Commit Graph

77 Commits

Author SHA1 Message Date
Ivan Lozano c5ef21febf Revert "Overflow sanitization in frameworks/ and system/."
This reverts commit c2d7db1c7d.

Change-Id: I3bab6a359bcec605a8120bf106bf121090eb63fe
2018-01-20 01:44:11 +00:00
Ivan Lozano c2d7db1c7d Overflow sanitization in frameworks/ and system/.
Enables signed and unsigned integer overflow sanitization on-by-default
for modules in frameworks/ and system/ by using the integer_overflow
sanitization setting. This applies sanitization to dynamically linked
binaries and shared libraries, and comes with a default set of regex for
functions to exclude from sanitization.
(see build/soong/cc/config/integer_overflow_blacklist.txt)

Prepare to enable minimal runtime diagnostics for integer overflow
sanitization on userdebug and eng builds.

Adds an additional Make and product variable pair to apply integer
overflow sanitization by default to additional code paths.

Bug: 30969751
Bug: 63927620

Test: Included paths are being sanitized.

Test: CTS test suite run on Pixel, runtime errors resolved.
Test: Performance impact in benchmarks acceptable.
Test: Boot-up successful on current Google devices.
Test: Teamfooded in diagnostics mode on Pixel for a month.

Test: Phone calls, camera photos + videos, bluetooth pairing.
Test: Wifi, work profiles, streaming videos, app installation.
Test: Split-screen, airplane mode, battery saver.
Test: Toggling accessibility settings.

Change-Id: Icc7a558c86f8655267afb4ca01b316773325c91a
2018-01-16 10:17:02 -08:00
Vishwath Mohan 96a130bdaf Use the .cfi variant of a static library where needed.
This CL repoints static dependencies to their .cfi variants for CFI
enabled targets. It also disables CFI for host targets because the
version of ar intended for hosts does not have plugin support (which
CFI requires).

Bug: 67507323
Test: m -j40
Change-Id: Id11afd0c8765469858f406aace2a192afff6d042
2017-11-21 14:08:20 -08:00
Vishwath Mohan 23b2d2e531 CFI include/exclude path support (Make)
This CL adds the ability to centrally enable or disable CFI for
components using either an environment or product config
variable. This is a better, more manageable option than enabling CFI
across each component individually.

Bug: 67507323
Test: CFI_INCLUDE_PATHS= system/nfc m -j40
Test: CFI_EXCLUDE_PATHS = frameworks/av m -j40

Change-Id: I02fe1960a822c124fd101ab5419aa81e2dd51adf
2017-11-08 03:46:31 -08:00
Pirama Arumuga Nainar a8f75983a4 Remove CFI-related WAR that is no longer necessary
Bug: http://b/33678192

Clang has been updated past the revision mentioned in the workaround.
So this is no longer necessary.

Test: Build
Change-Id: I08f8e75936bbc3527abc86ba4ce0f2c10382d332
2017-11-04 16:18:29 -07:00
Vishwath Mohan 85f72449ae Revert "Revert "CFI compatibility with static executables and nested archives""
This reverts commit 8350c4c540.

Reverting the revert so a proper fix can be applied.

Change-Id: I69f106dfd294198e03a62bcd88c8f18033410141
2017-11-01 09:21:20 +00:00
Orion Hodson 8350c4c540 Revert "CFI compatibility with static executables and nested archives"
This reverts commit 3d3e1cf260.

Rationale: part of a group of commits that left aosp_x86_64 not
building. (See https://android-build.googleplex.com/builds/submitted/4426589/aosp_x86_64-eng/latest/logs/build_error.log)

Bug: 30227045
Test: builds
Change-Id: Ie22590abe3d1cdccb8d141baf6480d49dedf8789
2017-10-31 17:41:16 +00:00
Vishwath Mohan 3d3e1cf260 CFI compatibility with static executables and nested archives
This CL makes the following changes:
(a) It disables diagnostics for CFI which requires the runtime ubsan
library (which isn't included in static executables).

(b) It applies the ar flags for CFI correctly for nested .a
archives.

(c) Applies the version script to export CFI shadow for non-static
binaries

(d) Doesn't apply cross-dso CFI for static executables

Bug: 30227045
Test: Static executables build correctly and do not complain about
missing symbols from the ubsan runtime library.
Test: Nested .a files correctly use the gold plugin.

