From e7695f95ae714f3168ce953fd022ddfb40f03e67 Mon Sep 17 00:00:00 2001 From: Sergey Vojtovich Date: Fri, 7 Jun 2019 12:24:27 +0400 Subject: [PATCH] MDEV-19360 - Disable _FORTIFY_SOURCE for ASAN builds Those two may work incorrectly together. Namely, ASAN may produce false positives or false negatives. For details see https://github.com/google/sanitizers/wiki/AddressSanitizer#faq Make SECURITY_HARDENED disabled by default if WITH_ASAN=ON Based on contribution by Eugene Kosov. --- CMakeLists.txt | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 32e9b1e9498..083fa753b88 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -191,6 +191,8 @@ INCLUDE(check_compiler_flag) OPTION(WITH_ASAN "Enable address sanitizer" OFF) IF (WITH_ASAN) + # this flag might be set by default on some OS + MY_CHECK_AND_SET_COMPILER_FLAG("-U_FORTIFY_SOURCE" DEBUG RELWITHDEBINFO) # gcc 4.8.1 and new versions of clang MY_CHECK_AND_SET_COMPILER_FLAG("-fsanitize=address -O1 -Wno-error -fPIC" DEBUG RELWITHDEBINFO) @@ -216,22 +218,22 @@ ENDIF() OPTION(WITH_UBSAN "Enable undefined behavior sanitizer" OFF) IF (WITH_UBSAN) - IF(SECURITY_HARDENED) - MESSAGE(FATAL_ERROR "WITH_UBSAN and SECURITY_HARDENED are mutually exclusive") - ENDIF() - MY_CHECK_AND_SET_COMPILER_FLAG("-fsanitize=undefined" DEBUG RELWITHDEBINFO) + MY_CHECK_AND_SET_COMPILER_FLAG("-fsanitize=undefined -U_FORTIFY_SOURCE" DEBUG RELWITHDEBINFO) ENDIF() # enable security hardening features, like most distributions do # in our benchmarks that costs about ~1% of performance, depending on the load -IF(CMAKE_C_COMPILER_VERSION VERSION_LESS "4.6") +IF(CMAKE_C_COMPILER_VERSION VERSION_LESS "4.6" OR WITH_ASAN OR WITH_UBSAN) SET(security_default OFF) ELSE() SET(security_default ON) ENDIF() OPTION(SECURITY_HARDENED "Use security-enhancing compiler features (stack protector, relro, etc)" ${security_default}) IF(SECURITY_HARDENED) + IF(WITH_ASAN OR WITH_UBSAN) + MESSAGE(FATAL_ERROR "WITH_ASAN/WITH_UBSAN and SECURITY_HARDENED are mutually exclusive") + ENDIF() # security-enhancing flags MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC") MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")