Merge pull request #3759 from evverx/san-compatible

.github/workflows/build.yml

@@ -27,7 +27,7 @@ jobs:
         run: |
           sudo apt-get update -qq
           sudo apt-get install -qq gcc clang
-          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev docbook2x
+          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x
 
       - name: Compiler version
         env:
@@ -45,14 +45,16 @@ jobs:
           ./autogen.sh
 
           BUILD="$(pwd)/build"
-          mkdir -p "${BUILD}"
+          SAN_BUILD="$(pwd)/san_build"
+          mkdir -p "${BUILD}" "${SAN_BUILD}"
           cd "${BUILD}"
-          if [ "${{ matrix.compiler }}" = "gcc" ]; then
-            ../configure --enable-tests --enable-ubsan --with-distro=unknown
-          else
-            ../configure --enable-tests --with-distro=unknown
-          fi
+          ../configure --enable-tests --with-distro=unknown
 
           # Build
           make -j4
           make DESTDIR="${BUILD}/install" install
+
+          cd "${SAN_BUILD}"
+          CFLAGS="$CFLAGS -fsanitize=address,undefined" ../configure --disable-no-undefined --enable-pam --enable-tests --with-distro=unknown
+          make -j4
+          make DESTDIR="${SAN_BUILD}/install" install

configure.ac

@@ -200,6 +200,11 @@ AC_ARG_ENABLE([werror],
 	[AS_HELP_STRING([--disable-werror], [do not treat warnings as errors])],
 	[enable_werror=$enableval], [enable_werror=yes])
 
+AC_ARG_ENABLE([no_undefined],
+	[AS_HELP_STRING([--disable-no-undefined], [do not pass -Wl,--no-undefined])],
+	[enable_no_undefined=$enableval], [enable_no_undefined=yes])
+AM_CONDITIONAL([ENABLE_NO_UNDEFINED], [test "x$enable_no_undefined" = "xyes"])
+
 # Allow disabling rpath
 AC_ARG_ENABLE([rpath],
 	[AS_HELP_STRING([--enable-rpath], [set rpath in executables [default=no]])],
@@ -801,12 +806,15 @@ AC_SUBST(AM_CFLAGS)
 
 CC_CHECK_FLAGS_APPEND([AM_LDFLAGS],[LDFLAGS],[ \
 	-Wl,--as-needed \
-        -Wl,--no-undefined \
         -Wl,--gc-sections \
         -Wl,-z,relro \
         -Wl,-z,now \
         -pie \
         -Wl,-fuse-ld=gold])
+
+AM_COND_IF([ENABLE_NO_UNDEFINED],
+	[CC_CHECK_FLAGS_APPEND([AM_LDFLAGS],[LDFLAGS],[-Wl,--no-undefined])])
+
 AC_SUBST(AM_LDFLAGS)
 
 CFLAGS="$CFLAGS -Wvla -std=gnu11 -fms-extensions"

src/lxc/Makefile.am

@@ -262,10 +262,13 @@ liblxc_la_CFLAGS = -fPIC \
 		   -pthread
 
 liblxc_la_LDFLAGS = -pthread \
-		    -Wl,-no-undefined \
 		    -Wl,-soname,liblxc.so.$(firstword $(subst ., ,@LXC_ABI@)) \
 		    -version-info @LXC_ABI_MAJOR@
 
+if ENABLE_NO_UNDEFINED
+liblxc_la_LDFLAGS += -Wl,-no-undefined
+endif
+
 liblxc_la_LIBADD = $(CAP_LIBS) \
 		   $(OPENSSL_LIBS) \
 		   $(SELINUX_LIBS) \
@@ -1855,8 +1858,7 @@ pam_cgfs_la_LIBADD = $(AM_LIBS) \
 pam_cgfs_la_LDFLAGS = $(AM_LDFLAGS) \
 		      -avoid-version \
 		      -module \
-		      -shared \
-		      -Wl,-no-undefined
+		      -shared
 endif
 endif
 

src/tests/oss-fuzz.sh

@@ -24,10 +24,6 @@ mkdir -p $OUT
 
 export LIB_FUZZING_ENGINE=${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}
 
-# -fsanitize=... isn't compatible with -Wl,-no-undefined
-# https://github.com/google/sanitizers/issues/380
-sed -i 's/-Wl,-no-undefined *\\/\\/' src/lxc/Makefile.am
-
 # AFL++ and hoggfuzz are both incompatible with lto=thin apparently
 sed -i '/-flto=thin/d' configure.ac
 
@@ -42,7 +38,8 @@ sed -i 's/^AC_CHECK_LIB(util/#/' configure.ac
     --disable-openssl \
     --disable-selinux \
     --disable-seccomp \
-    --disable-capabilities
+    --disable-capabilities \
+    --disable-no-undefined
 
 make -j$(nproc)