Commit graph

110 commits

Author SHA1 Message Date
Ivan Lozano
55220942ed Don't enable CFI diagnostics in include paths.
Don't enable CFI diagnostics by default when applying it in include
paths. Part of a broader effort to remove diagnostics mode from CFI
across the board.

This should reduce performance overhead and also allows the minimal
runtime to work when other ubsan sanitizers are enabled. CFI stack
dumps should include a CFI related function, so it should be apparent
when a crash is CFI-related.

Bug: 117417735
Test: make -j
Change-Id: I3d6326e06d7aa7d9c00382f336301ecb822ae7ec
2019-02-06 11:09:05 -08:00
Kostya Kortchinsky
027324099f Add option to disable Scudo globally [Make]
This adds an option to turn off Scudo globally, and use it for Go.

Bug: 123228023
Test: verify that Scudo is disabled for a Go build, eg:
lunch marlin_svelte-eng && m -j, check that Scudo is not linked in
out/target/product/marlin/system/bin/mediaextractor
Test: verify that Scudo is enabled otherwise, eg:
lunch marlin-eng && m -j, check that Scudo is linked in
out/target/product/marlin/system/bin/mediaextractor

Change-Id: Idc82d581fade544a474e6f2ff0b54dd191ba0818
Merged-In: Idc82d581fade544a474e6f2ff0b54dd191ba0818
2019-02-04 12:35:04 -08:00
Logan Chien
c6d2cf86d1 Fix linker_asan[64] apex bootstrap build error
This commit fixes `linker_asan[64]` apex bootstrap build errors.
Without this change, `make -j SANITIZE_TARGET=address` results in:

  FAILED: ninja: 'out/target/product/walleye/system/bin/linker_asan64',
  needed by 'out/target/product/walleye/system/bin/app_process64',
  missing and no known rule to make it

Test: lunch aosp_walleye-userdebug && make SANITIZE_TARGET=address
Change-Id: I980a36499cd327db307321fc8e4548925e7d56bf
2019-01-31 17:07:50 +08:00
Mikhail Naganov
aa73cefbc4 Use ASAN linker for native tests
Native tests (BUILD_NATIVE_TEST) use their own MODULE_CLASS.
Check for it when selecting the linker for ASAN.

Test: build a native test, readelf -l <test> | grep linker
Change-Id: I34ca8c443c792bdf8b4b1fa812806c56f13a72d0
2018-12-20 16:15:54 -08:00
Ivan Lozano
5fb2de7086 Add make var to avoid recovering with diagnostics.
Add a LOCAL_SANITIZE_NO_RECOVER variable that allows specifying which
sanitizers running in diagnostics mode shouldn't recover. This can help
debugging as we test enabling sanitizers in new libraries since it'll
cause tombstones to be generated along with the diagnostics information.

Bug: 80195448
Bug: 110791537
Test: Compiled test module with this flag, checked compiler command.
Test: Test module crashed, tombstone contained diagnostics information.
Change-Id: I441b9c873e54bf6404325f4d0ac59835350c2889
2018-12-12 10:22:30 -08:00
Treehugger Robot
696dd3bd93 Merge "[make] Disable CFI when building with HWASan." 2018-12-05 22:00:21 +00:00
Evgenii Stepanov
88a95a35fa [make] Disable CFI when building with HWASan.
Same as soong. This needs do match, otherwise, for example, CFI may be
disable in a static library in soong, and left enabled in a shared
library in make; that would not work as CFI only supports DSO granularity.

Bug: 120508119, 112709969
Change-Id: I00d6b1c9c373bcb6804c135407c6eeae88b375b6
Test: hwasan build of master branch boots
2018-12-05 01:15:01 +00:00
Chih-Hung Hsieh
1871062b28 Disable implicit-integer-sign-change by default.
* New clang compiler makes some integer santizers enabling
  implicit-integer-sign-change, but Android code does not
  boot with this new sanitizer yet.

Bug: 119329758
Test: build and boot with new clang compiler
Change-Id: Ic80cde49d3ef51277fbe2a0aa8c1b8f2f8bfd80c
2018-12-04 19:52:14 +00:00
Evgenii Stepanov
ed90746cbd Link hwasan static library to native tests.
They are executables, but they are not EXECUTABLES.

Bug: 112438058
Test: make SANITIZE_TARGET=hwaddress tests
Change-Id: I0f5d8d6259d7df4196bde50ec553b73099f2c8ac
2018-11-01 15:43:14 -07:00
Kostya Kortchinsky
47c10eb2fc Scudo minimal runtime support for make
Scudo is now compatible with the -fsanitize-minimal-runtime, and offers a new
dynamic library that doesn't bundle UBSan.