Change-Id: Id8fe3c13f6b76565aafbf1266e95f50d1447a790
2017-10-27 03:26:27 -07:00
Yabin Cui e77c32ea97 Link tsan shared library when tsan is used.
Bug: http://b/25392375
Test: build a unit test with tsan.
Change-Id: Ib2d937f2e311f6670cf341a983740f0ca464f166
2017-10-19 14:33:58 -07:00
Dan Willemsen a3a06feeed Add -lm to the default libs for Linux & Darwin
libm is a default library for device builds, so default it for host
builds as well.

Also removes duplicate additions of -ldl, -lpthread, -lm and -lrt.

Test: m host
Change-Id: I6a07e12053090eb6997b79d4091c28ac9a9022de
2017-09-26 20:26:11 -07:00
Zach Riggle be0811f46c Enhance coverage options to include those needed by Honggfuzz for coverage-driven fuzzing
Test: make m
Bug: 64903541
Change-Id: Ibb7eb126b6e68c03d0336606ec540a62a8e903d4
2017-08-22 18:01:46 -04:00
Colin Cross 1907b9905e Merge "Enable ubsan check flag in build" 2017-07-25 17:48:06 +00:00
Ivan Lozano b4749cb0fc Fix exclusion overriding local integer_overflow.
INTEGER_OVERFLOW_EXCLUDE_PATHS should only apply to the global sanitizer
setting, and should not override local module settings. This pulls out
the check so it occurs earlier and does not interfere with local
settings. This makes Make consistent with Soong's behavior as well.

Bug: 30969751
Test: Created a test build file with this explicitly set, excluded the
path, and checked if it was still being sanitized.

Change-Id: I9020d92bae136b6087d37f71d5337acaefe850b4
2017-07-21 10:53:13 -07:00
liuchao bb2b4bce5b Enable ubsan check flag in build
Ubsan currently supports ARM/ARM64,
so it's OK to enable the build flag.

Test: build test module with flags in Android.mk:
      LOCAL_SANITIZE := undefined
      LOCAL_SANITIZE_DIAG := undefined

Bug: 38250996
Change-Id: I6c640bad67353cc736640b2e3c4a0b1812dde3fc
2017-07-21 02:31:09 +00:00
Ivan Lozano 9a82bfdc68 Allow integer_overflow sanitizer path exclusion.
Add support for excluding paths from having integer_overflow applied to
them when using SANITIZE_TARGET=integer_overflow via an
INTEGER_OVERFLOW_EXCLUDE_PATHS make and product variable. This covers
the make side of the change.

Bug: 30969751
Test: Build with SANITIZE_TARGET=integer_overflow
SANITIZE_TARGET_DIAG=integer_overflow
INTEGER_OVERFLOW_EXCLUDE_PATHS=<path> and confirmed this was no
longer being applied to binaries in that path.

Change-Id: I24e328257bc5a7962024c8676a1e23d7d70a8666
2017-07-18 15:14:22 -07:00
Ivan Lozano 05900230fd Merge "Add integer_overflow sanitization build option." 2017-07-07 20:07:20 +00:00
Ivan Lozano 4a363734b3 Add integer_overflow sanitization build option.
Adds the SANITIZE_TARGET=integer_overflow build option to apply signed and
unsigned integer overflow sanitization globally. This implements the
Make side of the build option.

A LOCAL_SANITIZE_BLACKLIST variable is added to allow blacklists to be
defined in make files, mirroring similar functionality provided in Soong.

An additional build option is provided to control whether or not to run
in diagnostics mode, controlled by SANITIZE_TARGET_DIAG. This works the
same way that SANITIZE_TARGET does and currently only supports
'integer_overflow' as an option.

Bug: 30969751
Test: Building with and without the new flags, device boot-up, tested
various permutations of controlling the new flags from build files.

Change-Id: Iacc47e196f21aa1edff5b406bfbc564b5f4e42bd
2017-07-06 18:21:37 -07:00
Dan Austin 9978b5274c Update coverage sanitizer flags in make
Update the coverage sanitizer flags in make to use the new
flavor of coverage sanitization.

Bug: 63108942

Test: Test fuzzer runs with coverage guards.

Change-Id: I12bda1767b69d0d89557e5f8a91da50b0f137ff3
2017-06-29 08:53:02 -07:00
Vishwath Mohan c026f6d0ed Disable CFI for ASAN targets. (Make)
This CL disables CFI if both CFI and ASAN flags are enabled. This
allows ASAN to take precedence where needed, preventing build errors
that would otherwise arise.

