Add --enable-asan configure flag to enable address sanitizer

config.h.in

@@ -923,6 +923,9 @@
 /* Define to 1 if you don't want sudo to prompt for a password by default. */
 #undef NO_AUTHENTICATION
 
+/* Define to 1 if you want sudo to free up memory before exiting. */
+#undef NO_LEAKS
+
 /* Define to 1 if you don't want users to get the lecture the first they user
    sudo. */
 #undef NO_LECTURE

configure

@@ -943,6 +943,7 @@ enable_warnings
 enable_werror
 enable_hardening
 enable_pie
+enable_asan
 enable_poll
 enable_admin_flag
 enable_nls
@@ -1617,6 +1618,7 @@ Optional Features:
   --disable-hardening     Do not use compiler/linker exploit mitigation
                           options
   --enable-pie            Build sudo as a position independent executable.
+  --enable-asan           Build sudo with address sanitizer support.
   --disable-poll          Use select() instead of poll().
   --enable-admin-flag     Whether to create a Ubuntu-style admin flag file
   --disable-nls           Disable natural language support using gettext
@@ -6112,6 +6114,12 @@ if test "${enable_pie+set}" = set; then :
 fi
 
 
+# Check whether --enable-asan was given.
+if test "${enable_asan+set}" = set; then :
+  enableval=$enable_asan;
+fi
+
+
 # Check whether --enable-poll was given.
 if test "${enable_poll+set}" = set; then :
   enableval=$enable_poll;
@@ -23718,6 +23726,123 @@ $as_echo "$sudo_cv_var_hpux_ld_symbol_export" >&6; }
     fi
 fi
 
+if test "$enable_asan" = "yes"; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=address,undefined" >&5
+$as_echo_n "checking whether C compiler accepts -fsanitize=address,undefined... " >&6; }
+if ${ax_cv_check_cflags___fsanitize_address_undefined+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fsanitize=address,undefined"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___fsanitize_address_undefined=yes
+else
+  ax_cv_check_cflags___fsanitize_address_undefined=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fsanitize_address_undefined" >&5
+$as_echo "$ax_cv_check_cflags___fsanitize_address_undefined" >&6; }
+if test x"$ax_cv_check_cflags___fsanitize_address_undefined" = xyes; then :
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fsanitize=address,undefined" >&5
+$as_echo_n "checking whether the linker accepts -fsanitize=address,undefined... " >&6; }
+if ${ax_cv_check_ldflags___fsanitize_address_undefined+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$LDFLAGS
+  LDFLAGS="$LDFLAGS  -fsanitize=address,undefined"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ax_cv_check_ldflags___fsanitize_address_undefined=yes
+else
+  ax_cv_check_ldflags___fsanitize_address_undefined=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  LDFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fsanitize_address_undefined" >&5
+$as_echo "$ax_cv_check_ldflags___fsanitize_address_undefined" >&6; }
+if test x"$ax_cv_check_ldflags___fsanitize_address_undefined" = xyes; then :
+
+	    LDFLAGS="$LDFLAGS -fsanitize=address,undefined"
+	    CFLAGS="$CFLAGS -fsanitize=address,undefined"
+	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-omit-frame-pointer" >&5
+$as_echo_n "checking whether C compiler accepts -fno-omit-frame-pointer... " >&6; }
+if ${ax_cv_check_cflags___fno_omit_frame_pointer+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fno-omit-frame-pointer"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___fno_omit_frame_pointer=yes
+else
+  ax_cv_check_cflags___fno_omit_frame_pointer=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_omit_frame_pointer" >&5
+$as_echo "$ax_cv_check_cflags___fno_omit_frame_pointer" >&6; }
+if test x"$ax_cv_check_cflags___fno_omit_frame_pointer" = xyes; then :
+
+		CFLAGS="$CFLAGS -fno-omit-frame-pointer"
+
+else
+  :
+fi
+
+	    $as_echo "#define NO_LEAKS 1" >>confdefs.h
+
+
+else
+  :
+fi
+
+
+else
+  :
+fi
+
+fi
+
 if test -n "$GCC"; then
     if test -z "$enable_pie"; then
 	case "$host_os" in
@@ -26462,5 +26587,6 @@ fi
 
 
 
+
 
 

configure.ac

@@ -1451,6 +1451,9 @@ AC_ARG_ENABLE(hardening,
 AC_ARG_ENABLE(pie,
 [AS_HELP_STRING([--enable-pie], [Build sudo as a position independent executable.])])
 
+AC_ARG_ENABLE(asan,
+[AS_HELP_STRING([--enable-asan], [Build sudo with address sanitizer support.])])
+
 AC_ARG_ENABLE(poll,
 [AS_HELP_STRING([--disable-poll], [Use select() instead of poll().])])
 
@@ -3937,6 +3940,23 @@ EOF
     fi
 fi
 
+dnl
+dnl Check for -fsanitize=address,undefined support
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test "$enable_asan" = "yes"; then
+    AX_CHECK_COMPILE_FLAG([-fsanitize=address,undefined], [
+	AX_CHECK_LINK_FLAG([-fsanitize=address,undefined], [
+	    LDFLAGS="$LDFLAGS -fsanitize=address,undefined"
+	    CFLAGS="$CFLAGS -fsanitize=address,undefined"
+	    AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [
+		CFLAGS="$CFLAGS -fno-omit-frame-pointer"
+	    ])
+	    AC_DEFINE(NO_LEAKS)
+	])
+    ])
+fi
+
 dnl
 dnl Check for PIE executable support if using gcc.
 dnl This test relies on AC_LANG_WERROR
@@ -4294,6 +4314,7 @@ AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PA
 AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.])
 AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.])
 AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.])
+AH_TEMPLATE(NO_LEAKS, [Define to 1 if you want sudo to free up memory before exiting.])
 AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.])
 AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM session support.])
 AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.])