mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-28 12:57:50 +00:00
Code Issues Releases Wiki Activity

Move address sanitizer and fuzzer checks to m4/sanitizer.m4

Browse Source
This commit is contained in:
Todd C. Miller 2022-12-05 12:33:44 -07:00
parent ea5668086c
commit 4220e6631b
5 changed files with 432 additions and 423 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
MANIFEST
View File

@ -433,6 +433,7 @@ m4/ltversion.m4
m4/lt~obsolete.m4 m4/lt~obsolete.m4
m4/python.m4 m4/python.m4
m4/runlog.m4 m4/runlog.m4
m4/sanitizer.m4
m4/sudo.m4 m4/sudo.m4
m4/visibility.m4 m4/visibility.m4
pathnames.h.in pathnames.h.in

1
aclocal.m4 vendored
View File

@ -26,5 +26,6 @@ m4_include([m4/ltversion.m4])
m4_include([m4/lt~obsolete.m4]) m4_include([m4/lt~obsolete.m4])
m4_include([m4/python.m4]) m4_include([m4/python.m4])
m4_include([m4/runlog.m4]) m4_include([m4/runlog.m4])
m4_include([m4/sanitizer.m4])
m4_include([m4/sudo.m4]) m4_include([m4/sudo.m4])
m4_include([m4/visibility.m4]) m4_include([m4/visibility.m4])

