openssh bugs - Jun 2022 - [Bug 3441] New: Build openssh with sanitizer flags enabled

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

            Bug ID: 3441
           Summary: Build openssh with sanitizer flags enabled
           Product: Portable OpenSSH
           Version: 8.7p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Build system
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dbelyavs at redhat.com

$ ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address

ends with 

configure: error: *** compiler cannot create working executables, check
config.log ***

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
What did it say when you checked config.log?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Also, what platform, compiler, and architecture (Hardware = "Other"?)
was this on?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

--- Comment #3 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
The 1st error was caused by lack of libasan.

After I installed it, the configure hangs on 
checking if select and/or poll works with descriptor rlimit...

I test on x86_64 Fedora 35 Linux, 

$ gcc --version
gcc (GCC) 11.3.1 20220421 (Red Hat 11.3.1-2)
Copyright (C) 2021 Free Software Foundation, Inc.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

Dmitry Belyavskiy <dbelyavs at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|Other                       |ARM64

--- Comment #4 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
See also https://bugzilla.redhat.com/show_bug.cgi?id=2070137

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

Dmitry Belyavskiy <dbelyavs at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|ARM64                       |amd64

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Th(In reply to Dmitry Belyavskiy from comment #4)
> See also https://bugzilla.redhat.com/show_bug.cgi?id=2070137
I split out the rlimit+select check before I read that bug but got the
same result:

$ ./a.out 
==2109378==Can't open /proc/2109377/task for reading.
==2109377==LeakSanitizer has encountered a fatal error.
==2109377==HINT: For debugging, try setting environment variable
LSAN_OPTIONS=verbosity=1:log_threads=1
==2109377==HINT: LeakSanitizer does not work under ptrace (strace, gdb,
etc)

You can work around that by skipping the rlimit+select check if
--without-sandbox is set, which gets to the dlsym problem:

usr/bin/ld: ./libssh.a(ssh-pkcs11.o): undefined reference to symbol
'dlsym@@GLIBC_2.2.5'
//usr/lib64/libdl.so.2: error adding symbols: DSO missing from command
line
collect2: error: ld returned 1 exit status

which you can work around by disabling the things that need dlsym
("--disable-security-key --disable-pkcs11") which brings us to the
final problem: the leak checker in the preauth privsep process can't
open /proc because that process is in a chroot and fails when the
process exits: 

$ sudo `pwd`/sshd -ddde -p 2022
[...]
debug3: mm_send_keystate: Finished sending state [preauth]
==2194517==Can't open /proc/2194515/task for reading.
==2194515==LeakSanitizer has encountered a fatal error.
==2194515==HINT: For debugging, try setting environment variable
LSAN_OPTIONS=verbosity=1:log_threads=1
==2194515==HINT: LeakSanitizer does not work under ptrace (strace, gdb,
etc)

This one is a dealbreaker as long as the leak checker needs access to
/proc since privsep is required.  You could try hacking the code to
disable privsep for testing purposes but be aware that's now an
untested and unsupported configuration.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

--- Comment #6 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3596
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3596&action=edit
Skip rlimit+select check if sandbox is disabled.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

--- Comment #7 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
Thank you!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

--- Comment #8 from Darren Tucker <dtucker at dtucker.net> ---
Oh, one other possibility for testing purposes: you could also mount
/proc inside the privsep chroot.  Obviously this would be a terrible
idea  to run in production since in this context /proc is probably more
than 50% attack surface and chroot escapes by weight.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

--- Comment #9 from Darren Tucker <dtucker at dtucker.net> ---
I committed a change to configure.ac to skip the check in this case.

With that and the following configure invocation on an unmodified
current source tree I got it to work, at least as far as getting a leak
report from the preauth privsep process.  This seems to work for both
gcc and clang, although the reports from clang seem much better.

$ sudo mkdir -p /chroot/proc
$ sudo mount -t proc proc /chroot/proc
$ CC=clang-14 ./configure --disable-security-key --disable-pkcs11
--without-sandbox --with-cflags=-fsanitize=address
--with-ldflags=-fsanitize=address --with-privsep-path=/chroot
--with-privsep-user=root

Obviously, using "root" as the privsep user is not suitable for
production use.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441

--- Comment #10 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
Thank you very much!

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.