Features:
|
|||||||
--disable-hardening Do not use compiler/linker exploit mitigation
|
--disable-hardening Do not use compiler/linker exploit mitigation
|
||||||
options
|
options
|
||||||
--enable-pie Build sudo as a position independent executable.
|
--enable-pie Build sudo as a position independent executable.
|
||||||
--enable-asan Build sudo with address sanitizer support.
|
--enable-sanitizer Build sudo with sanitizer support.
|
||||||
--disable-leaks Prevent some harmless memory leaks.
|
--disable-leaks Prevent some harmless memory leaks.
|
||||||
--disable-poll Use select() instead of poll().
|
--disable-poll Use select() instead of poll().
|
||||||
--enable-admin-flag Whether to create a Ubuntu-style admin flag file
|
--enable-admin-flag Whether to create a Ubuntu-style admin flag file
|
||||||
@@ -6897,10 +6897,16 @@ then :
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Check whether --enable-asan was given.
|
# Check whether --enable-sanitizer was given.
|
||||||
if test ${enable_asan+y}
|
if test ${enable_sanitizer+y}
|
||||||
then :
|
then :
|
||||||
enableval=$enable_asan;
|
enableval=$enable_sanitizer;
|
||||||
|
if test X"$enable_sanitizer" = X"yes"; then
|
||||||
|
enable_sanitizer="-fsanitize=address,undefined"
|
||||||
|
fi
|
||||||
|
|
||||||
|
else $as_nop
|
||||||
|
enable_sanitizer=no
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@@ -28339,16 +28345,17 @@ printf "%s\n" "$sudo_cv_var_hpux_ld_symbol_export" >&6; }
|
|||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test "$enable_asan" = "yes"; then
|
if test "$enable_sanitizer" != "no"; then
|
||||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=address -fsanitize=undefined" >&5
|
as_CACHEVAR=`printf "%s\n" "ax_cv_check_cflags__$enable_sanitizer" | $as_tr_sh`
|
||||||
printf %s "checking whether C compiler accepts -fsanitize=address -fsanitize=undefined... " >&6; }
|
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $enable_sanitizer" >&5
|
||||||
if test ${ax_cv_check_cflags___fsanitize_address__fsanitize_undefined+y}
|
printf %s "checking whether C compiler accepts $enable_sanitizer... " >&6; }
|
||||||
|
if eval test \${$as_CACHEVAR+y}
|
||||||
then :
|
then :
|
||||||
printf %s "(cached) " >&6
|
printf %s "(cached) " >&6
|
||||||
else $as_nop
|
else $as_nop
|
||||||
|
|
||||||
ax_check_save_flags=$CFLAGS
|
ax_check_save_flags=$CFLAGS
|
||||||
CFLAGS="$CFLAGS -fsanitize=address -fsanitize=undefined"
|
CFLAGS="$CFLAGS $enable_sanitizer"
|
||||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||||
/* end confdefs.h. */
|
/* end confdefs.h. */
|
||||||
|
|
||||||
@@ -28362,27 +28369,29 @@ main (void)
|
|||||||
_ACEOF
|
_ACEOF
|
||||||
if ac_fn_c_try_compile "$LINENO"
|
if ac_fn_c_try_compile "$LINENO"
|
||||||
then :
|
then :
|
||||||
ax_cv_check_cflags___fsanitize_address__fsanitize_undefined=yes
|
eval "$as_CACHEVAR=yes"
|
||||||
else $as_nop
|
else $as_nop
|
||||||
ax_cv_check_cflags___fsanitize_address__fsanitize_undefined=no
|
eval "$as_CACHEVAR=no"
|
||||||
fi
|
fi
|
||||||
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
|
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
|
||||||
CFLAGS=$ax_check_save_flags
|
CFLAGS=$ax_check_save_flags
|
||||||
fi
|
fi
|
||||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fsanitize_address__fsanitize_undefined" >&5
|
eval ac_res=\$$as_CACHEVAR
|
||||||
printf "%s\n" "$ax_cv_check_cflags___fsanitize_address__fsanitize_undefined" >&6; }
|
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
|
||||||
if test x"$ax_cv_check_cflags___fsanitize_address__fsanitize_undefined" = xyes
|
printf "%s\n" "$ac_res" >&6; }
|
||||||
|
if test x"`eval 'as_val=${'$as_CACHEVAR'};printf "%s\n" "$as_val"'`" = xyes
|
||||||
then :
|
then :
|
||||||
|
|
||||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fsanitize=address -fsanitize=undefined" >&5
|
as_CACHEVAR=`printf "%s\n" "ax_cv_check_ldflags__$enable_sanitizer" | $as_tr_sh`
|
||||||
printf %s "checking whether the linker accepts -fsanitize=address -fsanitize=undefined... " >&6; }
|
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts $enable_sanitizer" >&5
|
||||||
if test ${ax_cv_check_ldflags___fsanitize_address__fsanitize_undefined+y}
|
printf %s "checking whether the linker accepts $enable_sanitizer... " >&6; }
|
||||||
|
if eval test \${$as_CACHEVAR+y}
|
||||||
then :
|
then :
|
||||||
printf %s "(cached) " >&6
|
printf %s "(cached) " >&6
|
||||||
else $as_nop
|
else $as_nop
|
||||||
|
|
||||||
ax_check_save_flags=$LDFLAGS
|
ax_check_save_flags=$LDFLAGS
|
||||||
LDFLAGS="$LDFLAGS -fsanitize=address -fsanitize=undefined"
|
LDFLAGS="$LDFLAGS $enable_sanitizer"
|
||||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||||
/* end confdefs.h. */
|
/* end confdefs.h. */
|
||||||
|
|
||||||
@@ -28396,21 +28405,22 @@ main (void)
|
|||||||
_ACEOF
|
_ACEOF
|
||||||
if ac_fn_c_try_link "$LINENO"
|
if ac_fn_c_try_link "$LINENO"
|
||||||
then :
|
then :
|
||||||
ax_cv_check_ldflags___fsanitize_address__fsanitize_undefined=yes
|
eval "$as_CACHEVAR=yes"
|
||||||
else $as_nop
|
else $as_nop
|
||||||
ax_cv_check_ldflags___fsanitize_address__fsanitize_undefined=no
|
eval "$as_CACHEVAR=no"
|
||||||
fi
|
fi
|
||||||
rm -f core conftest.err conftest.$ac_objext conftest.beam \
|
rm -f core conftest.err conftest.$ac_objext conftest.beam \
|
||||||
conftest$ac_exeext conftest.$ac_ext
|
conftest$ac_exeext conftest.$ac_ext
|
||||||
LDFLAGS=$ax_check_save_flags
|
LDFLAGS=$ax_check_save_flags
|
||||||
fi
|
fi
|
||||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fsanitize_address__fsanitize_undefined" >&5
|
eval ac_res=\$$as_CACHEVAR
|
||||||
printf "%s\n" "$ax_cv_check_ldflags___fsanitize_address__fsanitize_undefined" >&6; }
|
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
|
||||||
if test x"$ax_cv_check_ldflags___fsanitize_address__fsanitize_undefined" = xyes
|
printf "%s\n" "$ac_res" >&6; }
|
||||||
|
if test x"`eval 'as_val=${'$as_CACHEVAR'};printf "%s\n" "$as_val"'`" = xyes
|
||||||
then :
|
then :
|
||||||
|
|
||||||
ASAN_LDFLAGS="-Wc,-fsanitize=address -Wc,-fsanitize=undefined"
|
ASAN_LDFLAGS="$enable_sanitizer"
|
||||||
ASAN_CFLAGS="-fsanitize=address -fsanitize=undefined"
|
ASAN_CFLAGS="$enable_sanitizer"
|
||||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-omit-frame-pointer" >&5
|
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-omit-frame-pointer" >&5
|
||||||
printf %s "checking whether C compiler accepts -fno-omit-frame-pointer... " >&6; }
|
printf %s "checking whether C compiler accepts -fno-omit-frame-pointer... " >&6; }
|
||||||
if test ${ax_cv_check_cflags___fno_omit_frame_pointer+y}
|
if test ${ax_cv_check_cflags___fno_omit_frame_pointer+y}
|
||||||
@@ -29112,8 +29122,8 @@ if test X"$with_noexec" != X"no"; then
|
|||||||
PROGS="${PROGS} sudo_noexec.la"
|
PROGS="${PROGS} sudo_noexec.la"
|
||||||
INSTALL_NOEXEC="install-noexec"
|
INSTALL_NOEXEC="install-noexec"
|
||||||
|
|
||||||
# Can't use asan with LD_PRELOAD
|
# Can't use sanitizers with LD_PRELOAD
|
||||||
if test "$enable_asan" != "yes"; then
|
if test "$enable_sanitizer" != "yes"; then
|
||||||
CHECK_NOEXEC=check_noexec
|
CHECK_NOEXEC=check_noexec
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
24
configure.ac
24
configure.ac
@@ -1522,8 +1522,12 @@ AC_ARG_ENABLE(hardening,
|
|||||||
AC_ARG_ENABLE(pie,
|
AC_ARG_ENABLE(pie,
|
||||||
[AS_HELP_STRING([--enable-pie], [Build sudo as a position independent executable.])])
|
[AS_HELP_STRING([--enable-pie], [Build sudo as a position independent executable.])])
|
||||||
|
|
||||||
AC_ARG_ENABLE(asan,
|
AC_ARG_ENABLE(sanitizer,
|
||||||
[AS_HELP_STRING([--enable-asan], [Build sudo with address sanitizer support.])])
|
[AS_HELP_STRING([--enable-sanitizer], [Build sudo with sanitizer support.])], [
|
||||||
|
if test X"$enable_sanitizer" = X"yes"; then
|
||||||
|
enable_sanitizer="-fsanitize=address,undefined"
|
||||||
|
fi
|
||||||
|
], [enable_sanitizer=no])
|
||||||
|
|
||||||
AC_ARG_ENABLE(leaks,
|
AC_ARG_ENABLE(leaks,
|
||||||
[AS_HELP_STRING([--disable-leaks], [Prevent some harmless memory leaks.])],
|
[AS_HELP_STRING([--disable-leaks], [Prevent some harmless memory leaks.])],
|
||||||
@@ -4544,14 +4548,14 @@ EOF
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
dnl
|
dnl
|
||||||
dnl Check for -fsanitize=address,undefined support
|
dnl Check for -fsanitize support
|
||||||
dnl This test relies on AC_LANG_WERROR
|
dnl This test relies on AC_LANG_WERROR
|
||||||
dnl
|
dnl
|
||||||
if test "$enable_asan" = "yes"; then
|
if test "$enable_sanitizer" != "no"; then
|
||||||
AX_CHECK_COMPILE_FLAG([-fsanitize=address -fsanitize=undefined], [
|
AX_CHECK_COMPILE_FLAG([$enable_sanitizer], [
|
||||||
AX_CHECK_LINK_FLAG([-fsanitize=address -fsanitize=undefined], [
|
AX_CHECK_LINK_FLAG([$enable_sanitizer], [
|
||||||
ASAN_LDFLAGS="-Wc,-fsanitize=address -Wc,-fsanitize=undefined"
|
ASAN_LDFLAGS="$enable_sanitizer"
|
||||||
ASAN_CFLAGS="-fsanitize=address -fsanitize=undefined"
|
ASAN_CFLAGS="$enable_sanitizer"
|
||||||
AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [
|
AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [
|
||||||
CFLAGS="$CFLAGS -fno-omit-frame-pointer"
|
CFLAGS="$CFLAGS -fno-omit-frame-pointer"
|
||||||
])
|
])
|
||||||
@@ -4806,8 +4810,8 @@ if test X"$with_noexec" != X"no"; then
|
|||||||
PROGS="${PROGS} sudo_noexec.la"
|
PROGS="${PROGS} sudo_noexec.la"
|
||||||
INSTALL_NOEXEC="install-noexec"
|
INSTALL_NOEXEC="install-noexec"
|
||||||
|
|
||||||
# Can't use asan with LD_PRELOAD
|
# Can't use sanitizers with LD_PRELOAD
|
||||||
if test "$enable_asan" != "yes"; then
|
if test "$enable_sanitizer" != "yes"; then
|
||||||
CHECK_NOEXEC=check_noexec
|
CHECK_NOEXEC=check_noexec
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
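Review bot: The noexec guard in the last hunk, `if test "$enable_sanitizer" != "yes"; then`, can no longer be false, because the AC_ARG_ENABLE block added earlier in this file rewrites "yes" to "-fsanitize=address,undefined" and defaults the variable to "no". CHECK_NOEXEC is therefore set even for a sanitizer build, which is the case the comment above it ("Can't use sanitizers with LD_PRELOAD") says to exclude. The test should mirror the one used for the flag check, `if test "$enable_sanitizer" = "no"; then`. The generated configure carries the same line and would need regenerating; the enclosing `if test X"$with_noexec" != X"no"` block opens outside the hunk.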