[openssh-commits] [openssh] 01/01: Add clang sanitizer tests.
git+noreply at mindrot.org
git+noreply at mindrot.org
Sun Jul 3 22:54:07 AEST 2022
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 7394ed80c4de8b228a43c8956cf2fa1b9c6b2622
Author: Darren Tucker <dtucker at dtucker.net>
Date: Sun Jul 3 21:46:44 2022 +1000
Add clang sanitizer tests.
---
.github/configs | 45 ++++++++++++++++++++++++++++++++++++++++++++-
.github/setup_ci.sh | 3 +++
.github/workflows/c-cpp.yml | 5 +++++
openbsd-compat/bsd-misc.c | 12 ++++++++++++
4 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/.github/configs b/.github/configs
index 871a3d41..d0ed7395 100755
--- a/.github/configs
+++ b/.github/configs
@@ -17,6 +17,7 @@ SUDO=sudo # run with sudo by default
TEST_SSH_UNSAFE_PERMISSIONS=1
# Stop on first test failure to minimize logs
TEST_SSH_FAIL_FATAL=yes
+unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
CONFIGFLAGS=""
LIBCRYPTOFLAGS=""
@@ -41,6 +42,48 @@ case "$config" in
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
CONFIGFLAGS="--with-pam --with-Werror"
;;
+ clang-sanitize-*)
+ # - We replace chroot with chdir so that the sanitizer in the preauth
+ # privsep process can read /proc.
+ # - clang does not recognizes explicit_bzero so we use bzero
+ # (see https://github.com/google/sanitizers/issues/1507
+ # - openssl and zlib trip ASAN.
+ # - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
+ case "$config" in
+ clang-sanitize-address)
+ CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
+ LDFLAGS="-fsanitize=address"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DASAN_OPTIONS=\"detect_leaks=0:log_path=/tmp/asan.log\"'
+ CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
+ TEST_TARGET="t-exec"
+ ;;
+ clang-sanitize-memory)
+ CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins"
+ LDFLAGS="-fsanitize=memory"
+ CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path=/tmp/msan.log\"'
+ CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
+ TEST_TARGET="t-exec"
+ ;;
+ clang-sanitize-undefined)
+ CFLAGS="-fsanitize=undefined"
+ LDFLAGS="-fsanitize=undefined"
+ ;;
+ *)
+ echo unknown sanitize option;
+ exit 1;;
+ esac
+ # Find the newest available version of clang
+ for i in `seq 10 99`; do
+ clang=$(which clang-$i 2>/dev/null)
+ [ -x "$clang" ] && CC="$clang"
+ done
+ features="--disable-security-key --disable-pkcs11"
+ hardening="--without-sandbox --without-hardening --without-stackprotect"
+ privsep="--with-privsep-user=root"
+ CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
+ # Because we hobble chroot we can't test it.
+ SKIP_LTESTS=sftp-chroot
+ ;;
gcc-11-Werror)
CC="gcc"
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
@@ -227,5 +270,5 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
export REGRESS_INTEROP_PUTTY
fi
-export CC CFLAGS LTESTS SUDO
+export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh
index a3bb8587..cd8b72d2 100755
--- a/.github/setup_ci.sh
+++ b/.github/setup_ci.sh
@@ -37,6 +37,9 @@ for TARGET in $TARGETS; do
default|without-openssl|without-zlib|c89|libedit|*pam)
# nothing to do
;;
+ clang-sanitize*)
+ PACKAGES="$PACKAGES clang-12"
+ ;;
clang-*|gcc-*)
compiler=$(echo $TARGET | sed 's/-Werror//')
PACKAGES="$PACKAGES $compiler"
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index 91698fe1..c8b8dbcd 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -32,6 +32,9 @@ jobs:
- { os: ubuntu-20.04, configs: clang-10 }
- { os: ubuntu-20.04, configs: clang-11 }
- { os: ubuntu-20.04, configs: clang-12-Werror }
+ - { os: ubuntu-20.04, configs: clang-sanitize-address }
+ - { os: ubuntu-20.04, configs: clang-sanitize-memory }
+ - { os: ubuntu-20.04, configs: clang-sanitize-undefined }
- { os: ubuntu-20.04, configs: gcc-7 }
- { os: ubuntu-20.04, configs: gcc-8 }
- { os: ubuntu-20.04, configs: gcc-10 }
@@ -106,3 +109,5 @@ jobs:
config.log
regress/*.log
regress/valgrind-out/
+ /tmp/asan.log.*
+ /tnp/msan.log.*
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 3b00ef6d..226a5915 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -446,3 +446,15 @@ localtime_r(const time_t *timep, struct tm *result)
return result;
}
#endif
+
+#ifdef ASAN_OPTIONS
+const char *__asan_default_options(void) {
+ return ASAN_OPTIONS;
+}
+#endif
+
+#ifdef MSAN_OPTIONS
+const char *__msan_default_options(void) {
+ return MSAN_OPTIONS;
+}
+#endif
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list