toolchain: Allow building with ASAN and UBSAN

This allows to build all user space with Address sanitizer and undefined
behavior sanitizer. It will automatically add this to the TRAGET_CFLAGS
and TARGET_LDFLAGS of every user space component.

This is only working with gcc 10.X, because the system init process will
mount /proc after it was started and ASAN needs it already earlier and
fails in the versions provided by older compilers.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/config/Config-build.in b/config/Config-build.in
index 0aaf6b31c38bd554d21305c0c397b92f22153fe7..7ecef388322e120d5c0498d46f3499f4066602b4 100644 (file)
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -388,4 +388,26 @@ menu "Global build settings"
 
        endchoice
 
+       config PKG_SANITIZER_ADDRESS
+               bool "Enable Address Sanitizer"
+               depends on USE_GLIBC
+               select PACKAGE_libasan
+               select USE_SANITIZER_ADDRESS
+               help
+                 This will build all user space applications with the Address Sanitizer enabled
+
+       config PKG_SANITIZER_UNDEFINED_BEHAVIOR
+               bool "Enable undefined behavior Sanitizer"
+               depends on USE_GLIBC
+               select PACKAGE_libubsan
+               select USE_SANITIZER_UNDEFINED_BEHAVIOR
+               help
+                 This will build all user space applications with the undefined behavior Sanitizer enabled
+
+       config USE_SANITIZER_ADDRESS
+               bool
+
+       config USE_SANITIZER_UNDEFINED_BEHAVIOR
+               bool
+
 endmenu

diff --git a/include/hardening.mk b/include/hardening.mk
index 4e49e6b1b904f1646d82dc4c95cdb11760ddedcb..be2271bd89835df033237231bcd61f6d8a346206 100644 (file)
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -11,6 +11,8 @@ PKG_ASLR_PIE_REGULAR ?= 0
 PKG_SSP ?= 1
 PKG_FORTIFY_SOURCE ?= 1
 PKG_RELRO ?= 1
+PKG_SANITIZER_ADDRESS ?= 1
+PKG_SANITIZER_UNDEFINED_BEHAVIOR ?= 1
 
 ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
   ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
@@ -61,4 +63,16 @@ ifdef CONFIG_PKG_RELRO_FULL
     TARGET_LDFLAGS += -znow -zrelro
   endif
 endif
+ifdef CONFIG_PKG_SANITIZER_ADDRESS
+  ifeq ($(strip $(PKG_SANITIZER_ADDRESS)),1)
+    TARGET_CFLAGS += -fsanitize=address
+    TARGET_LDFLAGS += -fsanitize=address
+  endif
+endif
+ifdef CONFIG_PKG_SANITIZER_UNDEFINED_BEHAVIOR
+  ifeq ($(strip $(PKG_SANITIZER_UNDEFINED_BEHAVIOR)),1)
+    TARGET_CFLAGS += -fsanitize=undefined
+    TARGET_LDFLAGS += -fsanitize=undefined
+  endif
+endif
 

diff --git a/include/package-defaults.mk b/include/package-defaults.mk
index 2a04bc17e904a133d52e1e1c5366292bef14961a..1e261db4eb0f500a55cd367e571bb4e4559d4348 100644 (file)
--- a/include/package-defaults.mk
+++ b/include/package-defaults.mk
@@ -5,7 +5,7 @@
 # See /LICENSE for more information.
 #
 
-PKG_DEFAULT_DEPENDS = +libc +USE_GLIBC:librt +USE_GLIBC:libpthread
+PKG_DEFAULT_DEPENDS = +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +USE_SANITIZER_ADDRESS:libasan +USE_SANITIZER_UNDEFINED_BEHAVIOR:libubsan
 
 ifneq ($(PKG_NAME),toolchain)
   PKG_FIXUP_DEPENDS = $(if $(filter kmod-%,$(1)),$(2),$(PKG_DEFAULT_DEPENDS) $(filter-out $(PKG_DEFAULT_DEPENDS),$(2)))

diff --git a/include/toolchain-build.mk b/include/toolchain-build.mk
index 35d8c9380ec190e45b48319b9fe75d15ca8c33f7..92f618a28d4e70cabdb106eff1fb1cf4de17ad88 100644 (file)
--- a/include/toolchain-build.mk
+++ b/include/toolchain-build.mk
@@ -10,6 +10,8 @@ override CONFIG_AUTOREMOVE=
 
 HOST_BUILD_PREFIX:=$(TOOLCHAIN_DIR)
 BUILD_DIR_HOST:=$(BUILD_DIR_TOOLCHAIN)
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 
 include $(INCLUDE_DIR)/host-build.mk
 include $(INCLUDE_DIR)/hardening.mk

diff --git a/package/boot/grub2/Makefile b/package/boot/grub2/Makefile
index 46e3597cc242d4056f14466485251e3347f0f065..59a3e7ee589056a7cc8f2a21873a1c50de0cd5a6 100644 (file)
--- a/package/boot/grub2/Makefile
+++ b/package/boot/grub2/Makefile
@@ -22,6 +22,8 @@ PKG_BUILD_DEPENDS:=grub2/host
 
 PKG_ASLR_PIE:=0
 PKG_SSP:=0
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 
 PKG_FLAGS:=nonshared
 

diff --git a/package/libs/toolchain/Makefile b/package/libs/toolchain/Makefile
index 52a4cda19f6a3affe5dfb170a1ce4c3d1b719947..4f97df65a8c4259ff853835da1ff0ae0cd567db4 100644 (file)
--- a/package/libs/toolchain/Makefile
+++ b/package/libs/toolchain/Makefile
@@ -13,6 +13,8 @@ PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=GPL-3.0-with-GCC-exception
 
 PKG_FLAGS:=hold essential nonshared
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 
 include $(INCLUDE_DIR)/package.mk
 

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8bbb26f829be7c730f5709f826d3ab5eb8318617..171860e67a16d6c8f4cc77251be1d77f65fc6d55 100644 (file)
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -23,6 +23,8 @@ PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server
 
 PKG_BUILD_PARALLEL:=1
 PKG_ASLR_PIE_REGULAR:=1
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 PKG_USE_MIPS16:=0
 PKG_FIXUP:=autoreconf
 PKG_FLAGS:=nonshared

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index e62cef0713790bd2db090dc0f0a256e268bf393d..8a9d1a166260f7e26d9b2262078f37327da498ce 100644 (file)
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -20,6 +20,8 @@ PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998
 PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam
 PKG_BUILD_PARALLEL:=1
 PKG_CHECK_FORMAT_SECURITY:=0
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
 
 #Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
 PKG_ASLR_PIE:=0