Running any executable built with asan and libc_scudo results in crashes.
Bug: 131810078
Test: Built the media processes with the sanitizer enabled verifying
Test: that the libc_scudo.so shared library is not listed in the
Test: mediaextractor and the mediaswcodec binaries.
Test: Build the media processes without the sanitizer enabled verifying
Test: that the libc_scudo.so shared library is listed in the
Test: mediaextractor and the mediaswcodec binaries.
Change-Id: Ie55a0414088787ec11d85fffcb04592ed4f23c57
Disable a debugging feature in hwasan that seems to be causing flaky selinux
denials in the boot test:
05-02 12:11:11.360 1663 1663 I auditd : type=1400 audit(0.0:8): avc: denied { read } for comm="iptables-wrappe" path="/proc/1015/statm" dev="proc" ino=30968 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netmgrd:s0 tclass=file permissive=0
I could not reproduce this locally, but this feature has no users and
I've verified that things keep working without it.
This does not affect any shipped product.
Bug: 131438232
Bug: 112438058
Bug: 131845076
Test: crosshatch_hwasan boot test
Change-Id: I08d46d19151e6d5221cdd56fd6864dae224fae25
Now that the toolchain and bionic both support ifuncs in
static executables, we can turn this on. Reduces size of
walleye_hwasan-userdebug system.img by 11MB.
Change-Id: I2f19b22518153328eee3fdca79d0c851cc513c3a
The properties are no longer required as an APEX module is mutated with
required sanitizers which are gathered by scanning the sanitizers that
are enabled for its direct dependencies.
Bug: 124128094
Test: m on marlin
The extractor libs are found under /system/apex/com.android.media
Merged-In: I55961d400dcbac067a5c0dcecb90e399d4991a70
Change-Id: I55961d400dcbac067a5c0dcecb90e399d4991a70
(cherry picked from commit abda0eb76b)
Add an opaque OnceKey type and use it for all calls to Once in
build/soong. A future patch will convert the arguments to
Once* to OnceKey once users outside build/soong have been updated.
Test: onceper_test.go
Change-Id: Ifcb338e6e603e804e507203c9508d30ffb2df966
This adds an option in Soong to turn off Scudo globally.
Bug: 123228023
Test: enable Scudo for tombstoned, lunch marlin_svelte-eng && m -j, and
make sure that Scudo is not linked in
out/target/product/marlin/system/bin/tombstoned
Test: enable Scudo for tombstoned, lunch marlin-userdebug && m -j, and
make sure that Scudo is linked in
out/target/product/marlin/system/bin/tombstoned
Change-Id: I0b0992446953fc4074bde94507b66f92764c8143
Merged-In: I0b0992446953fc4074bde94507b66f92764c8143
This change the asan version of
https://android-review.googlesource.com/c/platform/build/soong/+/879237
Bug: 123725034
Test: forrest run on asan_cf_x86_pasan
Test: SANITIZE_TARGET=address m init_second_stage
inspect /system/bin/init with readelf
DT_INTERP is set to /system/bin/bootstrap/linker_asan
Change-Id: I0fabe08cc63126aadec18ca8e9f2973c33411a4f
-hwasan-with-ifunc=0 matches the default value of the flag, and there
are no plans to change that.
Test: SANITIZE_TARGET=hwaddress keeps working
Change-Id: Ie46ffa6ae3c42a9677c3a9a3b5cdc6fb62c2c2f0
Fixing the problem that IsSanitizerEnabled always returns false due to
the different sanitizer names from config.SanitizerDevice() and
sanitizerType.String().
