diff --git a/sys/conf/files b/sys/conf/files
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -3803,7 +3803,7 @@
 kern/kern_intr.c standard
 kern/kern_jail.c standard
 kern/kern_kcov.c optional kcov \
- compile-with "${NORMAL_C:N-fsanitize*} ${NORMAL_C:M-fsanitize=kernel-memory}"
+ compile-with "${NORMAL_C:N-fsanitize*:N-fasan-shadow-offset*} ${NORMAL_C:M-fsanitize=kernel-memory}"
 kern/kern_khelp.c standard
 kern/kern_kthread.c standard
 kern/kern_ktr.c optional ktr
@@ -3871,7 +3871,7 @@
 kern/subr_acl_nfs4.c optional ufs_acl | zfs
 kern/subr_acl_posix1e.c optional ufs_acl
 kern/subr_asan.c optional kasan \
- compile-with "${NORMAL_C:N-fsanitize*:N-fstack-protector*}"
+ compile-with "${NORMAL_C:N-fsanitize*:N-fasan-shadow-offset*:N-fstack-protector*}"
 kern/subr_autoconf.c standard
 kern/subr_blist.c standard
 kern/subr_boot.c standard
@@ -3883,10 +3883,10 @@
 kern/subr_compressor.c standard \
 compile-with "${NORMAL_C} -I$S/contrib/zstd/lib/freebsd"
 kern/subr_coverage.c optional coverage \
- compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*}"
+ compile-with "${NORMAL_C:N-fsanitize*:N-fasan-shadow-offset*:N-fno-sanitize*}"
 kern/subr_counter.c standard
 kern/subr_csan.c optional kcsan \
- compile-with "${NORMAL_C:N-fsanitize*:N-fstack-protector*}"
+ compile-with "${NORMAL_C:N-fsanitize*:N-fasan-shadow-offset*:N-fstack-protector*}"
 kern/subr_devstat.c standard
 kern/subr_disk.c standard
 kern/subr_early.c standard
@@ -3906,7 +3906,7 @@
 kern/subr_memdesc.c standard
 kern/subr_module.c standard
 kern/subr_msan.c optional kmsan \
- compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*:N-fstack-protector*}"
+ compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*:N-fstack-protector*}"
 kern/subr_msgbuf.c standard
 kern/subr_param.c standard
 kern/subr_pcpu.c standard
diff --git a/sys/conf/files.arm64 b/sys/conf/files.arm64
--- a/sys/conf/files.arm64
+++ b/sys/conf/files.arm64
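Review bot: The `:N-fasan-shadow-offset*` filter is pasted by hand into every `compile-with` line that already strips `-fsanitize*` (kern_kcov.c, subr_asan.c, subr_coverage.c, subr_csan.c and subr_msan.c here, and the same pattern in files.arm64, kern.post.mk, kmod.mk and the linux64 and vmm module Makefiles), at a different position in the modifier chain from one line to the next. Any rule that strips `-fsanitize*` but is not touched by this diff would still hand `-fasan-shadow-offset=` to the compiler without `-fsanitize=kernel-address`, which GCC rejects as far as I know, so a missed site would surface only on a GCC KASAN build. A comment where the flag is introduced in kern.pre.mk would record the rule, e.g. `# Every rule that filters -fsanitize* must also filter -fasan-shadow-offset*.`, and appending the new filter in the same place in each chain would make a missed site easier to spot.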
@@ -81,7 +81,7 @@
 arm64/arm64/uma_machdep.c standard
 arm64/arm64/undefined.c standard
 arm64/arm64/unwind.c optional ddb | kdtrace_hooks | stack \
- compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*}"
+ compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*}"
 arm64/arm64/vfp.c standard
 arm64/arm64/vm_machdep.c standard
@@ -124,10 +124,10 @@
 arm64/vmm/vmm_reset.c optional vmm
 arm64/vmm/vmm_call.S optional vmm
 arm64/vmm/vmm_hyp_exception.S optional vmm \
- compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*:N-mbranch-protection*} -fpie" \
+ compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*:N-mbranch-protection*} -fpie" \
 no-obj
 arm64/vmm/vmm_hyp.c optional vmm \
- compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*:N-mbranch-protection*} -fpie" \
+ compile-with "${NORMAL_C:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*:N-mbranch-protection*} -fpie" \
 no-obj
 vmm_hyp_blob.elf.full optional vmm \
 dependency "vmm_hyp.o vmm_hyp_exception.o" \
diff --git a/sys/conf/kern.post.mk b/sys/conf/kern.post.mk
--- a/sys/conf/kern.post.mk
+++ b/sys/conf/kern.post.mk
@@ -245,21 +245,21 @@
 NM='${NM}' NMFLAGS='${NMFLAGS}' sh $S/kern/genoffset.sh genoffset.o > ${.TARGET}
 genoffset.o: $S/kern/genoffset.c
- ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*} \
+ ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*} \
 -fcommon $S/kern/genoffset.c
 # genoffset_test.o is not actually used for anything - the point of compiling it
 # is to exercise the CTASSERT that checks that the offsets in the offset.inc
 # _lite struct(s) match those in the original(s).
 genoffset_test.o: $S/kern/genoffset.c offset.inc
- ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*} \
+ ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*} \
 -fcommon -DOFFSET_TEST $S/kern/genoffset.c -o ${.TARGET}
 assym.inc: $S/kern/genassym.sh genassym.o genoffset_test.o
 NM='${NM}' NMFLAGS='${NMFLAGS}' sh $S/kern/genassym.sh genassym.o > ${.TARGET}
 genassym.o: $S/$M/$M/genassym.c offset.inc
- ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*} \
+ ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*} \
 -fcommon $S/$M/$M/genassym.c
 OBJS_DEPEND_GUESS+= opt_global.h
diff --git a/sys/conf/kern.pre.mk b/sys/conf/kern.pre.mk
--- a/sys/conf/kern.pre.mk
+++ b/sys/conf/kern.pre.mk
@@ -94,13 +94,15 @@
 KASAN_ENABLED!= grep KASAN opt_global.h || true ; echo
 .if !empty(KASAN_ENABLED)
 SAN_CFLAGS+= -DSAN_NEEDS_INTERCEPTORS -DSAN_INTERCEPTOR_PREFIX=kasan \
- -fsanitize=kernel-address \
- -mllvm -asan-stack=true \
+ -fsanitize=kernel-address
+.if ${COMPILER_TYPE} == "clang"
+SAN_CFLAGS+= -mllvm -asan-stack=true \
 -mllvm -asan-instrument-dynamic-allocas=true \
 -mllvm -asan-globals=true \
 -mllvm -asan-use-after-scope=true \
 -mllvm -asan-instrumentation-with-call-threshold=0 \
 -mllvm -asan-instrument-byval=false
+.endif
 .if ${MACHINE_CPUARCH} == "aarch64"
 # KASAN/ARM64 TODO: -asan-mapping-offset is calculated from:
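Review bot: A non-clang KASAN build now gets `-fsanitize=kernel-address` with no tuning at all, because the whole `-mllvm -asan-*` block in the kern.pre.mk hunk moved inside `.if ${COMPILER_TYPE} == "clang"` and nothing replaces it for GCC. As far as I know GCC leaves stack and global-variable instrumentation off by default for kernel-address, so a GCC-built KASAN kernel would likely not report the stack and global out-of-bounds accesses that the clang build catches. If that reduced coverage is not intended, add a GCC branch before the `.endif`, for example `.else` followed by `SAN_CFLAGS+= --param asan-stack=1 --param asan-globals=1`; if it is intended, a comment such as `# GCC: stack/global instrumentation left at compiler defaults` would keep readers from assuming parity. The enclosing `.if !empty(KASAN_ENABLED)` block continues past the end of this hunk.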
@@ -110,7 +112,11 @@
 # KASAN_MIN_ADDRESS, and this offset value should eventually be
 # upstreamed similar to: https://reviews.llvm.org/D98285
 #
+.if ${COMPILER_TYPE} == "clang"
 SAN_CFLAGS+= -mllvm -asan-mapping-offset=0xdfff208000000000
+.else
+SAN_CFLAGS+= -fasan-shadow-offset=0xdfff208000000000
+.endif
 .elif ${MACHINE_CPUARCH} == "amd64" && \
 ${COMPILER_TYPE} == "clang" && ${COMPILER_VERSION} >= 180000
 # Work around https://github.com/llvm/llvm-project/issues/87923, which leads to
diff --git a/sys/conf/kmod.mk b/sys/conf/kmod.mk
--- a/sys/conf/kmod.mk
+++ b/sys/conf/kmod.mk
@@ -526,13 +526,13 @@
 sh ${SYSDIR}/kern/genassym.sh genassym.o > ${.TARGET}
 genassym.o: ${SYSDIR}/${MACHINE}/${MACHINE}/genassym.c offset.inc
 genassym.o: ${SRCS:Mopt_*.h}
- ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*} -fcommon \
+ ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*} -fcommon \
 ${SYSDIR}/${MACHINE}/${MACHINE}/genassym.c
 offset.inc: ${SYSDIR}/kern/genoffset.sh genoffset.o
 sh ${SYSDIR}/kern/genoffset.sh genoffset.o > ${.TARGET}
 genoffset.o: ${SYSDIR}/kern/genoffset.c
 genoffset.o: ${SRCS:Mopt_*.h}
- ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*} -fcommon \
+ ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*} -fcommon \
 ${SYSDIR}/kern/genoffset.c
 CLEANDEPENDFILES+= ${_ILINKS}
diff --git a/sys/modules/linux64/Makefile b/sys/modules/linux64/Makefile
--- a/sys/modules/linux64/Makefile
+++ b/sys/modules/linux64/Makefile
@@ -101,7 +101,7 @@
 ${.ALLSRC:M*.S:u} -o ${.TARGET}
 linux_genassym.o: offset.inc
- ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*} \
+ ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*} \
 -fcommon ${.IMPSRC}
 .if !defined(KERNBUILDDIR)
diff --git a/sys/modules/vmm/Makefile b/sys/modules/vmm/Makefile
--- a/sys/modules/vmm/Makefile
+++ b/sys/modules/vmm/Makefile
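Review bot: The shadow offset `0xdfff208000000000` is now spelled out twice in the kern.pre.mk aarch64 branch, once for `-mllvm -asan-mapping-offset=` and once for `-fasan-shadow-offset=`, while the TODO comment above still describes only `-asan-mapping-offset`. The two literals have to stay identical and, per that comment, tied to KASAN_MIN_ADDRESS; if one is edited without the other, the compiler's instrumentation and the kernel's shadow map presumably disagree for one toolchain only. Define it once, e.g. `KASAN_SHADOW_OFFSET= 0xdfff208000000000`, use `${KASAN_SHADOW_OFFSET}` in both assignments, and extend the comment to say that `-fasan-shadow-offset` is the GCC spelling of the same value. The `.else` branch also assumes every non-clang compiler accepts the GCC flag, and the comment block starts before this hunk.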
@@ -41,11 +41,11 @@
 vmm_hyp_exception.o: vmm_hyp_exception.S
 ${CC} -c -x assembler-with-cpp -DLOCORE \
- ${CFLAGS:N-fsanitize*:N-fno-sanitize*:N-mbranch-protection*} \
+ ${CFLAGS:N-fsanitize*:N-fno-sanitize*:N-mbranch-protection*:N-fasan-shadow-offset*} \
 ${.IMPSRC} -o ${.TARGET} -fpie
 vmm_hyp.o: vmm_hyp.c
- ${CC} -c ${CFLAGS:N-fsanitize*:N-fno-sanitize*:N-mbranch-protection*} \
+ ${CC} -c ${CFLAGS:N-fsanitize*:N-fno-sanitize*:N-mbranch-protection*:N-fasan-shadow-offset*} \
 ${.IMPSRC} -o ${.TARGET} -fpie
 vmm_hyp_blob.elf.full: vmm_hyp_exception.o vmm_hyp.o
@@ -135,11 +135,11 @@
 ${CC} -c ${CFLAGS:N-flto:N-fno-common} -fcommon ${.IMPSRC}
 vmx_genassym.o: offset.inc
- ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*} \
+ ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*} \
 -fcommon ${.IMPSRC}
 svm_genassym.o: offset.inc
- ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*} \
+ ${CC} -c ${CFLAGS:N-flto*:N-fno-common:N-fsanitize*:N-fno-sanitize*:N-fasan-shadow-offset*} \
 -fcommon ${.IMPSRC}
 .include