This patch adds support for this new library in make, preferring it over the
full one, unless a diagnostic dependency is found.

Test: aosp compiled with m -j
Test: local test enabling Scudo for mediaextractor
Change-Id: I99ac0d410b1619de09783f5009476c1ea2995f98
2018-10-11 15:06:11 -07:00
Treehugger Robot
9dcc1d04fb Merge "(make) Add -fsanitize= argument to assembly flags." 2018-09-07 17:23:41 +00:00
Dan Willemsen
f063839de9 Remove GCC support from Make
Test: out/build-aosp_arm64.ninja is the same before/after
Test: build_test on downstream branches
Change-Id: If7f8c12f2f288b1e589689361f9457acae634882
2018-09-06 15:40:00 -07:00
Evgenii Stepanov
9b82b3fa34 (make) Add -fsanitize= argument to assembly flags.
It allows use of sanitizer preprocessor macros (like __has_feature())
in assembly files.

Bug: 112438058
Test: SANITIZE_TARGET=hwaddress
Change-Id: If9da7493d69fa2e03649754c38117e36eb8d222c
2018-09-04 14:38:38 -07:00
Evgenii Stepanov
aec1ffc09b Add extra cflags to hwasan targets.
Bug: 112438058
Test: SANITIZE_TARGET=hwaddress
Change-Id: I572cb20369b2e98ab5153f665af60366cb7f7657
2018-08-28 13:52:08 -07:00
Evgenii Stepanov
8841a7f681 Add "hwaddress" sanitizer.
Build/make support for "hwaddress".

* HWASan supports static binaries, unlike ASan.
* It will be used to build libc. Since static libraries get a .hwasan
  suffix in soong, the logic that moves libc-and-friends to the end
  of the link command line has to be updated.

Bug: 112438058
Test: manual, part of a bigger patch set

Change-Id: I3b52336841012622771a88ba161916bc33071dfe
2018-08-20 14:59:36 -07:00
Pirama Arumuga Nainar
71b8769e5c Merge "Use $(my_prefix)OS instead of HOST_CROSS_OS"
am: 1caedd6bdc

Change-Id: Ic7d6fc7d44167e22c196de8275dc27c88e2f714a
2018-06-27 11:41:12 -07:00
Pirama Arumuga Nainar
407b6aca28 Use $(my_prefix)OS instead of HOST_CROSS_OS
The latter is not module-specific and prevents santizer configuration
for all host modules.

Test: mma HOST_SANITIZE=address hardware/google/apf
Change-Id: I62a448973c1d6526e4b475f3288996e44c88fbc9
2018-06-27 09:42:33 -07:00
Pirama Arumuga Nainar
a743e206ef Merge "Do not enable sanitizers on Windows"
am: 0d53f4b12b

Change-Id: I96fde141a4d27c231947f65f3917da30a311b420
2018-06-26 17:05:24 -07:00
Pirama Arumuga Nainar
c6a3ddf834 Do not enable sanitizers on Windows
Bug: http://b/69933068

Test: m native-host-cross SANITIZE_HOST=address
Change-Id: I0b99797d218dc34d302906d704d991e59698c351
2018-06-26 14:18:14 -07:00
Vishwath Mohan
969a880b2f Merge "Add Scudo support for Make"
am: ab0c76c869

Change-Id: I722875707223675672a59c644f330cb94f2f6576
2018-06-19 13:12:40 -07:00
Kostya Kortchinsky
2cfa99722b Add Scudo support for Make
Scudo is a hardened usermode allocator that is part of LLVM's compiler-rt
project (home of the Sanitizers). clang allows for -fsanitize=scudo as a
possible command line option to link the shared Scudo library to a binary.

This patch add Scudo as a potential sanitize option. Scudo is not compatible
with ASan and TSan and will be disabled if either is enabled.

Test: aosp compiled with m -j
Test: local experiment with LOCAL_SANITIZE := scudo to ensure that a test
target (mediaserver) could be linked with scudo.

Change-Id: I462843b9d5512fba2c4a3ac1a0c356ca90bce4e5
2018-06-19 09:46:35 -07:00
Vishwath Mohan
088506c303 Merge "Enable CFI by default but restrict CFI_INCLUDE_PATHS" into pi-dev
am: d002e49501

Change-Id: I32d21f2dbbbaf4bb7f8a6be033d036ab626cba10
2018-05-25 00:24:49 -07:00
Vishwath Mohan
6106a4ead5 Enable CFI by default but restrict CFI_INCLUDE_PATHS
This CL enables CFI on security sensitive components for product
configs that inherit core_64_bit.mk (and core_64_bit_only.mk). Note
that this only requests the build system to do so. Internal build
logic will dictate if this is actually enabled on the build or
not (CFI is currently disabled for ARM32 and MIPS for example).