Bug: 30227045
Test: SANITIZE_TARGET="address" m -j40
Change-Id: I9073ace0a10eb554d14e418a9b23cc8a8277607d
2017-04-20 08:03:44 -07:00
Vishwath Mohan eddf74cadb Merge "Change the global CFI flag to default to enabled." 2017-04-20 01:39:56 +00:00
Vishwath Mohan 5b69c06f1f Blacklist code for CFI.
Adds the -fsanitize-blacklist option for CFI, using the built in
blacklist at external/compiler-rt/lib/cfi/cfi_blacklist.txt.

Also refactors the CFI cflags and ldflags into ../soong/cc/makevars.go
to ensure they're consistent across Soong and make projects.

Bug: 30227045
Test: ENABLE_CFI=true m -j40 builds and boots.
Test: The blacklist prevents runtime errors that otherwise occur.
Change-Id: I0c2801ed459a3b9adeb37daff3ca212564801259
2017-02-15 12:48:05 -08:00
Vishwath Mohan a2046062fb Disable CFI for ARM32 processes.
This CL disables CFI for 32-bit ARM processes, which is broken due to
a compiler error in the most recent version of clang.

Bug: 35157333
Test: ENABLE_CFI=true m -j40 does not enable CFI for 32-bit processes
Change-Id: I6a6e1d14c8365da1056b4cbccad11ef2f15c70b2
2017-02-08 19:38:20 -08:00
Evgenii Stepanov 8c50e3c4a8 Disable CFI on Mips and add -march to linkflags on ARM.
Mips toolchain does not have ld.gold.
ARM change is a workaround for LLVM r290384.

Bug: 33678192
Test: make ENABLE_CFI=1
Change-Id: I77a127e0b472d5da10bf45a2983527a714339cb8
2017-02-01 12:13:06 -08:00
Vishwath Mohan 45665b40e8 Change the global CFI flag to default to enabled.
This CL changes the ENABLE_CFI flag to default to enabled. Setting it
to false will override local settings to enable CFI.

Bug: 30227045
Bug: 22033465
Test: m -j40 works and device boots
Test: cfi is honored unless the global flag is set.
Change-Id: I16ea3ecb704d4ce70bd91be8a4e5ae6e4f63ea0f
2017-01-24 14:45:40 -08:00
Evgenii Stepanov 34eb9f7f60 Merge "Force Thumb for CFI targets." 2017-01-24 20:52:26 +00:00
Evgenii Stepanov e1b96f3ae5 Run $(AR) with LLVMgold.so plugin for CFI targets.
Bug: 34623182
Test: add LOCAL_SANITIZE:=cfi to some static libraries under libstagefright
Change-Id: I4f0d8cbd794e0ce4737c59a4617e93c7a5defec1
2017-01-23 17:02:22 -08:00
Evgenii Stepanov 81bea1bd40 Force Thumb for CFI targets.
Bug: 22033465
Test: bionic device tests
Change-Id: I66eb83bc7153cc34dde4fa1abfa861182a10f1fa
2017-01-20 14:13:25 -08:00
Vishwath Mohan 8dcfdcebe9 Hide CFI behind a global flag.
This CL ensures that LOCAL_SANITIZE=cfi is not honored unless it
is enabled globally using ENABLE_CFI='true' first. This allows CFI to
be hidden behind a flag.

Bug: 30227045
Bug: 22033465
Test: m -j40 works and device boots
Test: cfi is correctly honored only when the global flag is set.
Change-Id: If4508ba448bd4260020483f9c11ee849bb419713
2017-01-18 18:04:00 -08:00
Colin Cross 2361842291 Export variable for device sanitize arch to Soong
Also renames the variable from SANITIZE_ARCH to SANITIZE_TARGET_ARCH,
and makes it only apply to the device.

Bug: 29498013
Test: No change to build.ninja files with m -j SANITIZE_TARGET=address
Change-Id: Ib5f6ab448f5d96d2426c983308136670f9a55b7b
2016-11-02 15:20:25 -07:00
Evgenii Stepanov 202c7a786c Enable LOCAL_SANITIZE:=cfi and add LOCAL_SANITIZE_DIAG.
Bug: 22033465

Change-Id: Ie011f888f55a2cfb5c943070a3844cb541812afe
2016-08-29 15:06:57 -07:00
Colin Cross d08699e464 Only add linker_asan as dependency to shared executables
linker_asan is only needed by shared executables, so prevent adding it as a
dependency of anything else. Avoids a dependency loop from
linker_asan -> linker -> linker_asan.