677
configure vendored
View File

@ -31602,6 +31602,327 @@ fi
;; ;;
esac esac
if test -n "$GCC"; then
if test -z "$enable_pie"; then
case "$host_os" in
linux*)
# Attempt to build with PIE support
enable_pie="maybe"
;;
esac
fi
if test -n "$enable_pie"; then
if test "$enable_pie" = "no"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5
printf %s "checking whether C compiler accepts -fno-pie... " >&6; }
if test ${ax_cv_check_cflags___fno_pie+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fno-pie"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ax_cv_check_cflags___fno_pie=yes
else case e in #(
e) ax_cv_check_cflags___fno_pie=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_pie" >&5
printf "%s\n" "$ax_cv_check_cflags___fno_pie" >&6; }
if test "x$ax_cv_check_cflags___fno_pie" = xyes
then :
_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fno-pie"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5
printf %s "checking whether the linker accepts -nopie... " >&6; }
if test ${ax_cv_check_ldflags___nopie+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -nopie"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
ax_cv_check_ldflags___nopie=yes
else case e in #(
e) ax_cv_check_ldflags___nopie=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___nopie" >&5
printf "%s\n" "$ax_cv_check_ldflags___nopie" >&6; }
if test x"$ax_cv_check_ldflags___nopie" = xyes
then :
PIE_CFLAGS="-fno-pie"
PIE_LDFLAGS="-nopie"
else case e in #(
e) : ;;
esac
fi
CFLAGS="$_CFLAGS"
else case e in #(
e) : ;;
esac
fi
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5
printf %s "checking whether C compiler accepts -fPIE... " >&6; }
if test ${ax_cv_check_cflags___fPIE+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fPIE"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ax_cv_check_cflags___fPIE=yes
else case e in #(
e) ax_cv_check_cflags___fPIE=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5
printf "%s\n" "$ax_cv_check_cflags___fPIE" >&6; }
if test "x$ax_cv_check_cflags___fPIE" = xyes
then :
_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIE"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5
printf %s "checking whether the linker accepts -pie... " >&6; }
if test ${ax_cv_check_ldflags___pie+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -pie"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
ax_cv_check_ldflags___pie=yes
else case e in #(
e) ax_cv_check_ldflags___pie=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5
printf "%s\n" "$ax_cv_check_ldflags___pie" >&6; }
if test x"$ax_cv_check_ldflags___pie" = xyes
then :
if test "$enable_pie" = "maybe"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5
printf %s "checking for working PIE support... " >&6; }
if test ${sudo_cv_working_pie+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
if test "$cross_compiling" = yes
then :
sudo_cv_working_pie=no
else case e in #(
e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
$ac_includes_default
int main() { char *p = malloc(1024); if (p == NULL) return 1; memset(p, 0, 1024); return 0; }
_ACEOF
if ac_fn_c_try_run "$LINENO"
then :
sudo_cv_working_pie=yes
else case e in #(
e) sudo_cv_working_pie=no ;;
esac
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext ;;
esac
fi
;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_working_pie" >&5
printf "%s\n" "$sudo_cv_working_pie" >&6; }
if test $sudo_cv_working_pie = yes
then :
enable_pie=yes
fi
fi
if test "$enable_pie" = "yes"; then
PIE_CFLAGS="-fPIE"
PIE_LDFLAGS="-Wc,-fPIE -pie"
fi
else case e in #(
e) : ;;
esac
fi
CFLAGS="$_CFLAGS"
else case e in #(
e) : ;;
esac
fi
fi
fi
fi
if test "$enable_pie" != "yes"; then
# Solaris 11.1 and higher supports tagging binaries to use ASLR
case "$host_os" in
solaris2.1[1-9]|solaris2.[2-9][0-9])
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,aslr" >&5
printf %s "checking whether the linker accepts -Wl,-z,aslr... " >&6; }
if test ${ax_cv_check_ldflags___Wl__z_aslr+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,aslr"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
ax_cv_check_ldflags___Wl__z_aslr=yes
else case e in #(
e) ax_cv_check_ldflags___Wl__z_aslr=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_aslr" >&5
printf "%s\n" "$ax_cv_check_ldflags___Wl__z_aslr" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_aslr" = xyes
then :
if test ${PIE_LDFLAGS+y}
then :
case " $PIE_LDFLAGS " in #(
*" -Wl,-z,aslr "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS already contains -Wl,-z,aslr"; } >&5
(: PIE_LDFLAGS already contains -Wl,-z,aslr) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append PIE_LDFLAGS " -Wl,-z,aslr"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS=\"\$PIE_LDFLAGS\""; } >&5
(: PIE_LDFLAGS="$PIE_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
PIE_LDFLAGS=-Wl,-z,aslr
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS=\"\$PIE_LDFLAGS\""; } >&5
(: PIE_LDFLAGS="$PIE_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