In addition, this also restricts CFI_INCLUDE_PATHS and
PRODUCT_CFI_INCLUDE_PATHS to Arm64 architectures only. This helps
narrow which targets enable CFI out of the box.

Bug: 66301104
Test: CFI is enabled on aosp_* targets
Change-Id: I52af499dc34cd4b42fbfb1175f6a37aaf17b65dd
2018-05-24 22:14:03 -07:00
Ivan Lozano
9588875e80 Don't export UBSan minimal runtime symbols.
When linking in the UBSan minimal runtime, don't export the symbols.
This was resulting in an edge case where symbols were sometimes
undefined at runtime on address sanitized builds if static library
dependencies were integer overflow sanitized.

Bug: 78766744
Test: readelf on libraries show either inclusion of the shared library
or no undefined symbols related to the minimal runtime.
Change-Id: I4382cc72baefd7fa96cd83e8349e82f7b083f5aa
Merged-In: I4382cc72baefd7fa96cd83e8349e82f7b083f5aa
(cherry picked from commit e508169caf)
2018-05-16 10:41:48 -07:00
Ivan Lozano
e508169caf Don't export UBSan minimal runtime symbols.
When linking in the UBSan minimal runtime, don't export the symbols.
This was resulting in an edge case where symbols were sometimes
undefined at runtime on address sanitized builds if static library
dependencies were integer overflow sanitized.

Bug: 78766744
Test: readelf on libraries show either inclusion of the shared library
or no undefined symbols related to the minimal runtime.
Change-Id: I4382cc72baefd7fa96cd83e8349e82f7b083f5aa
2018-05-11 15:31:25 -07:00
Treehugger Robot
a61f0042d1 Merge "Enable integer_overflow flag for static targets." 2018-04-02 22:36:42 +00:00
Vishwath Mohan
21204e4921 Revert "Change PRODUCT_CFI_INCLUDE_PATHS to opt-out (Make)"
This reverts commit f03a265786.

Change-Id: I3ca0e2f9e3938b49919a8530b393ba3dba4f118c
2018-03-30 02:55:05 +00:00
Vishwath Mohan
f03a265786 Change PRODUCT_CFI_INCLUDE_PATHS to opt-out (Make)
This CL changes PRODUCT_CFI_INCLUDE_PATHS to be included in all
product configs by default. To maintain the status quo, the sanitizer
logic has been modified to only respect this product config for Arm64
devices (where this was previously enabled).

Bug: 63926619
Test: m -j60 # the device still has CFI enabled thanks to the default
opt-in

Change-Id: I22788d92be881d3290568488f5458c85e02ee8c7
2018-03-29 13:07:10 -07:00
Alexey Polyudov
ac1109733d Do not use UBSAN library on HOST or AUX targets
AUX modules are not necessarily using the same toolchain
as the TARGET modules. they don't have to depend on
this library.

Bug: 77221668
Change-Id: Ib50cf0eb26c257ae3eb69a43aa1a12c41d5d39b0
Merged-In: Ib50cf0eb26c257ae3eb69a43aa1a12c41d5d39b0
Signed-off-by: Alexey Polyudov <apolyudov@google.com>
(cherry picked from commit e98e5625ad)
2018-03-28 18:38:16 +00:00
Alexey Polyudov
e98e5625ad Do not use UBSAN library on HOST or AUX targets
AUX modules are not necessarily using the same toolchain
as the TARGET modules. they don't have to depend on
this library.

Change-Id: Ib50cf0eb26c257ae3eb69a43aa1a12c41d5d39b0
Signed-off-by: Alexey Polyudov <apolyudov@google.com>
2018-03-27 17:21:23 -07:00
Ivan Lozano
702e8bdaba Enable integer_overflow flag for static targets.
This allows the integer_overflow LOCAL_SANITIZE setting to be used with
static targets, to mirror Soong.

Bug: 73283972
Test: make SANITIZE_TARGET{,_DIAG}=integer_overflow
Test: Enabled sanitizer in a static target and tested for SIGABRT.
Change-Id: I0103dc3485b63b86a3dd36a7277b5001813b37fd
2018-03-22 14:36:27 -07:00
Ivan Lozano
410e1f8389 Add minimal-runtime support for integer overflows.
Adds Make support for -fsanitze-minimal-runtime when using
the integer overflow sanitizers. This makes the crashes due to these
sanitizers less mysterious. This also cleans up the handling of the
integer_overflow flag.

