1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only 2 config ARCH_HAS_UBSAN !! 2 config ARCH_HAS_UBSAN_SANITIZE_ALL 3 bool 3 bool 4 4 5 menuconfig UBSAN 5 menuconfig UBSAN 6 bool "Undefined behaviour sanity check 6 bool "Undefined behaviour sanity checker" 7 depends on ARCH_HAS_UBSAN << 8 help 7 help 9 This option enables the Undefined Be 8 This option enables the Undefined Behaviour sanity checker. 10 Compile-time instrumentation is used 9 Compile-time instrumentation is used to detect various undefined 11 behaviours at runtime. For more deta 10 behaviours at runtime. For more details, see: 12 Documentation/dev-tools/ubsan.rst 11 Documentation/dev-tools/ubsan.rst 13 12 14 if UBSAN 13 if UBSAN 15 14 16 config UBSAN_TRAP 15 config UBSAN_TRAP 17 bool "Abort on Sanitizer warnings (sma !! 16 bool "On Sanitizer warnings, abort the running kernel code" 18 depends on !COMPILE_TEST !! 17 depends on $(cc-option, -fsanitize-undefined-trap-on-error) 19 help 18 help 20 Building kernels with Sanitizer feat 19 Building kernels with Sanitizer features enabled tends to grow 21 the kernel size by around 5%, due to 20 the kernel size by around 5%, due to adding all the debugging 22 text on failure paths. To avoid this 21 text on failure paths. To avoid this, Sanitizer instrumentation 23 can just issue a trap. This reduces 22 can just issue a trap. This reduces the kernel size overhead but 24 turns all warnings (including potent 23 turns all warnings (including potentially harmless conditions) 25 into full exceptions that abort the 24 into full exceptions that abort the running kernel code 26 (regardless of context, locks held, 25 (regardless of context, locks held, etc), which may destabilize 27 the system. For some system builders 26 the system. For some system builders this is an acceptable 28 trade-off. 27 trade-off. 29 28 30 Also note that selecting Y will caus !! 29 config UBSAN_KCOV_BROKEN 31 with an "illegal instruction" error !! 
30 def_bool KCOV && CC_HAS_SANCOV_TRACE_PC 32 when a UBSAN violation occurs. (Exce !! 31 depends on CC_IS_CLANG 33 will report which Sanitizer failed.) !! 32 depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc) 34 determine whether an Oops was caused !! 33 help 35 out the details of a UBSAN violation !! 34 Some versions of clang support either UBSAN or KCOV but not the 36 output less useful for bug reports. !! 35 combination of the two. 37 !! 36 See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status 38 config CC_HAS_UBSAN_BOUNDS_STRICT !! 37 in newer releases. 39 def_bool $(cc-option,-fsanitize=bounds << 40 help << 41 The -fsanitize=bounds-strict option << 42 but uses the more strict handling of << 43 of flexible arrays, which is compara << 44 -fsanitize=bounds. << 45 << 46 config CC_HAS_UBSAN_ARRAY_BOUNDS << 47 def_bool $(cc-option,-fsanitize=array- << 48 help << 49 Under Clang, the -fsanitize=bounds o << 50 of two more specific options, -fsani << 51 -fsanitize=local-bounds. However, -f << 52 only be used when trap mode is enabl << 53 CONFIG_LOCAL_BOUNDS.) Explicitly che << 54 so that we can build up the options << 55 with or without UBSAN_TRAP. << 56 38 57 config UBSAN_BOUNDS 39 config UBSAN_BOUNDS 58 bool "Perform array index bounds check 40 bool "Perform array index bounds checking" 59 default UBSAN 41 default UBSAN 60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS | !! 42 depends on !UBSAN_KCOV_BROKEN 61 help 43 help 62 This option enables detection of dir 44 This option enables detection of directly indexed out of bounds 63 array accesses, where the array size 45 array accesses, where the array size is known at compile time. 64 Note that this does not protect arra 46 Note that this does not protect array overflows via bad calls 65 to the {str,mem}*cpy() family of fun 47 to the {str,mem}*cpy() family of functions (that is addressed 66 by CONFIG_FORTIFY_SOURCE). 48 by CONFIG_FORTIFY_SOURCE). 
67 49 68 config UBSAN_BOUNDS_STRICT !! 50 config UBSAN_MISC 69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ !! 51 bool "Enable all other Undefined Behavior sanity checks" 70 help << 71 GCC's bounds sanitizer. This option << 72 correct options in Makefile.ubsan. << 73 << 74 config UBSAN_ARRAY_BOUNDS << 75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ << 76 help << 77 Clang's array bounds sanitizer. This << 78 the correct options in Makefile.ubsa << 79 << 80 config UBSAN_LOCAL_BOUNDS << 81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_T << 82 help << 83 This option enables Clang's -fsaniti << 84 when an access through a pointer tha << 85 of a statically-known size, where an << 86 be known statically) is out-of-bound << 87 trap-only, it depends on CONFIG_UBSA << 88 << 89 config UBSAN_SHIFT << 90 bool "Perform checking for bit-shift o << 91 depends on $(cc-option,-fsanitize=shif << 92 help << 93 This option enables -fsanitize=shift << 94 operations that overflow to the left << 95 for signed types. << 96 << 97 config UBSAN_DIV_ZERO << 98 bool "Perform checking for integer div << 99 depends on $(cc-option,-fsanitize=inte << 100 # https://github.com/ClangBuiltLinux/l << 101 # https://github.com/llvm/llvm-project << 102 depends on !CC_IS_CLANG << 103 help << 104 This option enables -fsanitize=integ << 105 for integer division by zero. 
This i << 106 kernel's existing exception handling << 107 debugging information under CONFIG_U << 108 << 109 config UBSAN_UNREACHABLE << 110 bool "Perform checking for unreachable << 111 # objtool already handles unreachable << 112 # seeing UBSan instrumentation located << 113 depends on !(OBJTOOL && (STACK_VALIDAT << 114 depends on $(cc-option,-fsanitize=unre << 115 help << 116 This option enables -fsanitize=unrea << 117 flow reaching an expected-to-be-unre << 118 << 119 config UBSAN_SIGNED_WRAP << 120 bool "Perform checking for signed arit << 121 default UBSAN 52 default UBSAN 122 depends on !COMPILE_TEST << 123 # The no_sanitize attribute was introd << 124 depends on !CC_IS_GCC || GCC_VERSION > << 125 depends on $(cc-option,-fsanitize=sign << 126 help << 127 This option enables -fsanitize=signe << 128 for wrap-around of any arithmetic op << 129 This currently performs nearly no in << 130 kernel's use of -fno-strict-overflow << 131 arithmetic undefined behavior into w << 132 sanitizer versions will allow for wr << 133 exclusively undefined behavior). << 134 << 135 config UBSAN_BOOL << 136 bool "Perform checking for non-boolean << 137 default UBSAN << 138 depends on $(cc-option,-fsanitize=bool << 139 help 53 help 140 This option enables -fsanitize=bool !! 54 This option enables all sanity checks that don't have their 141 loaded that are neither 0 nor 1. !! 55 own Kconfig options. Disable this if you only want to have 142 !! 56 individually selected checks. 143 config UBSAN_ENUM !! 57 144 bool "Perform checking for out of boun !! 58 config UBSAN_SANITIZE_ALL 145 default UBSAN !! 59 bool "Enable instrumentation for the entire kernel" 146 depends on $(cc-option,-fsanitize=enum !! 60 depends on ARCH_HAS_UBSAN_SANITIZE_ALL >> 61 >> 62 # We build with -Wno-maybe-uninitilzed, but we still want to >> 63 # use -Wmaybe-uninitilized in allmodconfig builds. 
>> 64 # So dependsy bellow used to disable this option in allmodconfig >> 65 depends on !COMPILE_TEST >> 66 default y 147 help 67 help 148 This option enables -fsanitize=enum !! 68 This option activates instrumentation for the entire kernel. 149 into an enum that are outside the ra !! 69 If you don't enable this option, you have to explicitly specify >> 70 UBSAN_SANITIZE := y for the files/directories you want to check for UB. >> 71 Enabling this option will get kernel image size increased >> 72 significantly. 150 73 151 config UBSAN_ALIGNMENT 74 config UBSAN_ALIGNMENT 152 bool "Perform checking for misaligned !! 75 bool "Enable checks for pointers alignment" 153 default !HAVE_EFFICIENT_UNALIGNED_ACCE 76 default !HAVE_EFFICIENT_UNALIGNED_ACCESS 154 depends on !UBSAN_TRAP && !COMPILE_TES !! 77 depends on !UBSAN_TRAP 155 depends on $(cc-option,-fsanitize=alig << 156 help 78 help 157 This option enables the check of una 79 This option enables the check of unaligned memory accesses. 158 Enabling this option on architecture 80 Enabling this option on architectures that support unaligned 159 accesses may produce a lot of false 81 accesses may produce a lot of false positives. 160 82 161 config TEST_UBSAN 83 config TEST_UBSAN 162 tristate "Module for testing for undef 84 tristate "Module for testing for undefined behavior detection" 163 depends on m 85 depends on m 164 help 86 help 165 This is a test module for UBSAN. 87 This is a test module for UBSAN. 166 It triggers various undefined behavi 88 It triggers various undefined behavior, and detect it. 167 89 168 endif # if UBSAN 90 endif # if UBSAN
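Review bot: UBSAN_MISC in the right-hand column has no `depends on !UBSAN_KCOV_BROKEN`, even though the UBSAN_KCOV_BROKEN help says some clang versions support either UBSAN or KCOV but not the combination; only UBSAN_BOUNDS is gated on it. The probe itself tests just `-fsanitize=bounds` together with `-fsanitize-coverage=trace-pc`, so either the help text should state that the breakage is specific to the bounds sanitizer, or UBSAN_MISC should take the same dependency.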
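Review bot: the comment above `depends on !COMPILE_TEST` in UBSAN_SANITIZE_ALL (right-hand lines 62 to 64) misspells the warning flag twice (`-Wno-maybe-uninitilzed`, `-Wmaybe-uninitilized`) and reads `So dependsy bellow used to disable`, so a grep for `-Wmaybe-uninitialized` will not find the rationale for this dependency. Suggest spelling both flags correctly and rewording the last line to `So the dependency below is used to disable this option in allmodconfig`.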
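Review bot: the UBSAN_ALIGNMENT help never explains its `depends on !UBSAN_TRAP`, which is present in both columns. The help warns that the check "may produce a lot of false positives" on architectures that support unaligned accesses, and the UBSAN_TRAP help says trap mode turns all warnings "(including potentially harmless conditions) into full exceptions that abort the running kernel code"; one sentence in the UBSAN_ALIGNMENT help tying those two statements together would tell a builder why the options are mutually exclusive.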
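Review bot: the TEST_UBSAN help line `It triggers various undefined behavior, and detect it.` is ungrammatical and attributes detection to the test module, while the menu's own help describes detection as coming from compile-time instrumentation. Suggest wording along the lines of "It triggers various undefined behaviours so that UBSAN's detection of them can be checked."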