Bug 993502 - Adding new extra hardening build flags for debugging
Adding new extra hardening build flags for debugging
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: redhat-rpm-config (Show other bugs)
22
Unspecified Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Florian Festi
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-06 01:19 EDT by Dhiru Kholia
Modified: 2016-07-19 06:16 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-19 06:16:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
add ASAN + TSAN extra hardening macro (2.93 KB, patch)
2013-08-06 01:21 EDT, Dhiru Kholia
no flags Details | Diff

  None (edit)
Description Dhiru Kholia 2013-08-06 01:19:14 EDT
GCC 4.8.1 in Fedora 19 (and higher) supports AddressSanitizer (ASAN) and ThreadSanitizer features.

AddressSanitizer is a fast memory error detector (​http://clang.llvm.org/docs/AddressSanitizer.html).

ThreadSanitizer is a tool that detects data races (​http://clang.llvm.org/docs/ThreadSanitizer.html).

I am proposing to *add* support in Fedora 20 for building package with these features (ASAN, TSAN) on an on-demand basis. 

For details, please see https://fedorahosted.org/fesco/ticket/1153
Comment 1 Dhiru Kholia 2013-08-06 01:21:00 EDT
Created attachment 783184 [details]
add ASAN + TSAN extra hardening macro
Comment 2 Dhiru Kholia 2013-08-06 01:23:27 EDT
I have attached a patch for redhat-rpm-config package to enable building packages with ASAN / TSAN. I have added "_AddressSanitizer_build" and "_ThreadSanitizer_build" flags and turning them on enables ASAN and TSAN respectively.

My patch is tiny, safe and does (should) not affect anything unless the SPEC files are explicitly modified to use these new flags.
Comment 3 Panu Matilainen 2013-08-12 03:24:55 EDT
Just a couple of remarks based on initial, brief look at the thing:
- Introducing two separate flags for mutually exclusive features doesn't seem like such a hot idea
- Enabling either saniziter mode introduces additional build-requires (libasan or libtsan), but there's no way to automatically reflect that in the packages, so builds will just barf up and you'll need to dig into config.log to figure out what went wrong

I'm not opposed to somehow providing a common way of enabling these things but the current approach doesn't IMO cut it.
Comment 4 Panu Matilainen 2013-08-12 03:35:43 EDT
In addition, -fsanitize=thread appear to have further restrictions which aren't taken into account in the patch afaics:

gcc: error: -fsanitize=thread linking must be done with -pie or -shared
Comment 5 Dhiru Kholia 2013-08-12 15:35:50 EDT
(In reply to Panu Matilainen from comment #3)
> Just a couple of remarks based on initial, brief look at the thing:
> - Introducing two separate flags for mutually exclusive features doesn't
> seem like such a hot idea

Yes, it is terrible. Is there an alternate solution which works?

> - Enabling either saniziter mode introduces additional build-requires
> (libasan or libtsan), but there's no way to automatically reflect that in
> the packages, so builds will just barf up and you'll need to dig into
> config.log to figure out what went wrong

True. Is "educating users" via documentation a decent solution?

> I'm not opposed to somehow providing a common way of enabling these things
> but the current approach doesn't IMO cut it.

I agree that the current approach has some problems but this is like my 3rd day
with this package ;)

I am sure that you (and other folks) can come up with a better solution.
Comment 6 Dhiru Kholia 2013-08-12 15:37:42 EDT
(In reply to Panu Matilainen from comment #4)
> In addition, -fsanitize=thread appear to have further restrictions which
> aren't taken into account in the patch afaics:
> 
> gcc: error: -fsanitize=thread linking must be done with -pie or -shared

You are right.

Currently, I rely on the existing "_hardened_build" option being enabled already.
Comment 7 Fedora End Of Life 2013-09-16 12:03:52 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20
Comment 9 Fedora Admin XMLRPC Client 2014-11-14 02:24:37 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 10 Jaroslav Reznik 2015-03-03 09:59:00 EST
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 11 Fedora End Of Life 2016-07-19 06:16:35 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.