Bug: 64091660
Test: Compiled and checked the generated compiler commands
Test: Checked program that overflows for the abort reason
Test: Checked integer_overflow flag still emits overflow checks

Change-Id: I11012ed0cbbf51935f549a08bd17109b5ce6f330
Merged-In: I11012ed0cbbf51935f549a08bd17109b5ce6f330
(cherry picked from commit 911cb99bc1)
2018-03-21 10:05:34 -07:00
Ivan Lozano
911cb99bc1 Add minimal-runtime support for integer overflows.
Adds Make support for -fsanitze-minimal-runtime when using
the integer overflow sanitizers. This makes the crashes due to these
sanitizers less mysterious. This also cleans up the handling of the
integer_overflow flag.

Bug: 64091660
Test: Compiled and checked the generated compiler commands
Test: Checked program that overflows for the abort reason
Test: Checked integer_overflow flag still emits overflow checks

Change-Id: I11012ed0cbbf51935f549a08bd17109b5ce6f330
2018-03-06 09:20:21 -08:00
Ivan Lozano
c5ef21febf Revert "Overflow sanitization in frameworks/ and system/."
This reverts commit c2d7db1c7d.

Change-Id: I3bab6a359bcec605a8120bf106bf121090eb63fe
2018-01-20 01:44:11 +00:00
Ivan Lozano
c2d7db1c7d Overflow sanitization in frameworks/ and system/.
Enables signed and unsigned integer overflow sanitization on-by-default
for modules in frameworks/ and system/ by using the integer_overflow
sanitization setting. This applies sanitization to dynamically linked
binaries and shared libraries, and comes with a default set of regex for
functions to exclude from sanitization.
(see build/soong/cc/config/integer_overflow_blacklist.txt)

Prepare to enable minimal runtime diagnostics for integer overflow
sanitization on userdebug and eng builds.

Adds an additional Make and product variable pair to apply integer
overflow sanitization by default to additional code paths.

Bug: 30969751
Bug: 63927620

Test: Included paths are being sanitized.

Test: CTS test suite run on Pixel, runtime errors resolved.
Test: Performance impact in benchmarks acceptable.
Test: Boot-up successful on current Google devices.
Test: Teamfooded in diagnostics mode on Pixel for a month.

Test: Phone calls, camera photos + videos, bluetooth pairing.
Test: Wifi, work profiles, streaming videos, app installation.
Test: Split-screen, airplane mode, battery saver.
Test: Toggling accessibility settings.

Change-Id: Icc7a558c86f8655267afb4ca01b316773325c91a
2018-01-16 10:17:02 -08:00
Vishwath Mohan
96a130bdaf Use the .cfi variant of a static library where needed.
This CL repoints static dependencies to their .cfi variants for CFI
enabled targets. It also disables CFI for host targets because the
version of ar intended for hosts does not have plugin support (which
CFI requires).

Bug: 67507323
Test: m -j40
Change-Id: Id11afd0c8765469858f406aace2a192afff6d042
2017-11-21 14:08:20 -08:00
Vishwath Mohan
23b2d2e531 CFI include/exclude path support (Make)
This CL adds the ability to centrally enable or disable CFI for
components using either an environment or product config
variable. This is a better, nore manageable option that enabling CFI
across each component individually.

Bug: 67507323
Test: CFI_INCLUDE_PATHS= system/nfc m -j40
Test: CFI_EXCLUDE_PATHS = frameworks/av m -j40

Change-Id: I02fe1960a822c124fd101ab5419aa81e2dd51adf
2017-11-08 03:46:31 -08:00
Pirama Arumuga Nainar
a8f75983a4 Remove CFI-related WAR that is no longer necessary
Bug: http://b/33678192

Clang has been updated past the revision mentioned in the work around.
So this is no longer necessary.

Test: Build
Change-Id: I08f8e75936bbc3527abc86ba4ce0f2c10382d332
2017-11-04 16:18:29 -07:00
Vishwath Mohan
85f72449ae Revert "Revert "CFI compatibility with static executables and nested archives""
This reverts commit 8350c4c540.

Reverting the revert so a proper fix can be applied.

Change-Id: I69f106dfd294198e03a62bcd88c8f18033410141
2017-11-01 09:21:20 +00:00
Orion Hodson
8350c4c540 Revert "CFI compatibility with static executables and nested archives"
This reverts commit 3d3e1cf260.