Bug: 123708856
Test: SANITIZE_TARGET=hwaddress m com.android.runtime.release
$ ls -al out/soong/.intermediates/art/build/apex/com.android.runtime.release/android_common_hwasan_com.android.runtime.release/image.apex/lib | wc -l
34
$ ls -al out/soong/.intermediates/art/build/apex/com.android.runtime.release/android_common_hwasan_com.android.runtime.release/image.apex/lib64 | wc -l
35
$ ls -al out/target/product/blueline/apex/com.android.runtime.release/lib | wc -l
34
$ ls -al out/target/product/blueline/apex/com.android.runtime.release/lib64 | wc -l
35
Test: inspect out/soong/build.ninja
- Variant of com.android.runtime.release is "android_common_hwasan_com.android.runtime.release"
- Dependencies of com.android.runtime.release are hwasan variants: e.g.,
out/soong/.intermediates/bionic/libc/libc/android_arm64_armv8-2a_kryo385_core_shared_hwasan_com.android.runtime.release/libc.so
Test: ls out/soong/.intermediates/art/build/apex/com.android.runtime.release/android_common_hwasan_com.android.runtime.release/image.apex/lib64/*.so | xargs readelf -d | grep libclang_rt.hwasan | wc -l
29
Change-Id: Idbb1f68a3ea6bdd02351d6f6048c3eedb9cf32d2
This change fixes a bug that sanitizer runtime libs for non-core variant
(e.g. recovery, vendor, etc.) are not installed. It happened because the
dependency to the sanitizer runtime lib was without 'image' variant,
which in most case caused only the core variant - which is the first in
the image variants - of the lib to be installed.
Fixing the issue by correctly selecting image variant depending on the
location of the lib having dependency to the runtime lib.
Bug: 123525879
Test: SANITIZE_TARGET=hwaddress m out/target/product/blueline/boot.img
Test: SANITIZE_TARGET=address m out/target/product/blueline/boot.img
libclang_rt.*.so is under
out/target/product/blueline/root/recovery/system/lib64
Change-Id: Iea7d718d4971e36521f0a3f712a454de944cd7ac
This fixes a problem that APEX is unconditionally mutated for all
sanitizer types. This can make an APEX to include sanitized version
of a lib even when SANITIZE_TARGET is not set. It can happen when lib X
is directly depended on by an APEX (e.g. via native_shared_libs) and X
has a sanitized variant due to the dependency from another library Y
which is force sanitized (via 'sanitize' property). In that case,
regardless of lib Y is in the APEX or not, the APEX chooses the
sanitized variant of lib X since the dependency from APEX to the lib is
created with AddFarVariationDependency.
Fixing this problem by mutating the APEX for a sanitizer type only when
the device is requested to be sanitized.
Bug: 122717287
Test: add libnetd_client to com.android.runtime APEX.
Inspect build.ninja to verify that libnetd_client.so in the runtime APEX
is not a sanitized one.
Change-Id: I918bc8407137d74c5456142b3a29de13df68c0b3
Introduce a new tag earlySharedDepTag which is added in front of the
ordinary sharedDep dependencies. Dependency to the ASAN runtime lib is
added with the new tag.
Bug: 120894259
Bug: 121038155
Test: m; SANITIZE_TARGET=address m
Use readelf -d to see if the runtime lib is in the first DT_NEEDED one.
Change-Id: I90de6ab95df734a99995532d826564b13fe05316
Bug: http://b/123254047
This reverts commit 84757ea7ea.
Reason for revert: veridex asan failure is fixed.
Change-Id: Id03180b8d3d1dc1386fd7e4f800d64dc8578139c
This CL adds configs for the arm64 and x64 fuchsia
device targets, sets up the necessary linker flags,
and disables some functionality that is not currently
supported on Fuchsia.
Bug: 119831161
Test: Compile walleye, internal validation against
fuchsia_arm64-eng and fuchsia_x86_64-eng.
Change-Id: I2881b99d2e3a1995e2d8c00a2d86ee101a972c94
This change first introduces the interface "Sanitizeable" that
module types other than cc.Module can use to be handled by the sanitizer
mutator. APEX module, by implementing the interface, gets sanitizer
variants.
In doing so, sanitizer.go is refactored so that modules have explicit
dependencies to the runtime sanitizer libraries. This allows the runtime
library to be packaged into the APEX when required. This also completes
the dependency graph; updating the prebuilt sanitizer runtime will
trigger rebuilding of modules using the runtime.
