From 4220e6631b3e780d3e8b8237b48d5c529164f0e1 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 5 Dec 2022 12:33:44 -0700 Subject: [PATCH] Move address sanitizer and fuzzer checks to m4/sanitizer.m4 --- MANIFEST | 1 + aclocal.m4 | 1 + configure | 727 ++++++++++++++++++++++++------------------------ configure.ac | 63 +---- m4/sanitizer.m4 | 63 +++++ 5 files changed, 432 insertions(+), 423 deletions(-) create mode 100644 m4/sanitizer.m4 diff --git a/MANIFEST b/MANIFEST index fb23cca2e..da6da8324 100644 --- a/MANIFEST +++ b/MANIFEST @@ -433,6 +433,7 @@ m4/ltversion.m4 m4/lt~obsolete.m4 m4/python.m4 m4/runlog.m4 +m4/sanitizer.m4 m4/sudo.m4 m4/visibility.m4 pathnames.h.in diff --git a/aclocal.m4 b/aclocal.m4 index 93d20ede7..db6648baa 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -26,5 +26,6 @@ m4_include([m4/ltversion.m4]) m4_include([m4/lt~obsolete.m4]) m4_include([m4/python.m4]) m4_include([m4/runlog.m4]) +m4_include([m4/sanitizer.m4]) m4_include([m4/sudo.m4]) m4_include([m4/visibility.m4]) diff --git a/configure b/configure index 32698a871..d41c5c02c 100755 --- a/configure +++ b/configure @@ -31602,6 +31602,327 @@ fi ;; esac +if test -n "$GCC"; then + if test -z "$enable_pie"; then + case "$host_os" in + linux*) + # Attempt to build with PIE support + enable_pie="maybe" + ;; + esac + fi + if test -n "$enable_pie"; then + if test "$enable_pie" = "no"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5 +printf %s "checking whether C compiler accepts -fno-pie... " >&6; } +if test ${ax_cv_check_cflags___fno_pie+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fno-pie" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags___fno_pie=yes +else case e in #( + e) ax_cv_check_cflags___fno_pie=no ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_pie" >&5 +printf "%s\n" "$ax_cv_check_cflags___fno_pie" >&6; } +if test "x$ax_cv_check_cflags___fno_pie" = xyes +then : + + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fno-pie" + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5 +printf %s "checking whether the linker accepts -nopie... " >&6; } +if test ${ax_cv_check_ldflags___nopie+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -nopie" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ax_cv_check_ldflags___nopie=yes +else case e in #( + e) ax_cv_check_ldflags___nopie=no ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___nopie" >&5 +printf "%s\n" "$ax_cv_check_ldflags___nopie" >&6; } +if test x"$ax_cv_check_ldflags___nopie" = xyes +then : + + PIE_CFLAGS="-fno-pie" + PIE_LDFLAGS="-nopie" + +else case e in #( + e) : ;; +esac +fi + + CFLAGS="$_CFLAGS" + +else case e in #( + e) : ;; +esac +fi + + else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5 +printf %s "checking whether C compiler accepts -fPIE... " >&6; } +if test ${ax_cv_check_cflags___fPIE+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fPIE" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags___fPIE=yes +else case e in #( + e) ax_cv_check_cflags___fPIE=no ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5 +printf "%s\n" "$ax_cv_check_cflags___fPIE" >&6; } +if test "x$ax_cv_check_cflags___fPIE" = xyes +then : + + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fPIE" + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5 +printf %s "checking whether the linker accepts -pie... " >&6; } +if test ${ax_cv_check_ldflags___pie+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -pie" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ax_cv_check_ldflags___pie=yes +else case e in #( + e) ax_cv_check_ldflags___pie=no ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5 +printf "%s\n" "$ax_cv_check_ldflags___pie" >&6; } +if test x"$ax_cv_check_ldflags___pie" = xyes +then : + + if test "$enable_pie" = "maybe"; then + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5 +printf %s "checking for working PIE support... " >&6; } +if test ${sudo_cv_working_pie+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) + if test "$cross_compiling" = yes +then : + sudo_cv_working_pie=no +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$ac_includes_default +int main() { char *p = malloc(1024); if (p == NULL) return 1; memset(p, 0, 1024); return 0; } +_ACEOF +if ac_fn_c_try_run "$LINENO" +then : + sudo_cv_working_pie=yes +else case e in #( + e) sudo_cv_working_pie=no ;; +esac +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext ;; +esac +fi + + ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_working_pie" >&5 +printf "%s\n" "$sudo_cv_working_pie" >&6; } + if test $sudo_cv_working_pie = yes +then : + enable_pie=yes +fi + + fi + if test "$enable_pie" = "yes"; then + PIE_CFLAGS="-fPIE" + PIE_LDFLAGS="-Wc,-fPIE -pie" + fi + +else case e in #( + e) : ;; +esac +fi + + CFLAGS="$_CFLAGS" + +else case e in #( + e) : ;; +esac +fi + + fi + fi +fi +if test "$enable_pie" != "yes"; then + # Solaris 11.1 and higher supports tagging binaries to use ASLR + case "$host_os" in + solaris2.1[1-9]|solaris2.[2-9][0-9]) + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,aslr" >&5 +printf %s "checking whether the linker accepts -Wl,-z,aslr... " >&6; } +if test ${ax_cv_check_ldflags___Wl__z_aslr+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,-z,aslr" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ax_cv_check_ldflags___Wl__z_aslr=yes +else case e in #( + e) ax_cv_check_ldflags___Wl__z_aslr=no ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_aslr" >&5 +printf "%s\n" "$ax_cv_check_ldflags___Wl__z_aslr" >&6; } +if test x"$ax_cv_check_ldflags___Wl__z_aslr" = xyes +then : + +if test ${PIE_LDFLAGS+y} +then : + + case " $PIE_LDFLAGS " in #( + *" -Wl,-z,aslr "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS already contains -Wl,-z,aslr"; } >&5 + (: PIE_LDFLAGS already contains -Wl,-z,aslr) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append PIE_LDFLAGS " -Wl,-z,aslr" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS=\"\$PIE_LDFLAGS\""; } >&5 + (: PIE_LDFLAGS="$PIE_LDFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else case e in #( + e) + PIE_LDFLAGS=-Wl,-z,aslr + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS=\"\$PIE_LDFLAGS\""; } >&5 + (: PIE_LDFLAGS="$PIE_LDFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac +fi + +else case e in #( + e) : ;; +esac +fi + + ;; + esac +fi + if test -n "$GCC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fvisibility=hidden" >&5 @@ -32042,7 +32363,8 @@ printf "%s\n" "$sudo_cv_var_hpux_ld_symbol_export" >&6; } fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--allow-multiple-definition" >&5 + if test X"${enable_sanitizer}{enable_fuzzer}" != X"nono"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--allow-multiple-definition" >&5 printf %s "checking whether the linker accepts -Wl,--allow-multiple-definition... " >&6; } if test ${ax_cv_check_ldflags___Wl___allow_multiple_definition+y} then : @@ -32079,21 +32401,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl___allow_multiple_definition" >&6; } if test x"$ax_cv_check_ldflags___Wl___allow_multiple_definition" = xyes then : -if test ${LDFLAGS+y} +if test ${ASAN_LDFLAGS+y} then : - case " $LDFLAGS " in #( + case " $ASAN_LDFLAGS " in #( *" -Wl,--allow-multiple-definition "*) : - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,--allow-multiple-definition"; } >&5 - (: LDFLAGS already contains -Wl,--allow-multiple-definition) 2>&5 + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : ASAN_LDFLAGS already contains -Wl,--allow-multiple-definition"; } >&5 + (: ASAN_LDFLAGS already contains -Wl,--allow-multiple-definition) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } ;; #( *) : - as_fn_append