@@ -388,4 +388,26 @@ menu "Global build settings"
endchoice
+ config PKG_SANITIZER_ADDRESS
+ bool "Enable Address Sanitizer"
+ depends on USE_GLIBC
+ select PACKAGE_libasan
+ select USE_SANITIZER_ADDRESS
+ help
+ This will build all user space applications with the Address Sanitizer enabled
+
+ config PKG_SANITIZER_UNDEFINED_BEHAVIOR
+ bool "Enable undefined behavior Sanitizer"
+ depends on USE_GLIBC
+ select PACKAGE_libubsan
+ select USE_SANITIZER_UNDEFINED_BEHAVIOR
+ help
+ This will build all user space applications with the undefined behavior Sanitizer enabled
+
+ config USE_SANITIZER_ADDRESS
+ bool
+
+ config USE_SANITIZER_UNDEFINED_BEHAVIOR
+ bool
+
endmenu
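Review bot: The help text on both new options describes them only as a build switch, and because they sit in "Global build settings" beside the hardening choices they can be mistaken for a hardening feature. I would extend each help text with something like `This is diagnostic instrumentation for test and debug images; it adds significant memory and CPU overhead and is not a hardening option.` The commit description also says this only works with gcc 10.X, yet the only constraint encoded here is `depends on USE_GLIBC`. An additional `depends on` for the tree's GCC version symbol would keep unsupported configurations from being selected.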
@@ -11,6 +11,8 @@ PKG_ASLR_PIE_REGULAR ?= 0
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1
+PKG_SANITIZER_ADDRESS ?= 1
+PKG_SANITIZER_UNDEFINED_BEHAVIOR ?= 1
ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
@@ -61,4 +63,16 @@ ifdef CONFIG_PKG_RELRO_FULL
TARGET_LDFLAGS += -znow -zrelro
endif
endif
+ifdef CONFIG_PKG_SANITIZER_ADDRESS
+ ifeq ($(strip $(PKG_SANITIZER_ADDRESS)),1)
+ TARGET_CFLAGS += -fsanitize=address
+ TARGET_LDFLAGS += -fsanitize=address
+ endif
+endif
+ifdef CONFIG_PKG_SANITIZER_UNDEFINED_BEHAVIOR
+ ifeq ($(strip $(PKG_SANITIZER_UNDEFINED_BEHAVIOR)),1)
+ TARGET_CFLAGS += -fsanitize=undefined
+ TARGET_LDFLAGS += -fsanitize=undefined
+ endif
+endif
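Review bot: The ASan block adds only `-fsanitize=address`, so reports from optimized builds can carry truncated stack traces; `TARGET_CFLAGS += -fsanitize=address -fno-omit-frame-pointer` would make them more usable. `PKG_FORTIFY_SOURCE` also defaults to 1 in this file, and fortified libc wrappers are known to reduce what ASan's interceptors see. The code that applies the fortify define is outside this hunk, so it is worth checking whether it should be skipped when the sanitizer is on. For the UBSan block, consider documenting that `-fsanitize=undefined` only prints a diagnostic and continues by default, for example with a comment `# UBSan reports are non-fatal unless -fno-sanitize-recover is added`.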
@@ -5,7 +5,7 @@
# See /LICENSE for more information.
#
-PKG_DEFAULT_DEPENDS = +libc +USE_GLIBC:librt +USE_GLIBC:libpthread
+PKG_DEFAULT_DEPENDS = +libc +USE_GLIBC:librt +USE_GLIBC:libpthread +USE_SANITIZER_ADDRESS:libasan +USE_SANITIZER_UNDEFINED_BEHAVIOR:libubsan
ifneq ($(PKG_NAME),toolchain)
PKG_FIXUP_DEPENDS = $(if $(filter kmod-%,$(1)),$(2),$(PKG_DEFAULT_DEPENDS) $(filter-out $(PKG_DEFAULT_DEPENDS),$(2)))
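Review bot: The two added dependencies key on the global `USE_SANITIZER_*` symbols, so packages that set `PKG_SANITIZER_ADDRESS:=0` (dropbear and busybox in this same commit) still get `libasan`/`libubsan` as default dependencies even though their binaries are not instrumented. That looks harmless but pulls in the runtimes where nothing links against them. If it is intended, a comment above the assignment would make that explicit: `# sanitizer runtimes are added for every package, including those that opt out via PKG_SANITIZER_*:=0`. The `ifneq` block that consumes this variable continues outside the hunk.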
@@ -10,6 +10,8 @@ override CONFIG_AUTOREMOVE=
HOST_BUILD_PREFIX:=$(TOOLCHAIN_DIR)
BUILD_DIR_HOST:=$(BUILD_DIR_TOOLCHAIN)
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
include $(INCLUDE_DIR)/host-build.mk
include $(INCLUDE_DIR)/hardening.mk
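Review bot: The opt-out lines `PKG_SANITIZER_ADDRESS:=0` and `PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0` are added here without a comment giving the reason. The same applies to the grub2, toolchain package, dropbear and busybox hunks. For the host toolchain and the bootloader the reason can be guessed, but dropbear and busybox are exactly the network-facing and widely used code where sanitizer coverage is most valuable, so the exclusion should be justified. The busybox Makefile already explains its PIE opt-out in a comment, and the same convention would fit here: `# ASan/UBSan disabled: <reason, e.g. build or runtime failure observed>`.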
@@ -22,6 +22,8 @@ PKG_BUILD_DEPENDS:=grub2/host
PKG_ASLR_PIE:=0
PKG_SSP:=0
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
PKG_FLAGS:=nonshared
@@ -13,6 +13,8 @@ PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
PKG_LICENSE:=GPL-3.0-with-GCC-exception
PKG_FLAGS:=hold essential nonshared
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
include $(INCLUDE_DIR)/package.mk
@@ -23,6 +23,8 @@ PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server
PKG_BUILD_PARALLEL:=1
PKG_ASLR_PIE_REGULAR:=1
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
PKG_USE_MIPS16:=0
PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared
@@ -20,6 +20,8 @@ PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998
PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam
PKG_BUILD_PARALLEL:=1
PKG_CHECK_FORMAT_SECURITY:=0
+PKG_SANITIZER_ADDRESS:=0
+PKG_SANITIZER_UNDEFINED_BEHAVIOR:=0
#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
PKG_ASLR_PIE:=0
This allows building all user space with Address sanitizer and undefined behavior sanitizer. It will automatically add this to the TARGET_CFLAGS and TARGET_LDFLAGS of every user space component. This is only working with gcc 10.X, because the system init process will mount /proc after it was started and ASAN needs it already earlier and fails in the versions provided by older compilers. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> --- config/Config-build.in | 22 ++++++++++++++++++++++ include/hardening.mk | 14 ++++++++++++++ include/package-defaults.mk | 2 +- include/toolchain-build.mk | 2 ++ package/boot/grub2/Makefile | 2 ++ package/libs/toolchain/Makefile | 2 ++ package/network/services/dropbear/Makefile | 2 ++ package/utils/busybox/Makefile | 2 ++ 8 files changed, 47 insertions(+), 1 deletion(-)