else case e in #(
e) : ;;
esac
fi
;;
esac
fi
if test -n "$GCC"; then if test -n "$GCC"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fvisibility=hidden" >&5 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fvisibility=hidden" >&5
@ -32042,7 +32363,8 @@ printf "%s\n" "$sudo_cv_var_hpux_ld_symbol_export" >&6; }
fi fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--allow-multiple-definition" >&5 if test X"${enable_sanitizer}{enable_fuzzer}" != X"nono"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--allow-multiple-definition" >&5
printf %s "checking whether the linker accepts -Wl,--allow-multiple-definition... " >&6; } printf %s "checking whether the linker accepts -Wl,--allow-multiple-definition... " >&6; }
if test ${ax_cv_check_ldflags___Wl___allow_multiple_definition+y} if test ${ax_cv_check_ldflags___Wl___allow_multiple_definition+y}
then : then :
@ -32079,21 +32401,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl___allow_multiple_definition" >&6; }
if test x"$ax_cv_check_ldflags___Wl___allow_multiple_definition" = xyes if test x"$ax_cv_check_ldflags___Wl___allow_multiple_definition" = xyes
then : then :
if test ${LDFLAGS+y} if test ${ASAN_LDFLAGS+y}
then : then :
case " $LDFLAGS " in #( case " $ASAN_LDFLAGS " in #(
*" -Wl,--allow-multiple-definition "*) : *" -Wl,--allow-multiple-definition "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,--allow-multiple-definition"; } >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : ASAN_LDFLAGS already contains -Wl,--allow-multiple-definition"; } >&5
(: LDFLAGS already contains -Wl,--allow-multiple-definition) 2>&5 (: ASAN_LDFLAGS already contains -Wl,--allow-multiple-definition) 2>&5
ac_status=$? ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #( test $ac_status = 0; } ;; #(
*) : *) :
as_fn_append LDFLAGS " -Wl,--allow-multiple-definition" as_fn_append ASAN_LDFLAGS " -Wl,--allow-multiple-definition"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : ASAN_LDFLAGS=\"\$ASAN_LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5 (: ASAN_LDFLAGS="$ASAN_LDFLAGS") 2>&5
ac_status=$? ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } test $ac_status = 0; }
@ -32102,9 +32424,9 @@ esac
else case e in #( else case e in #(
e) e)
LDFLAGS=-Wl,--allow-multiple-definition ASAN_LDFLAGS=-Wl,--allow-multiple-definition
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : ASAN_LDFLAGS=\"\$ASAN_LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5 (: ASAN_LDFLAGS="$ASAN_LDFLAGS") 2>&5
ac_status=$? ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } test $ac_status = 0; }
@ -32117,8 +32439,9 @@ else case e in #(
esac esac
fi fi
fi
if test "$enable_sanitizer" != "no"; then if test X"$enable_sanitizer" != X"no"; then
as_CACHEVAR=`printf "%s\n" "ax_cv_check_cflags__$enable_sanitizer" | sed "$as_sed_sh"` as_CACHEVAR=`printf "%s\n" "ax_cv_check_cflags__$enable_sanitizer" | sed "$as_sed_sh"`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $enable_sanitizer" >&5 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $enable_sanitizer" >&5
printf %s "checking whether C compiler accepts $enable_sanitizer... " >&6; } printf %s "checking whether C compiler accepts $enable_sanitizer... " >&6; }
@ -32342,7 +32665,7 @@ fi
libasan=`$CC -print-file-name=libasan.so 2>/dev/null` libasan=`$CC -print-file-name=libasan.so 2>/dev/null`
if test -n "$libasan" -a X"$libasan" != X"libasan.so"; then if test -n "$libasan" -a X"$libasan" != X"libasan.so"; then
# libasan.so may be a linker script # libasan.so may be a linker script
libasan="`awk 'BEGIN {lib=ARGV[1]} /^INPUT/ {lib=$3} END {print lib}' \"$libasan\"`" libasan="`awk 'BEGIN {lib=ARGV[1]} /^INPUT/ {lib=} END {print lib}' \"$libasan\"`"
cat >>confdefs.h <<EOF cat >>confdefs.h <<EOF
#define _PATH_ASAN_LIB "$libasan" #define _PATH_ASAN_LIB "$libasan"
EOF EOF
@ -32358,8 +32681,9 @@ else case e in #(
esac esac
fi fi
fi fi
if test "$enable_fuzzer" = "yes"; then
if test X"$enable_fuzzer" = X"yes"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=fuzzer-no-link" >&5 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=fuzzer-no-link" >&5
printf %s "checking whether C compiler accepts -fsanitize=fuzzer-no-link... " >&6; } printf %s "checking whether C compiler accepts -fsanitize=fuzzer-no-link... " >&6; }
if test ${ax_cv_check_cflags___fsanitize_fuzzer_no_link+y} if test ${ax_cv_check_cflags___fsanitize_fuzzer_no_link+y}
@ -32622,331 +32946,10 @@ else case e in #(
esac esac
fi fi
else else
# Not using compiler fuzzing support, link with stub library. # Not using compiler fuzzing support, link with stub library.
FUZZ_ENGINE='$(top_builddir)/lib/fuzzstub/libsudo_fuzzstub.la' FUZZ_ENGINE='$(top_builddir)/lib/fuzzstub/libsudo_fuzzstub.la'
fi
if test -n "$GCC"; then
if test -z "$enable_pie"; then
case "$host_os" in
linux*)
# Attempt to build with PIE support
enable_pie="maybe"
;;
esac
fi fi
if test -n "$enable_pie"; then