Bug: 120894259
Bug: 121038155
Test: SANITIZE_TARGET=hwaddress m apex.test
Test: TARGET_FLATTEN_APEX=true SANITIZE_TARGET=address m
Change-Id: Ia91576ff48cda3c996350308b75bf83fcf7c23d7
Add a no_recover option that allows specifying which sanitizers in
diagnostics modes shouldn't recover. This can help debugging as we test
enabling sanitizers in new libraries since it'll cause tombstones to be
generated along with the diagnostics information.
Bug: 80195448
Bug: 110791537
Test: Compiled test module with this flag, checked compiler command.
Test: Test module crashed, tombstone contained diagnostics information.
Change-Id: Ie938923ef95716c2d49d6cd719ee223ad62755c6
Current implementation does not play nice with -gc-sections.
Bug: 120673911
Test: make SANITIZE_TARGET=hwaddress recovery-persist
Change-Id: I36cd37fb41c0c26c7e747e2c1dd5fadf7a31f4e7
* Add -fno-sanitize=implicit-integer-sign-change when
there is any integer related sanitizer, and this check
is not explicitly specified.
Android core does not boot with this new sanitizer yet.
* Filter out -fno-sanitize=implicit-integer-sign-change
from tooling flags.
Bug: 119329758
Bug: 119557795
Test: make checkbuild, boot, go/clang-r346389-testing
Change-Id: I709de569cb73d070fc4958e2b4387f4041bc5438
Make sanitized targets in recovery depend on ".recovery" flavor of
sanitizer runtime library. This forces installation of the runtime
library in recovery image as long as at least one target depends on it.
Test: hwasan build can boot into recovery
Bug: 112438058
Bug: 119582521
Change-Id: I1b7f9fa4ff5f29acb03c27074512ea24467a3d37
Shadow call stack (SCS) is a security mitigation that uses a
separate stack (the SCS) for return addresses.
The effect of setting sanitize.scs on a shared library is to build
the library and all of its static library dependencies with SCS. This
is similar to CFI and the other sanitizers.
Bug: 112907825
Bug: 119557795
Change-Id: I82fb2b38b10eac911c4d2d120b74fea4af0622ad
HWASan is disabled in recovery strictly for code size, not for
correctness. With this change, HWASan binaries and libraries can be
used in recovery.
The real reason is the make build system which has no idea of the big
picture, and makes it hard to disable HWASan in _all_ recovery modules
recursively. A few static libraries have sneaked in.
Bug: 119582521
Test: sideload an OTA onto a hwasan device
Change-Id: I6536cc7bf5bfb37f939b585545a23c2068fbd47f
llvm-ar takes a --plugin argument but it is ignored for compatibility,
so passing it has no effect.
Change-Id: I4fc51d226d66cf2a43462d3d4ccc12e6e5ebb226
This reverts commit 98d8580c3a.
Change no longer needed with the new LLVM toolchain update.
Bug: 112907825
Bug: 111759196
Change-Id: Ife3ce47a602dd850ac84bb51abc70c0ca157776e
This is achieved via the compiler flag -ffixed-x18 for non-LTO builds
and the linker flag -plugin-opt -mattr=+reserve-x18 for LTO builds.
This change should be reverted once we upgrade past LLVM r340889
which does this by default on Android.
Bug: 112907825
Bug: 111759196
Change-Id: I05473ddbb98319d87d442425b4d715647eae3a38
Scudo is now compatible with the -fsanitize-minimal-runtime, and offers a new
dynamic library that doesn't bundle UBSan.
This patch adds support for this new library in Soong, preferring it over the
full one, unless a UBSan or diagnostic dependency is found.
Test: aosp compiled with m -j
Test: local test enabling Scudo for tombstoned
Change-Id: I17794131db148b33f8a8710ac43302cadf1af314
Make sure that the minimal runtime gets applied to the rest
of the sanitizers we might use from ubsan.
Bug: 80195448
Test: Build success and checked build flags.