LDFLAGS " -Wl,--allow-multiple-definition" - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 - (: LDFLAGS="$LDFLAGS") 2>&5 + as_fn_append ASAN_LDFLAGS " -Wl,--allow-multiple-definition" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : ASAN_LDFLAGS=\"\$ASAN_LDFLAGS\""; } >&5 + (: ASAN_LDFLAGS="$ASAN_LDFLAGS") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } @@ -32102,9 +32424,9 @@ esac else case e in #( e) - LDFLAGS=-Wl,--allow-multiple-definition - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 - (: LDFLAGS="$LDFLAGS") 2>&5 + ASAN_LDFLAGS=-Wl,--allow-multiple-definition + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : ASAN_LDFLAGS=\"\$ASAN_LDFLAGS\""; } >&5 + (: ASAN_LDFLAGS="$ASAN_LDFLAGS") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } @@ -32117,9 +32439,10 @@ else case e in #( esac fi + fi -if test "$enable_sanitizer" != "no"; then - as_CACHEVAR=`printf "%s\n" "ax_cv_check_cflags__$enable_sanitizer" | sed "$as_sed_sh"` + if test X"$enable_sanitizer" != X"no"; then + as_CACHEVAR=`printf "%s\n" "ax_cv_check_cflags__$enable_sanitizer" | sed "$as_sed_sh"` { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $enable_sanitizer" >&5 printf %s "checking whether C compiler accepts $enable_sanitizer... " >&6; } if eval test \${$as_CACHEVAR+y} @@ -32259,7 +32582,7 @@ else case e in #( esac fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-omit-frame-pointer" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-omit-frame-pointer" >&5 printf %s "checking whether C compiler accepts -fno-omit-frame-pointer... " >&6; } if test ${ax_cv_check_cflags___fno_omit_frame_pointer+y} then : @@ -32335,32 +32658,33 @@ else case e in #( esac fi - printf "%s\n" "#define NO_LEAKS 1" >>confdefs.h + printf "%s\n" "#define NO_LEAKS 1" >>confdefs.h - case `$CC --version 2>&1` in - *gcc*) - libasan=`$CC -print-file-name=libasan.so 2>/dev/null` - if test -n "$libasan" -a X"$libasan" != X"libasan.so"; then - # libasan.so may be a linker script - libasan="`awk 'BEGIN {lib=ARGV[1]} /^INPUT/ {lib=$3} END {print lib}' \"$libasan\"`" - cat >>confdefs.h <&1` in + *gcc*) + libasan=`$CC -print-file-name=libasan.so 2>/dev/null` + if test -n "$libasan" -a X"$libasan" != X"libasan.so"; then + # libasan.so may be a linker script + libasan="`awk 'BEGIN {lib=ARGV[1]} /^INPUT/ {lib=} END {print lib}' \"$libasan\"`" + cat >>confdefs.h <&5 + fi + + if test X"$enable_fuzzer" = X"yes"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=fuzzer-no-link" >&5 printf %s "checking whether C compiler accepts -fsanitize=fuzzer-no-link... " >&6; } if test ${ax_cv_check_cflags___fsanitize_fuzzer_no_link+y} then : @@ -32498,10 +32822,10 @@ else case e in #( esac fi - if test -z "$FUZZ_ENGINE"; then - FUZZ_ENGINE="-fsanitize=fuzzer" - fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-omit-frame-pointer" >&5 + if test -z "$FUZZ_ENGINE"; then + FUZZ_ENGINE="-fsanitize=fuzzer" + fi + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-omit-frame-pointer" >&5 printf %s "checking whether C compiler accepts -fno-omit-frame-pointer... " >&6; } if test ${ax_cv_check_cflags___fno_omit_frame_pointer+y} then : @@ -32577,7 +32901,7 @@ else case e in #( esac fi - # Use CFLAGS, not CPPFLAGS to match oss-fuzz behavior + # Use CFLAGS, not CPPFLAGS to match oss-fuzz behavior if test ${CFLAGS+y} then : @@ -32612,341 +32936,20 @@ else case e in #( esac fi - printf "%s\n" "#define NO_LEAKS 1" >>confdefs.h + printf "%s\n" "#define NO_LEAKS 1" >>confdefs.h else case e in #( e) - as_fn_error $? "$CC does not support the -fsanitize=fuzzer-no-link flag" "$LINENO" 5 - ;; + as_fn_error $? "$CC does not support the -fsanitize=fuzzer-no-link flag" "$LINENO" 5 + ;; esac fi -else - # Not using compiler fuzzing support, link