Change-Id: Id7744ad8a5901468518fac80741c75e764adb559
2016-07-17 15:30:46 -07:00
Dan Willemsen 59a405c831 Merge "Never add asan libraries to NDK code" 2016-07-07 17:07:43 +00:00
Evgenii Stepanov 7dcb8b80c5 Apply SANITIZE_TARGET=safe-stack to 64 bit targets only.
Bug: 27729263
Change-Id: I214a9f40b94f6e6716aca05be774f014e62f73e8
2016-07-01 20:07:38 +00:00
Evgenii Stepanov 71faa1990b Apply SANITIZE_TARGET and LOCAL_SANITIZE when both are present.
The idea is that targets with LOCAL_SANITIZE = signed-integer-overflow
and SANITIZE_TARGET=safe-stack should get both sanitizers.
This should work just fine for SANITIZE_TARGET=address, too.

Bug: 27729263
Change-Id: Ifee350da4877008fb061bc7f6c700e7fade405bc
2016-07-01 20:06:34 +00:00
Treehugger Robot 9d73af0934 Merge changes I17a96b97,Ib4412657,I73e6d479
* changes:
  Build: Add module-level product configuration of sanitization
  Build: Add option to restrict sanitization by owner
  Build: Add option to restrict sanitization by architecture
2016-07-01 04:26:26 +00:00
Evgenii Stepanov 912b51f8ab Sanitizer build tweaks.
-Wl,-no-undefined is currently disabled for any SANITIZE_TARGET. Limit that to
the sanitizers with a runtime library (i.e. address, thread).

Re-enable the relocation packer for ASan. This has been fixed upstream a long
time ago.

Bug: 27729263
Change-Id: I566df6104de816223dc1c519d41a87629ce9c47c
2016-07-01 00:41:33 +00:00
Evgenii Stepanov 55f73e6c43 Only add libdl dependency for ASan/TSan on target.
Only sanitizers that intercept stuff need that. For example,
SafeStack does not, and I think UBSan too.

Bug: 27729263
Change-Id: I413cd46cc6c6914a363a3c53da7954beacd8f0d8
2016-06-30 23:49:03 +00:00
Andreas Gampe 6b30d770f0 Build: Add module-level product configuration of sanitization
To allow special sanitizer settings for modules shared between
products, add product-specific module settings.

This was copied from the product-specific dexopt settings.

Bug: 29498013
Change-Id: I17a96b975bb6ac7f4ffb3d5b08e2f00b21bd97a1
(cherry picked from commit bb5454b6db)
2016-06-30 16:21:36 -07:00
Andreas Gampe 3d3b0c950d Build: Add option to restrict sanitization by owner
Add Make variable SANITIZE_NEVER_BY_OWNER to selectively
sanitize modules. By default, both are being sanitized. The
value of the variable is interpreted as a space or colon
separated list of owner names.

This can be used to create builds that lower the sanitization
burden by not sanitizing parts of the platform.

Bug: 29498013
Change-Id: Ib4412657fd38ff28a5c0863eddc2acde63c88ebb
(cherry picked from commit ea38d8e95d)
2016-06-30 16:20:03 -07:00
Andreas Gampe cd25740cba Build: Add option to restrict sanitization by architecture
Add Make variable SANITIZE_ARCH to selectively sanitize binaries.
This uses the "bitness," i.e., 32 or 64, to potentially filter
the sanitization. By default, both are being sanitized.

This can be used to create builds that lower the sanitization
burden by not sanitizing "half" of the platform.

Bug: 29498013
Change-Id: I73e6d479f08a970ba912f4f63967d32f3487125f
(cherry picked from commit 0290a416c8)
2016-06-30 16:19:53 -07:00
Evgenii Stepanov 428236614a Add LOCAL_NOSANITIZE.
This can be used to selectively disable individual sanitizers on a
target. For example, some parts of libc should be built with
SafeStack (when requested with SANITIZE_TARGET), but never with
AddressSanitizer. Current build rules specify LOCAL_SANITIZE := never
to disable AddressSanitizer; the idea is to change that to
LOCAL_NOSANITIZE := address thread.