Change-Id: I31b211b80bb1068c153a9b65454a2605933c9568
Clang is always used now, so we can remove all the GCC checks. Removing
GCC-specific configuration will happen in the next CL.
Test: m
Change-Id: I4835ecf6062159315d0dfb07b098e60bff033a8a
It allows use of sanitizer preprocessor macros (like __has_feature())
in assembly files.
Bug: 112438058
Test: SANITIZE_TARGET=hwaddress
Change-Id: Id3fed5492ab9473cbb13cd6c0485302412e8b1de
This is a new sanitizer similar to ASan, but with a few differences
from the build system perspective:
* Only runs on AArch64.
* Supports static binaries.
* Bionic itself will be built with HWASan.
* Does not have any "if a library is sanitized than the binary must
be, too" requirements unlike ASan. Even better, individual static
libraries can be freely sanitized or not. We propagate "nosanitize"
from binaries to static libraries anyway, because otherwise there
is no good way to disable hwasan on a binary as a whole.
Same a CFI, we export a list of sanitized static libraries to make.
In fact, we export separate lists for vendor and regular libraries,
because it is possible for one to be sanitized without the other
(i.e. there can be mylib.hwasan.vendor w/o mylib.hwasan or vice
versa).
Bug: 112438058, 112709969
Test: manual, part of a bigger patch set
Change-Id: Ie4fdeb522ac03cf9684526882e84dfee3807b6a7
VisitDepsDepthFirst is almost never correct, as it can't query
dependency tags of multiple dependencies between the same two modules.
Replace VisitDepsDepthFirst with WalkDeps in sanitize.go and
python.go. Also verify the dependency tag before continuing to
recurse to ensure that they don't recurse through genrules and into
unrelated modules.
Test: m checkbuild
Change-Id: I2f7560126f56b51a40ec39dfbdcc18b5891489f7
Scudo is a hardened usermode allocator that is part of LLVM's compiler-rt
project (home of the Sanitizers). clang allows for -fsanitize=scudo as a
possible command line option to link the shared Scudo library to a binary.
This patch add Scudo as a potential sanitize option. Scudo is not compatible
with ASan and TSan and will be disabled if either is enabled.
Bug: 72112048
Test: aosp compiled with m -j
Test: local experiment with scudo: true to ensure that a test target
(tombstoned) could be linked with scudo.
Change-Id: I76bb6c60891d4782f6665a112c4c2bf7c31645da
The SetSanitizer() method in cc/sanitize.go was also enabling
diagnostics for CFI when invoked from the sanitizer mutator. We
shouldn't be doing this, so this CL disables that.
Bug: 79785496
Test: strings libziparchive.so | grep 'ubsan'
Change-Id: Iffe0d4e9c333ac5dfbec3f48e381c232ce5d4463
The current VNDK ABI snapshot expects that CFI is disabled for
components that either in the include paths (from cfi-common.mk) OR
enabled directly in the makefile/blueprint. However, on non-arm64
architectures, the build system was only disabling CFI for vendor
components in the include paths.
This topic corrects it by (a) removing the include paths check to
disable CFI for vendor variants (this CL), and (b) inheriting the CFI
include paths in all product configs to ensure that when we update the
ABI we're able to move to relying exclusively
on (PRODUCT_)CFI_INCLUDE_PATHS.
Bug: 66301104
Test: ABI matches for all architectures.
Change-Id: I648edf13346b18fd88b623682e8590ed44709e0d
This CL restricts CFI_INCLUDE_PATHS and PRODUCT_CFI_INCLUDE_PATHS to
Arm64 only.
Bug: 66301104
Test: x86 targets do not respect the include paths variables
Change-Id: I66ec2fb05435535aaf5d59fdfc7a170a4fdd4f26
Enabling CFI changes the VNDK ABI from the frozen snapshot, so the
only solution for now is to temporarily disable CFI on all vendor
variants for the sake of compatibility.
Bug: 66301104
Test: ABI is consistent.
Change-Id: Ie7dca41e0f647808b08adede09a30f3c746e6bda