if test "$enable_pie" = "no"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5
printf %s "checking whether C compiler accepts -fno-pie... " >&6; }
if test ${ax_cv_check_cflags___fno_pie+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fno-pie"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ax_cv_check_cflags___fno_pie=yes
else case e in #(
e) ax_cv_check_cflags___fno_pie=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_pie" >&5
printf "%s\n" "$ax_cv_check_cflags___fno_pie" >&6; }
if test "x$ax_cv_check_cflags___fno_pie" = xyes
then :
_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fno-pie"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5
printf %s "checking whether the linker accepts -nopie... " >&6; }
if test ${ax_cv_check_ldflags___nopie+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -nopie"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
ax_cv_check_ldflags___nopie=yes
else case e in #(
e) ax_cv_check_ldflags___nopie=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___nopie" >&5
printf "%s\n" "$ax_cv_check_ldflags___nopie" >&6; }
if test x"$ax_cv_check_ldflags___nopie" = xyes
then :
PIE_CFLAGS="-fno-pie"
PIE_LDFLAGS="-nopie"
else case e in #(
e) : ;;
esac
fi
CFLAGS="$_CFLAGS"
else case e in #(
e) : ;;
esac
fi
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5
printf %s "checking whether C compiler accepts -fPIE... " >&6; }
if test ${ax_cv_check_cflags___fPIE+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fPIE"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ax_cv_check_cflags___fPIE=yes
else case e in #(
e) ax_cv_check_cflags___fPIE=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5
printf "%s\n" "$ax_cv_check_cflags___fPIE" >&6; }
if test "x$ax_cv_check_cflags___fPIE" = xyes
then :
_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fPIE"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5
printf %s "checking whether the linker accepts -pie... " >&6; }
if test ${ax_cv_check_ldflags___pie+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -pie"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
ax_cv_check_ldflags___pie=yes
else case e in #(
e) ax_cv_check_ldflags___pie=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5
printf "%s\n" "$ax_cv_check_ldflags___pie" >&6; }
if test x"$ax_cv_check_ldflags___pie" = xyes
then :
if test "$enable_pie" = "maybe"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5
printf %s "checking for working PIE support... " >&6; }
if test ${sudo_cv_working_pie+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
if test "$cross_compiling" = yes
then :
sudo_cv_working_pie=no
else case e in #(
e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
$ac_includes_default
int main() { char *p = malloc(1024); if (p == NULL) return 1; memset(p, 0, 1024); return 0; }
_ACEOF
if ac_fn_c_try_run "$LINENO"
then :
sudo_cv_working_pie=yes
else case e in #(
e) sudo_cv_working_pie=no ;;
esac
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext ;;
esac
fi
;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_working_pie" >&5
printf "%s\n" "$sudo_cv_working_pie" >&6; }
if test $sudo_cv_working_pie = yes
then :
enable_pie=yes
fi
fi
if test "$enable_pie" = "yes"; then
PIE_CFLAGS="-fPIE"
PIE_LDFLAGS="-Wc,-fPIE -pie"
fi
else case e in #(
e) : ;;
esac
fi
CFLAGS="$_CFLAGS"
else case e in #(
e) : ;;
esac
fi
fi
fi
fi
if test "$enable_pie" != "yes"; then
# Solaris 11.1 and higher supports tagging binaries to use ASLR
case "$host_os" in
solaris2.1[1-9]|solaris2.[2-9][0-9])
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,aslr" >&5
printf %s "checking whether the linker accepts -Wl,-z,aslr... " >&6; }
if test ${ax_cv_check_ldflags___Wl__z_aslr+y}
then :
printf %s "(cached) " >&6
else case e in #(
e)
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,aslr"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
ax_cv_check_ldflags___Wl__z_aslr=yes
else case e in #(
e) ax_cv_check_ldflags___Wl__z_aslr=no ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags ;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_aslr" >&5
printf "%s\n" "$ax_cv_check_ldflags___Wl__z_aslr" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_aslr" = xyes
then :
if test ${PIE_LDFLAGS+y}
then :
case " $PIE_LDFLAGS " in #(
*" -Wl,-z,aslr "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS already contains -Wl,-z,aslr"; } >&5
(: PIE_LDFLAGS already contains -Wl,-z,aslr) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append PIE_LDFLAGS " -Wl,-z,aslr"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS=\"\$PIE_LDFLAGS\""; } >&5
(: PIE_LDFLAGS="$PIE_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
PIE_LDFLAGS=-Wl,-z,aslr
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : PIE_LDFLAGS=\"\$PIE_LDFLAGS\""; } >&5
(: PIE_LDFLAGS="$PIE_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
else case e in #(
e) : ;;
esac
fi
;;
esac
fi
if test "$enable_hardening" != "no"; then if test "$enable_hardening" != "no"; then

