CI(linux): ASan/UBSan + hardening; staged install (DESTDIR); bounded BOS fuzzer smoke inside linux job

TheodorNEngoy · sonatique · commit 912869b48163 · 2025-10-01T00:18:17.000+02:00
Closes libusb#1707
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -1,26 +1,17 @@
 name: linux
 
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the master branch
 on: [push, pull_request]
 
-# A workflow run is made up of one or more jobs that can run
-# sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
   build:
     runs-on: ubuntu-latest
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job
-      # can access it
       - uses: actions/checkout@v3
 
       - name: setup prerequisites
         run: |
           sudo apt update
-          sudo apt install autoconf automake libtool libudev-dev m4
+          sudo apt install -y autoconf automake libtool libudev-dev m4 pkg-config clang llvm
 
       - name: bootstrap
         run: ./bootstrap.sh
@@ -48,3 +39,44 @@ jobs:
 
       - name: umockdev test
         run: .private/ci-container-build.sh docker.io/amd64/ubuntu:rolling
+
+      # --- Sanitizers + BOS fuzzer smoke, inside linux job (PRs only) ---
+      - name: Sanitized rebuild (ASan/UBSan + hardening flags)
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          CC: clang
+          CXX: clang++
+          CFLAGS: "-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer -fstack-protector-all -ftrivial-auto-var-init=pattern -Wwrite-strings"
+          CXXFLAGS: "-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer -fstack-protector-all -ftrivial-auto-var-init=pattern -Wwrite-strings"
+          LDFLAGS: "-fsanitize=address,undefined"
+        run: |
+          rm -rf build-asan
+          mkdir -p build-asan
+          cd build-asan
+          CC=$CC CXX=$CXX CFLAGS="$CFLAGS" CXXFLAGS="$CXXFLAGS" LDFLAGS="$LDFLAGS" ../configure
+          make -j
+
+      - name: Stage install (pkg-config + runtime)
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          make -C build-asan install DESTDIR="$PWD/build-asan/stage"
+          echo "PKG_CONFIG_PATH=$PWD/build-asan/stage/usr/local/lib/pkgconfig" >> $GITHUB_ENV
+          echo "LD_LIBRARY_PATH=$PWD/build-asan/stage/usr/local/lib" >> $GITHUB_ENV
+
+      - name: Build & smoke BOS descriptor fuzzer (C, sanitized, bounded)
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          ASAN_OPTIONS: "detect_leaks=0:allocator_may_return_null=1"
+          UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1"
+        run: |
+          # Compile against the STAGED headers/libs (DESTDIR), not /usr/local
+          clang -std=c99 tests/fuzz/fuzz_bos_descriptor.c \
+            -I"$PWD/build-asan/stage/usr/local/include/libusb-1.0" \
+            -fsanitize=fuzzer,address,undefined -fno-omit-frame-pointer \
+            -fstack-protector-all -ftrivial-auto-var-init=pattern -Wwrite-strings \
+            -L"$PWD/build-asan/stage/usr/local/lib" -lusb-1.0 \
+            -o fuzz_bos_descriptor
+
+          ./fuzz_bos_descriptor tests/fuzz/corpus/bos \
+            -seed=1 -runs=200 -max_total_time=15 -timeout=5 -rss_limit_mb=1536 -print_final_stats=1
+      # --- end sanitizers + fuzzer smoke ---
diff --git a/libusb/version_nano.h b/libusb/version_nano.h
@@ -1 +1 @@
-#define LIBUSB_NANO 11989
+#define LIBUSB_NANO 11990

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-#define LIBUSB_NANO 11989`
	`1`	`+#define LIBUSB_NANO 11990`