with stub library. - FUZZ_ENGINE='$(top_builddir)/lib/fuzzstub/libsudo_fuzzstub.la' -fi - -if test -n "$GCC"; then - if test -z "$enable_pie"; then - case "$host_os" in - linux*) - # Attempt to build with PIE support - enable_pie="maybe" - ;; - esac + else + # Not using compiler fuzzing support, link with stub library. + FUZZ_ENGINE='$(top_builddir)/lib/fuzzstub/libsudo_fuzzstub.la' fi - if test -n "$enable_pie"; then - if test "$enable_pie" = "no"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5 -printf %s "checking whether C compiler accepts -fno-pie... " >&6; } -if test ${ax_cv_check_cflags___fno_pie+y} -then : - printf %s "(cached) " >&6 -else case e in #( - e) - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fno-pie" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - ax_cv_check_cflags___fno_pie=yes -else case e in #( - e) ax_cv_check_cflags___fno_pie=no ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - CFLAGS=$ax_check_save_flags ;; -esac -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_pie" >&5 -printf "%s\n" "$ax_cv_check_cflags___fno_pie" >&6; } -if test "x$ax_cv_check_cflags___fno_pie" = xyes -then : - - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-pie" - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5 -printf %s "checking whether the linker accepts -nopie... " >&6; } -if test ${ax_cv_check_ldflags___nopie+y} -then : - printf %s "(cached) " >&6 -else case e in #( - e) - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -nopie" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - ax_cv_check_ldflags___nopie=yes -else case e in #( - e) ax_cv_check_ldflags___nopie=no ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags ;; -esac -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___nopie" >&5 -printf "%s\n" "$ax_cv_check_ldflags___nopie" >&6; } -if test x"$ax_cv_check_ldflags___nopie" = xyes -then : - - PIE_CFLAGS="-fno-pie" - PIE_LDFLAGS="-nopie" - -else case e in #( - e) : ;; -esac -fi - - CFLAGS="$_CFLAGS" - -else case e in #( - e) : ;; -esac -fi - - else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5 -printf %s "checking whether C compiler accepts -fPIE... " >&6; } -if test ${ax_cv_check_cflags___fPIE+y} -then : - printf %s "(cached) " >&6 -else case e in #( - e) - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fPIE" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - ax_cv_check_cflags___fPIE=yes -else case e in #( - e) ax_cv_check_cflags___fPIE=no ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - CFLAGS=$ax_check_save_flags ;; -esac -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5 -printf "%s\n" "$ax_cv_check_cflags___fPIE" >&6; } -if test "x$ax_cv_check_cflags___fPIE" = xyes -then : - - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fPIE" - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5 -printf %s "checking whether the linker accepts -pie... " >&6; } -if test ${ax_cv_check_ldflags___pie+y} -then : - printf %s "(cached) " >&6 -else case e in #( - e) - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -pie" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - ax_cv_check_ldflags___pie=yes -else case e in #( - e) ax_cv_check_ldflags___pie=no ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags ;; -esac -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5 -printf "%s\n" "$ax_cv_check_ldflags___pie" >&6; } -if test x"$ax_cv_check_ldflags___pie" = xyes -then : - - if test "$enable_pie" = "maybe"; then - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5 -printf %s "checking for working PIE support... " >&6; } -if test ${sudo_cv_working_pie+y} -then : - printf %s "(cached) " >&6 -else case e in #( - e) - if test "$cross_compiling" = yes -then : - sudo_cv_working_pie=no -else case e in #( - e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$ac_includes_default -int main() { char *p = malloc(1024); if (p == NULL) return 1; memset(p, 0, 1024); return 0; } -_ACEOF -if ac_fn_c_try_run "$LINENO" -then : - sudo_cv_working_pie=yes -else case e in #( - e) sudo_cv_working_pie=no ;; -esac -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext ;; -esac -fi - - ;; -esac -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_working_pie" >&5 -printf "%s\n" "$sudo_cv_working_pie" >&6; } - if test $sudo_cv_working_pie = yes -then : - enable_pie=yes -fi - - fi - if test "$enable_pie" = "yes"; then - PIE_CFLAGS="-fPIE" - PIE_LDFLAGS="-Wc,-fPIE -pie" - fi - -else case e in #( - e) : ;; -esac -fi - - CFLAGS="$_CFLAGS" - -else case e in #( - e) : ;; -esac -fi - - fi - fi -fi -if test "$enable_pie" != "yes"; then - # Solaris 11.1 and higher supports tagging binaries to use ASLR - case "$host_os" in - solaris2.1[1-9]|solaris2.[2-9][0-9]) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,aslr" >&5 -printf %s "checking whether the linker accepts -Wl,-z,aslr... " >&6; } -if test ${ax_cv_check_ldflags___Wl__z_aslr+y} -then : - printf %s "(cached) " >&6 -else case e in #( - e) - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -Wl,-z,aslr" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - ax_cv_check_ldflags___Wl__z_aslr=yes -else case e in #( - e) ax_cv_check_ldflags___Wl__z_aslr=no ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags ;; -esac -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_aslr" >&5 -printf "%s\n" "$ax_cv_check_ldflags___Wl__z_aslr" >&6; } -if test x"$ax_cv_check_ldflags___Wl__z_aslr" = xyes -then : - -if test ${PIE_LDFLAGS+y} -then : - - case " $PIE_LDFLAGS " in #( - *" -Wl,-z,aslr "*) : - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS already contains -Wl,-z,aslr"; } >&5 - (: PIE_LDFLAGS already contains -Wl,-z,aslr) 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } ;; #( - *) : - - as_fn_append PIE_LDFLAGS " -Wl,-z,aslr" - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS=\"\$PIE_LDFLAGS\""; } >&5 - (: PIE_LDFLAGS="$PIE_LDFLAGS") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } - ;; -esac - -else case e in #( - e) - PIE_LDFLAGS=-Wl,-z,aslr - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS=\"\$PIE_LDFLAGS\""; } >&5 - (: PIE_LDFLAGS="$PIE_LDFLAGS") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } - ;; -esac -fi - -else case e in #( - e) : ;; -esac -fi - - ;; - esac -fi if test "$enable_hardening" != "no"; then diff --git a/configure.ac b/configure.ac index 27c15959d..abd52aab3 100644 --- a/configure.ac +++ b/configure.ac @@ -4568,67 +4568,6 @@ case "$OS" in ;; esac -SUDO_SYMBOL_VISIBILITY - -dnl -dnl For fuzz_policy we redefine getaddrinfo() and freeaddrinfo(), but -dnl this can cause problems with ld.lld when sanitizers are enabled. -dnl -AX_CHECK_LINK_FLAG([-Wl,--allow-multiple-definition], [AX_APPEND_FLAG([-Wl,--allow-multiple-definition], [LDFLAGS])]) - -dnl -dnl Check for -fsanitize support -dnl This test relies on AC_LANG_WERROR -dnl -if test "$enable_sanitizer" != "no"; then - AX_CHECK_COMPILE_FLAG([$enable_sanitizer], [ - AX_APPEND_FLAG([$enable_sanitizer], [ASAN_CFLAGS]) - AX_APPEND_FLAG([-XCClinker], [ASAN_LDFLAGS]) - AX_APPEND_FLAG([$enable_sanitizer], [ASAN_LDFLAGS]) - AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [ - AX_APPEND_FLAG([-fno-omit-frame-pointer], [CFLAGS]) - ]) - AC_DEFINE(NO_LEAKS) - dnl - dnl check for libasan.so so we can preload it before sudo_intercept.so - dnl gcc links asan dynamically, clang links it statically. - dnl - case `$CC --version 2>&1` in - *gcc*) - libasan=`$CC -print-file-name=libasan.so 2>/dev/null` - if test -n "$libasan" -a X"$libasan" != X"libasan.so"; then - # libasan.so may be a linker script - libasan="`awk 'BEGIN {lib=ARGV[[1]]} /^INPUT/ {lib=$3} END {print lib}' \"$libasan\"`" - SUDO_DEFINE_UNQUOTED(_PATH_ASAN_LIB, "$libasan", [Path to the libasan.so shared library]) - fi - ;; - esac - ], [ - AC_MSG_ERROR([$CC does not support the $enable_sanitizer flag]) - ]) -fi -if test "$enable_fuzzer" = "yes"; then - AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link], [ - AX_APPEND_FLAG([-fsanitize=fuzzer-no-link], [ASAN_CFLAGS]) - AX_APPEND_FLAG([-XCClinker], [ASAN_LDFLAGS]) - AX_APPEND_FLAG([-fsanitize=fuzzer-no-link], [ASAN_LDFLAGS]) - if test -z "$FUZZ_ENGINE"; then - FUZZ_ENGINE="-fsanitize=fuzzer" - fi - AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [ - AX_APPEND_FLAG([-fno-omit-frame-pointer], [CFLAGS]) - ]) - # Use CFLAGS, not CPPFLAGS to match oss-fuzz behavior - AX_APPEND_FLAG([-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION], [CFLAGS]) - AC_DEFINE(NO_LEAKS) - ], [ - AC_MSG_ERROR([$CC does not support the -fsanitize=fuzzer-no-link flag]) - ]) -else - # Not using compiler fuzzing support, link with stub library. - FUZZ_ENGINE='$(top_builddir)/lib/fuzzstub/libsudo_fuzzstub.la' -fi - dnl dnl Check for PIE executable support if using gcc. dnl This test relies on AC_LANG_WERROR @@ -4680,6 +4619,8 @@ if test "$enable_pie" != "yes"; then esac fi +SUDO_SYMBOL_VISIBILITY +SUDO_CHECK_SANITIZER SUDO_CHECK_HARDENING dnl diff --git a/m4/sanitizer.m4 b/m4/sanitizer.m4 new file mode 100644 index 000000000..f1a2e79eb --- /dev/null +++ b/m4/sanitizer.m4 @@ -0,0 +1,63 @@ +AC_DEFUN([SUDO_CHECK_SANITIZER], [ + if test X"${enable_sanitizer}{enable_fuzzer}" != X"nono"; then + dnl + dnl For fuzz_policy we redefine getaddrinfo() and freeaddrinfo(), but + dnl this can cause problems with ld.lld when sanitizers are enabled. + dnl + AX_CHECK_LINK_FLAG([-Wl,--allow-multiple-definition], [AX_APPEND_FLAG([-Wl,--allow-multiple-definition], [ASAN_LDFLAGS])]) + fi + + dnl + dnl Check for -fsanitize support + dnl This test relies on AC_LANG_WERROR + dnl + if test X"$enable_sanitizer" != X"no"; then + AX_CHECK_COMPILE_FLAG([$enable_sanitizer], [ + AX_APPEND_FLAG([$enable_sanitizer], [ASAN_CFLAGS]) + AX_APPEND_FLAG([-XCClinker], [ASAN_LDFLAGS]) + AX_APPEND_FLAG([$enable_sanitizer], [ASAN_LDFLAGS]) + AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [ + AX_APPEND_FLAG([-fno-omit-frame-pointer], [CFLAGS]) + ]) + AC_DEFINE(NO_LEAKS) + dnl + dnl Check for libasan.so to preload it before sudo_intercept.so. + dnl gcc links asan dynamically, clang links it statically. + dnl + case `$CC --version 2>&1` in + *gcc*) + libasan=`$CC -print-file-name=libasan.so 2>/dev/null` + if test -n "$libasan" -a X"$libasan" != X"libasan.so"; then + # libasan.so may be a linker script + libasan="`awk 'BEGIN {lib=ARGV[[1]]} /^INPUT/ {lib=$3} END {print lib}' \"$libasan\"`" + SUDO_DEFINE_UNQUOTED(_PATH_ASAN_LIB, "$libasan", [Path to the libasan.so shared library]) + fi + ;; + esac + ], [ + AC_MSG_ERROR([$CC does not support the $enable_sanitizer flag]) + ]) + fi + + if test X"$enable_fuzzer" = X"yes"; then + AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link], [ + AX_APPEND_FLAG([-fsanitize=fuzzer-no-link], [ASAN_CFLAGS]) + AX_APPEND_FLAG([-XCClinker], [ASAN_LDFLAGS]) + AX_APPEND_FLAG([-fsanitize=fuzzer-no-link], [ASAN_LDFLAGS]) + if test -z "$FUZZ_ENGINE"; then + FUZZ_ENGINE="-fsanitize=fuzzer" + fi + AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [ + AX_APPEND_FLAG([-fno-omit-frame-pointer], [CFLAGS]) + ]) + # Use CFLAGS, not CPPFLAGS to match oss-fuzz behavior + AX_APPEND_FLAG([-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION], [CFLAGS]) + AC_DEFINE(NO_LEAKS) + ], [ + AC_MSG_ERROR([$CC does not support the -fsanitize=fuzzer-no-link flag]) + ]) + else + # Not using compiler fuzzing support, link with stub library. + FUZZ_ENGINE='$(top_builddir)/lib/fuzzstub/libsudo_fuzzstub.la' + fi +])