From 3d0b0f061e3c5798d34373296b0c6dd06b86631f Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 27 Jan 2016 15:37:25 -0700 Subject: [PATCH] Add --enable-asan configure flag to enable address sanitizer --- config.h.in | 3 ++ configure | 126 +++++++++++++++++++++++++++++++++++++++++++++++++++ configure.ac | 21 +++++++++ 3 files changed, 150 insertions(+) diff --git a/config.h.in b/config.h.in index 1da2c63d1..3d11c0187 100644 --- a/config.h.in +++ b/config.h.in @@ -923,6 +923,9 @@ /* Define to 1 if you don't want sudo to prompt for a password by default. */ #undef NO_AUTHENTICATION +/* Define to 1 if you want sudo to free up memory before exiting. */ +#undef NO_LEAKS + /* Define to 1 if you don't want users to get the lecture the first they user sudo. */ #undef NO_LECTURE diff --git a/configure b/configure index eb7eb6193..f0128d173 100755 --- a/configure +++ b/configure @@ -943,6 +943,7 @@ enable_warnings enable_werror enable_hardening enable_pie +enable_asan enable_poll enable_admin_flag enable_nls @@ -1617,6 +1618,7 @@ Optional Features: --disable-hardening Do not use compiler/linker exploit mitigation options --enable-pie Build sudo as a position independent executable. + --enable-asan Build sudo with address sanitizer support. --disable-poll Use select() instead of poll(). --enable-admin-flag Whether to create a Ubuntu-style admin flag file --disable-nls Disable natural language support using gettext @@ -6112,6 +6114,12 @@ if test "${enable_pie+set}" = set; then : fi +# Check whether --enable-asan was given. +if test "${enable_asan+set}" = set; then : + enableval=$enable_asan; +fi + + # Check whether --enable-poll was given. if test "${enable_poll+set}" = set; then : enableval=$enable_poll; @@ -23718,6 +23726,123 @@ $as_echo "$sudo_cv_var_hpux_ld_symbol_export" >&6; } fi fi +if test "$enable_asan" = "yes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=address,undefined" >&5 +$as_echo_n "checking whether C compiler accepts -fsanitize=address,undefined... " >&6; } +if ${ax_cv_check_cflags___fsanitize_address_undefined+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fsanitize=address,undefined" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fsanitize_address_undefined=yes +else + ax_cv_check_cflags___fsanitize_address_undefined=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fsanitize_address_undefined" >&5 +$as_echo "$ax_cv_check_cflags___fsanitize_address_undefined" >&6; } +if test x"$ax_cv_check_cflags___fsanitize_address_undefined" = xyes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fsanitize=address,undefined" >&5 +$as_echo_n "checking whether the linker accepts -fsanitize=address,undefined... " >&6; } +if ${ax_cv_check_ldflags___fsanitize_address_undefined+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -fsanitize=address,undefined" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___fsanitize_address_undefined=yes +else + ax_cv_check_ldflags___fsanitize_address_undefined=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fsanitize_address_undefined" >&5 +$as_echo "$ax_cv_check_ldflags___fsanitize_address_undefined" >&6; } +if test x"$ax_cv_check_ldflags___fsanitize_address_undefined" = xyes; then : + + LDFLAGS="$LDFLAGS -fsanitize=address,undefined" + CFLAGS="$CFLAGS -fsanitize=address,undefined" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-omit-frame-pointer" >&5 +$as_echo_n "checking whether C compiler accepts -fno-omit-frame-pointer... " >&6; } +if ${ax_cv_check_cflags___fno_omit_frame_pointer+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fno-omit-frame-pointer" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fno_omit_frame_pointer=yes +else + ax_cv_check_cflags___fno_omit_frame_pointer=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_omit_frame_pointer" >&5 +$as_echo "$ax_cv_check_cflags___fno_omit_frame_pointer" >&6; } +if test x"$ax_cv_check_cflags___fno_omit_frame_pointer" = xyes; then : + + CFLAGS="$CFLAGS -fno-omit-frame-pointer" + +else + : +fi + + $as_echo "#define NO_LEAKS 1" >>confdefs.h + + +else + : +fi + + +else + : +fi + +fi + if test -n "$GCC"; then if test -z "$enable_pie"; then case "$host_os" in @@ -26462,5 +26587,6 @@ fi + diff --git a/configure.ac b/configure.ac index ea4ae44fe..40d61824c 100644 --- a/configure.ac +++ b/configure.ac @@ -1451,6 +1451,9 @@ AC_ARG_ENABLE(hardening, AC_ARG_ENABLE(pie, [AS_HELP_STRING([--enable-pie], [Build sudo as a position independent executable.])]) +AC_ARG_ENABLE(asan, +[AS_HELP_STRING([--enable-asan], [Build sudo with address sanitizer support.])]) + AC_ARG_ENABLE(poll, [AS_HELP_STRING([--disable-poll], [Use select() instead of poll().])]) @@ -3937,6 +3940,23 @@ EOF fi fi +dnl +dnl Check for -fsanitize=address,undefined support +dnl This test relies on AC_LANG_WERROR +dnl +if test "$enable_asan" = "yes"; then + AX_CHECK_COMPILE_FLAG([-fsanitize=address,undefined], [ + AX_CHECK_LINK_FLAG([-fsanitize=address,undefined], [ + LDFLAGS="$LDFLAGS -fsanitize=address,undefined" + CFLAGS="$CFLAGS -fsanitize=address,undefined" + AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [ + CFLAGS="$CFLAGS -fno-omit-frame-pointer" + ]) + AC_DEFINE(NO_LEAKS) + ]) + ]) +fi + dnl dnl Check for PIE executable support if using gcc. dnl This test relies on AC_LANG_WERROR @@ -4294,6 +4314,7 @@ AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PA AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.]) AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.]) AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.]) +AH_TEMPLATE(NO_LEAKS, [Define to 1 if you want sudo to free up memory before exiting.]) AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.]) AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM session support.]) AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.]) -- 2.40.0