Compiling with AddressSanitizer

From Libreswan
Revision as of 00:06, 24 May 2015 by Paul Wouters (talk | contribs)
Jump to navigation Jump to search

AddressSanitizer (or ASAN) is a programming tool that detects memory corruption bugs such as buffer overflows or accesses to a dangling pointer (use-after-free). AddressSanitizer is based on compiler instrumentation and directly-mapped shadow memory. For more information see the [Wikipedia Page https://en.wikipedia.org/wiki/AddressSanitizer] page and the [Google ASAN https://code.google.com/p/address-sanitizer/wiki/] page.

To enable ASAN (which requires clang or gcc >= 4.8) for libreswan, you need to change the linking flags. This can be done by setting the USERLINK environment variable, or setting this variable in the file Makefile.inc.local. See also the USERLINK setting in mk/config.mk.

export USERLINK="-Wl,-z,relro,-z,now -g -pie -fsanitize=address"

You will also need to install libasan (using yum, dnf or apt-get)

Enabling ASAN will cause it to throw leak reports to stdout. Since the addconn binary has some leaks, this will confuse the startup scripts when using addconn to determine the protostack. So to start libreswan, use:

ipsec stop
ASAN_OPTIONS=detect_leaks=0 ipsec _stackmanager start
ipsec pluto --config /etc/ipsec.conf --nofork --stderrlog

In another terminal, run the tests you want to add with adding/upping/removing any connections. When done run:

ipsec whack --shutdown

The ASAN messages will now appear on the terminal you started pluto on.

Note that you should not enable --leak-detective and not link against ElectricFence, because those mechanisms try to do similar things and you will just make it harder to debug any ASAN messages you will get,