63
configure.ac
View File

@ -4568,67 +4568,6 @@ case "$OS" in
;; ;;
esac esac
SUDO_SYMBOL_VISIBILITY
dnl
dnl For fuzz_policy we redefine getaddrinfo() and freeaddrinfo(), but
dnl this can cause problems with ld.lld when sanitizers are enabled.
dnl
AX_CHECK_LINK_FLAG([-Wl,--allow-multiple-definition], [AX_APPEND_FLAG([-Wl,--allow-multiple-definition], [LDFLAGS])])
dnl
dnl Check for -fsanitize support
dnl This test relies on AC_LANG_WERROR
dnl
if test "$enable_sanitizer" != "no"; then
AX_CHECK_COMPILE_FLAG([$enable_sanitizer], [
AX_APPEND_FLAG([$enable_sanitizer], [ASAN_CFLAGS])
AX_APPEND_FLAG([-XCClinker], [ASAN_LDFLAGS])
AX_APPEND_FLAG([$enable_sanitizer], [ASAN_LDFLAGS])
AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [
AX_APPEND_FLAG([-fno-omit-frame-pointer], [CFLAGS])
])
AC_DEFINE(NO_LEAKS)
dnl
dnl check for libasan.so so we can preload it before sudo_intercept.so
dnl gcc links asan dynamically, clang links it statically.
dnl
case `$CC --version 2>&1` in
*gcc*)
libasan=`$CC -print-file-name=libasan.so 2>/dev/null`
if test -n "$libasan" -a X"$libasan" != X"libasan.so"; then
# libasan.so may be a linker script
libasan="`awk 'BEGIN {lib=ARGV[[1]]} /^INPUT/ {lib=$3} END {print lib}' \"$libasan\"`"
SUDO_DEFINE_UNQUOTED(_PATH_ASAN_LIB, "$libasan", [Path to the libasan.so shared library])
fi
;;
esac
], [
AC_MSG_ERROR([$CC does not support the $enable_sanitizer flag])
])
fi
if test "$enable_fuzzer" = "yes"; then
AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link], [
AX_APPEND_FLAG([-fsanitize=fuzzer-no-link], [ASAN_CFLAGS])
AX_APPEND_FLAG([-XCClinker], [ASAN_LDFLAGS])
AX_APPEND_FLAG([-fsanitize=fuzzer-no-link], [ASAN_LDFLAGS])
if test -z "$FUZZ_ENGINE"; then
FUZZ_ENGINE="-fsanitize=fuzzer"
fi
AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [
AX_APPEND_FLAG([-fno-omit-frame-pointer], [CFLAGS])
])
# Use CFLAGS, not CPPFLAGS to match oss-fuzz behavior
AX_APPEND_FLAG([-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION], [CFLAGS])
AC_DEFINE(NO_LEAKS)
], [
AC_MSG_ERROR([$CC does not support the -fsanitize=fuzzer-no-link flag])
])
else
# Not using compiler fuzzing support, link with stub library.
FUZZ_ENGINE='$(top_builddir)/lib/fuzzstub/libsudo_fuzzstub.la'
fi
dnl dnl
dnl Check for PIE executable support if using gcc. dnl Check for PIE executable support if using gcc.
dnl This test relies on AC_LANG_WERROR dnl This test relies on AC_LANG_WERROR
@ -4680,6 +4619,8 @@ if test "$enable_pie" != "yes"; then
esac esac
fi fi
SUDO_SYMBOL_VISIBILITY
SUDO_CHECK_SANITIZER
SUDO_CHECK_HARDENING SUDO_CHECK_HARDENING
dnl dnl

