1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only 2 config ARCH_HAS_UBSAN !! 2 config ARCH_HAS_UBSAN_SANITIZE_ALL 3 bool 3 bool 4 4 5 menuconfig UBSAN 5 menuconfig UBSAN 6 bool "Undefined behaviour sanity check 6 bool "Undefined behaviour sanity checker" 7 depends on ARCH_HAS_UBSAN << 8 help 7 help 9 This option enables the Undefined Be 8 This option enables the Undefined Behaviour sanity checker. 10 Compile-time instrumentation is used 9 Compile-time instrumentation is used to detect various undefined 11 behaviours at runtime. For more deta 10 behaviours at runtime. For more details, see: 12 Documentation/dev-tools/ubsan.rst 11 Documentation/dev-tools/ubsan.rst 13 12 14 if UBSAN 13 if UBSAN 15 14 16 config UBSAN_TRAP 15 config UBSAN_TRAP 17 bool "Abort on Sanitizer warnings (sma !! 16 bool "On Sanitizer warnings, abort the running kernel code" 18 depends on !COMPILE_TEST 17 depends on !COMPILE_TEST >> 18 depends on $(cc-option, -fsanitize-undefined-trap-on-error) 19 help 19 help 20 Building kernels with Sanitizer feat 20 Building kernels with Sanitizer features enabled tends to grow 21 the kernel size by around 5%, due to 21 the kernel size by around 5%, due to adding all the debugging 22 text on failure paths. To avoid this 22 text on failure paths. To avoid this, Sanitizer instrumentation 23 can just issue a trap. This reduces 23 can just issue a trap. This reduces the kernel size overhead but 24 turns all warnings (including potent 24 turns all warnings (including potentially harmless conditions) 25 into full exceptions that abort the 25 into full exceptions that abort the running kernel code 26 (regardless of context, locks held, 26 (regardless of context, locks held, etc), which may destabilize 27 the system. For some system builders 27 the system. For some system builders this is an acceptable 28 trade-off. 28 trade-off. 29 29 30 Also note that selecting Y will caus !! 
30 config CC_HAS_UBSAN_BOUNDS 31 with an "illegal instruction" error !! 31 def_bool $(cc-option,-fsanitize=bounds) 32 when a UBSAN violation occurs. (Exce << 33 will report which Sanitizer failed.) << 34 determine whether an Oops was caused << 35 out the details of a UBSAN violation << 36 output less useful for bug reports. << 37 << 38 config CC_HAS_UBSAN_BOUNDS_STRICT << 39 def_bool $(cc-option,-fsanitize=bounds << 40 help << 41 The -fsanitize=bounds-strict option << 42 but uses the more strict handling of << 43 of flexible arrays, which is compara << 44 -fsanitize=bounds. << 45 32 46 config CC_HAS_UBSAN_ARRAY_BOUNDS 33 config CC_HAS_UBSAN_ARRAY_BOUNDS 47 def_bool $(cc-option,-fsanitize=array- 34 def_bool $(cc-option,-fsanitize=array-bounds) 48 help << 49 Under Clang, the -fsanitize=bounds o << 50 of two more specific options, -fsani << 51 -fsanitize=local-bounds. However, -f << 52 only be used when trap mode is enabl << 53 CONFIG_LOCAL_BOUNDS.) Explicitly che << 54 so that we can build up the options << 55 with or without UBSAN_TRAP. << 56 35 57 config UBSAN_BOUNDS 36 config UBSAN_BOUNDS 58 bool "Perform array index bounds check 37 bool "Perform array index bounds checking" 59 default UBSAN 38 default UBSAN 60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS | !! 39 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS 61 help 40 help 62 This option enables detection of dir 41 This option enables detection of directly indexed out of bounds 63 array accesses, where the array size 42 array accesses, where the array size is known at compile time. 64 Note that this does not protect arra 43 Note that this does not protect array overflows via bad calls 65 to the {str,mem}*cpy() family of fun 44 to the {str,mem}*cpy() family of functions (that is addressed 66 by CONFIG_FORTIFY_SOURCE). 45 by CONFIG_FORTIFY_SOURCE). 67 46 68 config UBSAN_BOUNDS_STRICT !! 47 config UBSAN_ONLY_BOUNDS 69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ !! 
48 def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS 70 help !! 49 depends on UBSAN_BOUNDS 71 GCC's bounds sanitizer. This option !! 50 help 72 correct options in Makefile.ubsan. !! 51 This is a weird case: Clang's -fsanitize=bounds includes >> 52 -fsanitize=local-bounds, but it's trapping-only, so for >> 53 Clang, we must use -fsanitize=array-bounds when we want >> 54 traditional array bounds checking enabled. For GCC, we >> 55 want -fsanitize=bounds. 73 56 74 config UBSAN_ARRAY_BOUNDS 57 config UBSAN_ARRAY_BOUNDS 75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ !! 58 def_bool CC_HAS_UBSAN_ARRAY_BOUNDS 76 help !! 59 depends on UBSAN_BOUNDS 77 Clang's array bounds sanitizer. This << 78 the correct options in Makefile.ubsa << 79 60 80 config UBSAN_LOCAL_BOUNDS 61 config UBSAN_LOCAL_BOUNDS 81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_T !! 62 bool "Perform array local bounds checking" 82 help !! 63 depends on UBSAN_TRAP 83 This option enables Clang's -fsaniti !! 64 depends on $(cc-option,-fsanitize=local-bounds) 84 when an access through a pointer tha !! 65 help 85 of a statically-known size, where an !! 66 This option enables -fsanitize=local-bounds which traps when an 86 be known statically) is out-of-bound !! 67 exception/error is detected. Therefore, it may only be enabled 87 trap-only, it depends on CONFIG_UBSA !! 68 with CONFIG_UBSAN_TRAP. >> 69 >> 70 Enabling this option detects errors due to accesses through a >> 71 pointer that is derived from an object of a statically-known size, >> 72 where an added offset (which may not be known statically) is >> 73 out-of-bounds. 
88 74 89 config UBSAN_SHIFT 75 config UBSAN_SHIFT 90 bool "Perform checking for bit-shift o 76 bool "Perform checking for bit-shift overflows" >> 77 default UBSAN 91 depends on $(cc-option,-fsanitize=shif 78 depends on $(cc-option,-fsanitize=shift) 92 help 79 help 93 This option enables -fsanitize=shift 80 This option enables -fsanitize=shift which checks for bit-shift 94 operations that overflow to the left 81 operations that overflow to the left or go switch to negative 95 for signed types. 82 for signed types. 96 83 97 config UBSAN_DIV_ZERO 84 config UBSAN_DIV_ZERO 98 bool "Perform checking for integer div 85 bool "Perform checking for integer divide-by-zero" 99 depends on $(cc-option,-fsanitize=inte 86 depends on $(cc-option,-fsanitize=integer-divide-by-zero) 100 # https://github.com/ClangBuiltLinux/l << 101 # https://github.com/llvm/llvm-project << 102 depends on !CC_IS_CLANG << 103 help 87 help 104 This option enables -fsanitize=integ 88 This option enables -fsanitize=integer-divide-by-zero which checks 105 for integer division by zero. This i 89 for integer division by zero. This is effectively redundant with the 106 kernel's existing exception handling 90 kernel's existing exception handling, though it can provide greater 107 debugging information under CONFIG_U 91 debugging information under CONFIG_UBSAN_REPORT_FULL. 108 92 109 config UBSAN_UNREACHABLE 93 config UBSAN_UNREACHABLE 110 bool "Perform checking for unreachable 94 bool "Perform checking for unreachable code" 111 # objtool already handles unreachable 95 # objtool already handles unreachable checking and gets angry about 112 # seeing UBSan instrumentation located 96 # seeing UBSan instrumentation located in unreachable places. 113 depends on !(OBJTOOL && (STACK_VALIDAT !! 
97 depends on !STACK_VALIDATION 114 depends on $(cc-option,-fsanitize=unre 98 depends on $(cc-option,-fsanitize=unreachable) 115 help 99 help 116 This option enables -fsanitize=unrea 100 This option enables -fsanitize=unreachable which checks for control 117 flow reaching an expected-to-be-unre 101 flow reaching an expected-to-be-unreachable position. 118 102 119 config UBSAN_SIGNED_WRAP << 120 bool "Perform checking for signed arit << 121 default UBSAN << 122 depends on !COMPILE_TEST << 123 # The no_sanitize attribute was introd << 124 depends on !CC_IS_GCC || GCC_VERSION > << 125 depends on $(cc-option,-fsanitize=sign << 126 help << 127 This option enables -fsanitize=signe << 128 for wrap-around of any arithmetic op << 129 This currently performs nearly no in << 130 kernel's use of -fno-strict-overflow << 131 arithmetic undefined behavior into w << 132 sanitizer versions will allow for wr << 133 exclusively undefined behavior). << 134 << 135 config UBSAN_BOOL 103 config UBSAN_BOOL 136 bool "Perform checking for non-boolean 104 bool "Perform checking for non-boolean values used as boolean" 137 default UBSAN 105 default UBSAN 138 depends on $(cc-option,-fsanitize=bool 106 depends on $(cc-option,-fsanitize=bool) 139 help 107 help 140 This option enables -fsanitize=bool 108 This option enables -fsanitize=bool which checks for boolean values being 141 loaded that are neither 0 nor 1. 109 loaded that are neither 0 nor 1. 142 110 143 config UBSAN_ENUM 111 config UBSAN_ENUM 144 bool "Perform checking for out of boun 112 bool "Perform checking for out of bounds enum values" 145 default UBSAN 113 default UBSAN 146 depends on $(cc-option,-fsanitize=enum 114 depends on $(cc-option,-fsanitize=enum) 147 help 115 help 148 This option enables -fsanitize=enum 116 This option enables -fsanitize=enum which checks for values being loaded 149 into an enum that are outside the ra 117 into an enum that are outside the range of given values for the given enum. 
150 118 151 config UBSAN_ALIGNMENT 119 config UBSAN_ALIGNMENT 152 bool "Perform checking for misaligned 120 bool "Perform checking for misaligned pointer usage" 153 default !HAVE_EFFICIENT_UNALIGNED_ACCE 121 default !HAVE_EFFICIENT_UNALIGNED_ACCESS 154 depends on !UBSAN_TRAP && !COMPILE_TES 122 depends on !UBSAN_TRAP && !COMPILE_TEST 155 depends on $(cc-option,-fsanitize=alig 123 depends on $(cc-option,-fsanitize=alignment) 156 help 124 help 157 This option enables the check of una 125 This option enables the check of unaligned memory accesses. 158 Enabling this option on architecture 126 Enabling this option on architectures that support unaligned 159 accesses may produce a lot of false 127 accesses may produce a lot of false positives. >> 128 >> 129 config UBSAN_SANITIZE_ALL >> 130 bool "Enable instrumentation for the entire kernel" >> 131 depends on ARCH_HAS_UBSAN_SANITIZE_ALL >> 132 default y >> 133 help >> 134 This option activates instrumentation for the entire kernel. >> 135 If you don't enable this option, you have to explicitly specify >> 136 UBSAN_SANITIZE := y for the files/directories you want to check for UB. >> 137 Enabling this option will get kernel image size increased >> 138 significantly. 160 139 161 config TEST_UBSAN 140 config TEST_UBSAN 162 tristate "Module for testing for undef 141 tristate "Module for testing for undefined behavior detection" 163 depends on m 142 depends on m 164 help 143 help 165 This is a test module for UBSAN. 144 This is a test module for UBSAN. 166 It triggers various undefined behavi 145 It triggers various undefined behavior, and detect it. 167 146 168 endif # if UBSAN 147 endif # if UBSAN
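Review bot: The side of this diff that has no UBSAN_SANITIZE_ALL entry (left, where "menuconfig UBSAN" gains "depends on ARCH_HAS_UBSAN") leaves the scope of instrumentation undocumented. The only visible text explaining the per-file "UBSAN_SANITIZE := y" opt-in is the help of UBSAN_SANITIZE_ALL on the right, and the UBSAN help is otherwise the same on both sides. Add a sentence to the "menuconfig UBSAN" help stating whether enabling UBSAN instruments the whole kernel and what is excluded, so the image-size warning ("will get kernel image size increased significantly") is not lost with the option.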
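Review bot: In the UBSAN_LOCAL_BOUNDS entry, the left side is a prompt-less def_bool (its visible condition begins "def_bool UBSAN_ARRAY_BOUNDS && UBSAN_T"), while the right side is a user-selectable "bool "Perform array local bounds checking"" with its own "depends on $(cc-option,-fsanitize=local-bounds)". Without a prompt, the option cannot be switched off independently, so whoever selects UBSAN_TRAP also gets the local-bounds traps. The UBSAN_TRAP help should say so, because it already warns that traps "abort the running kernel code (regardless of context, locks held, etc)". Please also confirm that the compiler check for -fsanitize=local-bounds is still covered by the condition, since no separate cc-option line is visible on that side.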
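Review bot: In the UBSAN_DIV_ZERO entry, "depends on !CC_IS_CLANG" on the left side is justified only by the two bare URLs in the comment lines above it. Add a one-line summary of the Clang problem next to the links, so that a reader of Kconfig.ubsan can tell why the option is unavailable with Clang and under what condition the restriction can be dropped, without having to follow the links.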
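Review bot: UBSAN_SIGNED_WRAP, present only on the left side, carries "default UBSAN" although its own help text says the option "currently performs nearly no in…" (cut off here) and refers to the kernel's use of -fno-strict-overflow. An option that is on by default suggests coverage that the help text says is not there yet. Either drop the default until the sanitizer does useful work in this configuration, or move that limitation to the first sentence of the help so it is read before the option is relied on.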