Bug: 27729263
Change-Id: I2b770f2ce3faf6ad6798792327e96adb86fe4a4f
2016-06-30 22:49:17 +00:00
Dan Willemsen f761c0f574 Never add asan libraries to NDK code
We're beginning to enforce (still warning) that NDK code only links to
other NDK code. So we should never need to link them to the address
sanitizer libraries.

This breaks down a bit when platform code starts depending on NDK-built
code, where the NDK-built code should be mostly the same as if it was
built with the platform, but has an implicit LOCAL_SANITIZE := never.
Even so, this change shouldn't make that worse, as we'll still compile
fine, and any platform code that uses asan should pull in the
shared library.

Change-Id: I81b30b9edd971468c3cb1467f809f184807b505e
2016-06-28 16:47:43 -07:00
Chih-Hung Hsieh ad741e6d66 Link in ASAN library if my_global_sanitize is set.
* When my_global_sanitize is set and requires ASAN,
  link with ASAN library even when local module is not
  instrumented with ASAN, unless the local module is
  the ASAN library itself.
* Add -Wl,--as-needed to my_ldflags for shared libraries
  so that unneeded ASAN library would not become
  a dependent of the built .so file.
* Change shared file and executable file link argument order
  so that -Wl flags will have effect on linked-in libraries.
* Remove unused ADDRESS_SANITIZER_CONFIG_EXTRA_SHARED_LIBRARIES.

Bug: 27614834

Change-Id: I4eda6003f1f24e498cba91c043dbe1fabe522686
2016-03-15 16:53:46 -07:00
Evgenii Stepanov bbd944a25d Remove RPATH for AddressSanitizer.
RPATH was used in order for ASan executables to prefer ASan libraries
under /data. Now ASan executables use a special loader (linker_asan),
which implements this logic. RPATH is no longer needed.

Change-Id: Ic7a39b022267b80bd0ce3e95a2e822eb308a1fba
2015-12-21 10:29:54 -08:00
Stephen Hines e8119e96fc Switch from clang 3.6 to new clang repository (with 3.8).
This reverts commit f7dbab16ff.

Bug: 23396112

Switch from "-fsanitize-undefined-trap-on-error" to
"-fsanitize-trap=all". The former ends up accidentally leaving
unresolved calls to __ubsan* helper functions in the object file with
clang 3.8. The latter is used when we don't include address sanitizer,
and replaces any misbehavior with a direct call to abort().
2015-11-09 16:32:11 -08:00
Stephen Hines f7dbab16ff Revert "Switch from clang 3.6 to new clang repository (with 3.8)."
This reverts commit 1332828b6e.

Bug: 25141123

Change-Id: Idd5d8757095b2b370046a84aea76bc95e16f3876
2015-10-21 09:09:38 -07:00
Stephen Hines 1332828b6e Switch from clang 3.6 to new clang repository (with 3.8).
Bug: 23396112

Switch from "-fsanitize-undefined-trap-on-error" to
"-fsanitize-trap=all". The former ends up accidentally leaving
unresolved calls to __ubsan* helper functions in the object file with
clang 3.8. The latter is used when we don't include address sanitizer,
and replaces any misbehavior with a direct call to abort().

Change-Id: I8a67461b45f5f1dd9f2d179b6b64a4ca905e999f
2015-10-01 10:42:15 -07:00
Ivan Krasin 74b32b8dfc Add support of SANITIZE_TARGET='address coverage' for fuzzing.
Also, add trace-cmp instrumentation to fuzz_test and host_fuzz_test.

Bug: 22850550
Change-Id: Ifff7b8be693ae991feb0a64e19439370a19b2748
2015-09-18 11:54:43 -07:00
Dan Albert 4c40141a91 Fix sanitizer choice for global vs module.
The sanitizer chosen by the environment (either by SANITIZE_TARGET or
SANITIZE_HOST) should be chosen over the one specified by the module.

Bug: http://b/23330588
Change-Id: I835b7d76e071fc0db2f859f98dfb9d7ff76af245
2015-08-19 20:24:23 -07:00
Ying Wang a05e222368 Set up dependency on ADDRESS_SANITIZER_LINKER
Set up dependency on ADDRESS_SANITIZER_LINKER if address sanitizer is
enabled.

Bug: 22850550
Change-Id: I736fe1d4db9594edf9e82ae96e4631887881dfa5
2015-08-17 17:06:14 -07:00