63
m4/sanitizer.m4 Normal file
View File

@ -0,0 +1,63 @@
AC_DEFUN([SUDO_CHECK_SANITIZER], [
if test X"${enable_sanitizer}{enable_fuzzer}" != X"nono"; then
dnl
dnl For fuzz_policy we redefine getaddrinfo() and freeaddrinfo(), but
dnl this can cause problems with ld.lld when sanitizers are enabled.
dnl
AX_CHECK_LINK_FLAG([-Wl,--allow-multiple-definition], [AX_APPEND_FLAG([-Wl,--allow-multiple-definition], [ASAN_LDFLAGS])])
fi
dnl
dnl Check for -fsanitize support
dnl This test relies on AC_LANG_WERROR
dnl
if test X"$enable_sanitizer" != X"no"; then
AX_CHECK_COMPILE_FLAG([$enable_sanitizer], [
AX_APPEND_FLAG([$enable_sanitizer], [ASAN_CFLAGS])
AX_APPEND_FLAG([-XCClinker], [ASAN_LDFLAGS])
AX_APPEND_FLAG([$enable_sanitizer], [ASAN_LDFLAGS])
AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [
AX_APPEND_FLAG([-fno-omit-frame-pointer], [CFLAGS])
])
AC_DEFINE(NO_LEAKS)
dnl
dnl Check for libasan.so to preload it before sudo_intercept.so.
dnl gcc links asan dynamically, clang links it statically.
dnl
case `$CC --version 2>&1` in
*gcc*)
libasan=`$CC -print-file-name=libasan.so 2>/dev/null`
if test -n "$libasan" -a X"$libasan" != X"libasan.so"; then
# libasan.so may be a linker script
libasan="`awk 'BEGIN {lib=ARGV[[1]]} /^INPUT/ {lib=$3} END {print lib}' \"$libasan\"`"
SUDO_DEFINE_UNQUOTED(_PATH_ASAN_LIB, "$libasan", [Path to the libasan.so shared library])
fi
;;
esac
], [
AC_MSG_ERROR([$CC does not support the $enable_sanitizer flag])
])
fi
if test X"$enable_fuzzer" = X"yes"; then
AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link], [
AX_APPEND_FLAG([-fsanitize=fuzzer-no-link], [ASAN_CFLAGS])
AX_APPEND_FLAG([-XCClinker], [ASAN_LDFLAGS])
AX_APPEND_FLAG([-fsanitize=fuzzer-no-link], [ASAN_LDFLAGS])
if test -z "$FUZZ_ENGINE"; then
FUZZ_ENGINE="-fsanitize=fuzzer"
fi
AX_CHECK_COMPILE_FLAG([-fno-omit-frame-pointer], [
AX_APPEND_FLAG([-fno-omit-frame-pointer], [CFLAGS])
])
# Use CFLAGS, not CPPFLAGS to match oss-fuzz behavior
AX_APPEND_FLAG([-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION], [CFLAGS])
AC_DEFINE(NO_LEAKS)
], [
AC_MSG_ERROR([$CC does not support the -fsanitize=fuzzer-no-link flag])
])
else
# Not using compiler fuzzing support, link with stub library.
FUZZ_ENGINE='$(top_builddir)/lib/fuzzstub/libsudo_fuzzstub.la'
fi
])