Rationale: part of a group of commits that left aosp_x86_64 not
building. (See https://android-build.googleplex.com/builds/
submitted/4426589/aosp_x86_64-eng/latest/logs/build_error.log)

Bug: 30227045
Test: builds
Change-Id: Ie22590abe3d1cdccb8d141baf6480d49dedf8789
2017-10-31 17:41:16 +00:00
Vishwath Mohan
3d3e1cf260 CFI compatibility with static executables and nested archives
This CL makes the following changes:
(a) It disables diagnostics for CFI which requires the runtime ubsan
library (which isn't included in static executables).

(b) It applies the ar flags for CFI correctly for nested .a
archives.

(c) Applies the version script to export CFI shadow for non-static
binaries

(d) Doesn't apply cross-dso CFI for static executables

Bug: 30227045
Test: Static executables build correctly and do not complain about
missing symbols from the ubsan runtime library.
Test: Nested .a files correctly use the gold plugin.

Change-Id: Id8fe3c13f6b76565aafbf1266e95f50d1447a790
2017-10-27 03:26:27 -07:00
Yabin Cui
e77c32ea97 Link tsan shared library when tsan is used.
Bug: http://b/25392375
Test: build a unit test with tsan.
Change-Id: Ib2d937f2e311f6670cf341a983740f0ca464f166
2017-10-19 14:33:58 -07:00
Dan Willemsen
a3a06feeed Add -lm to the default libs for Linux & Darwin
libm is a default library for device builds, so default it for host
builds as well.

Also removes duplicate additions of -ldl, -lpthread, -lm and -lrt.

Test: m host
Change-Id: I6a07e12053090eb6997b79d4091c28ac9a9022de
2017-09-26 20:26:11 -07:00
Zach Riggle
be0811f46c Enhance coverage options to include those needed by Honggfuzz for coverage-driven fuzzing
Test: make m
Bug: 64903541
Change-Id: Ibb7eb126b6e68c03d0336606ec540a62a8e903d4
2017-08-22 18:01:46 -04:00
Colin Cross
1907b9905e Merge "Enable ubsan check flag in build" 2017-07-25 17:48:06 +00:00
Ivan Lozano
b4749cb0fc Fix exclusion overriding local integer_overflow.
INTEGER_OVERFLOW_EXCLUDE_PATHS should only apply to the global sanitizer
setting, and should not override local module settings. This pulls out
the check so it occurs earlier and does not interfere with local
settings. This makes Make consistent with Soong's behavior as well.

Bug: 30969751
Test: Created a test build file with this explicitly set, excluded the
path, and checked if it was still being sanitized.

Change-Id: I9020d92bae136b6087d37f71d5337acaefe850b4
2017-07-21 10:53:13 -07:00
liuchao
bb2b4bce5b Enable ubsan check flag in build
Ubsan is currently support ARM/ARM64,
so It's OK to enable the build Flag

Test: build test module with flags in Android.mk:
      LOCAL_SANITIZE := undefined
      LOCAL_SANITIZE_DIAG := undefined

BUG:38250996
Change-Id: I6c640bad67353cc736640b2e3c4a0b1812dde3fc
2017-07-21 02:31:09 +00:00
Ivan Lozano
9a82bfdc68 Allow integer_overflow sanitizer path exclusion.
Add support for excluding paths from having integer_overflow applied to
them when using SANITIZE_TARGET=integer_overflow via an
INTEGER_OVERFLOW_EXCLUDE_PATHS make and product variable. This covers
the make side of the change.

Bug: 30969751
Test: Build with SANITIZE_TARGET=integer_overflow
SANITIZE_TARGET_DIAG=integer_overflow
INTEGER_OVERFLOW_EXCLUDE_PATHS=<path> and confirmed this was no
longer being applied to binaries in that path.

Change-Id: I24e328257bc5a7962024c8676a1e23d7d70a8666
2017-07-18 15:14:22 -07:00
Ivan Lozano
05900230fd Merge "Add integer_overflow sanitization build option." 2017-07-07 20:07:20 +00:00
Ivan Lozano
4a363734b3 Add integer_overflow sanitization build option.
Adds the SANITIZE_TARGET=integer_overflow build option to apply signed and
unsigned integer overflow sanitization globally. This implements the
Make side of the build option.

A LOCAL_SANITIZE_BLACKLIST variable is added to allow blacklists to be
defined in make files, mirroring similar functionality provided in Soong.

An additional build option is provided to control whether or not to run
in diagnostics mode, controlled by SANITIZE_TARGET_DIAG. This works the
same way that SANITIZE_TARGET does and currently only supports
'integer_overflow' as an option.

Bug: 30969751
Test: Building with and without the new flags, device boot-up, tested
various permutations of controlling the new flags from build files.

Change-Id: Iacc47e196f21aa1edff5b406bfbc564b5f4e42bd
2017-07-06 18:21:37 -07:00