1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only
2 config ARCH_HAS_UBSAN !! 2 config ARCH_HAS_UBSAN_SANITIZE_ALL
3 bool 3 bool
4 4
5 menuconfig UBSAN 5 menuconfig UBSAN
6 bool "Undefined behaviour sanity check 6 bool "Undefined behaviour sanity checker"
7 depends on ARCH_HAS_UBSAN <<
8 help 7 help
9 This option enables the Undefined Be 8 This option enables the Undefined Behaviour sanity checker.
10 Compile-time instrumentation is used 9 Compile-time instrumentation is used to detect various undefined
11 behaviours at runtime. For more deta 10 behaviours at runtime. For more details, see:
12 Documentation/dev-tools/ubsan.rst 11 Documentation/dev-tools/ubsan.rst
13 12
14 if UBSAN 13 if UBSAN
15 14
16 config UBSAN_TRAP 15 config UBSAN_TRAP
17 bool "Abort on Sanitizer warnings (sma 16 bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
18 depends on !COMPILE_TEST 17 depends on !COMPILE_TEST
19 help 18 help
20 Building kernels with Sanitizer feat 19 Building kernels with Sanitizer features enabled tends to grow
21 the kernel size by around 5%, due to 20 the kernel size by around 5%, due to adding all the debugging
22 text on failure paths. To avoid this 21 text on failure paths. To avoid this, Sanitizer instrumentation
23 can just issue a trap. This reduces 22 can just issue a trap. This reduces the kernel size overhead but
24 turns all warnings (including potent 23 turns all warnings (including potentially harmless conditions)
25 into full exceptions that abort the 24 into full exceptions that abort the running kernel code
26 (regardless of context, locks held, 25 (regardless of context, locks held, etc), which may destabilize
27 the system. For some system builders 26 the system. For some system builders this is an acceptable
28 trade-off. 27 trade-off.
29 28
30 Also note that selecting Y will caus 29 Also note that selecting Y will cause your kernel to Oops
31 with an "illegal instruction" error 30 with an "illegal instruction" error with no further details
32 when a UBSAN violation occurs. (Exce !! 31 when a UBSAN violation occurs. (Except on arm64, which will
33 will report which Sanitizer failed.) !! 32 report which Sanitizer failed.) This may make it hard to
34 determine whether an Oops was caused 33 determine whether an Oops was caused by UBSAN or to figure
35 out the details of a UBSAN violation 34 out the details of a UBSAN violation. It makes the kernel log
36 output less useful for bug reports. 35 output less useful for bug reports.
37 36
38 config CC_HAS_UBSAN_BOUNDS_STRICT 37 config CC_HAS_UBSAN_BOUNDS_STRICT
39 def_bool $(cc-option,-fsanitize=bounds 38 def_bool $(cc-option,-fsanitize=bounds-strict)
40 help 39 help
41 The -fsanitize=bounds-strict option 40 The -fsanitize=bounds-strict option is only available on GCC,
42 but uses the more strict handling of 41 but uses the more strict handling of arrays that includes knowledge
43 of flexible arrays, which is compara 42 of flexible arrays, which is comparable to Clang's regular
44 -fsanitize=bounds. 43 -fsanitize=bounds.
45 44
46 config CC_HAS_UBSAN_ARRAY_BOUNDS 45 config CC_HAS_UBSAN_ARRAY_BOUNDS
47 def_bool $(cc-option,-fsanitize=array- 46 def_bool $(cc-option,-fsanitize=array-bounds)
48 help 47 help
49 Under Clang, the -fsanitize=bounds o 48 Under Clang, the -fsanitize=bounds option is actually composed
50 of two more specific options, -fsani 49 of two more specific options, -fsanitize=array-bounds and
51 -fsanitize=local-bounds. However, -f 50 -fsanitize=local-bounds. However, -fsanitize=local-bounds can
52 only be used when trap mode is enabl 51 only be used when trap mode is enabled. (See also the help for
53 CONFIG_LOCAL_BOUNDS.) Explicitly che 52 CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
54 so that we can build up the options 53 so that we can build up the options needed for UBSAN_BOUNDS
55 with or without UBSAN_TRAP. 54 with or without UBSAN_TRAP.
56 55
57 config UBSAN_BOUNDS 56 config UBSAN_BOUNDS
58 bool "Perform array index bounds check 57 bool "Perform array index bounds checking"
59 default UBSAN 58 default UBSAN
60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS | 59 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
61 help 60 help
62 This option enables detection of dir 61 This option enables detection of directly indexed out of bounds
63 array accesses, where the array size 62 array accesses, where the array size is known at compile time.
64 Note that this does not protect arra 63 Note that this does not protect array overflows via bad calls
65 to the {str,mem}*cpy() family of fun 64 to the {str,mem}*cpy() family of functions (that is addressed
66 by CONFIG_FORTIFY_SOURCE). 65 by CONFIG_FORTIFY_SOURCE).
67 66
68 config UBSAN_BOUNDS_STRICT 67 config UBSAN_BOUNDS_STRICT
69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ 68 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
70 help 69 help
71 GCC's bounds sanitizer. This option 70 GCC's bounds sanitizer. This option is used to select the
72 correct options in Makefile.ubsan. 71 correct options in Makefile.ubsan.
73 72
74 config UBSAN_ARRAY_BOUNDS 73 config UBSAN_ARRAY_BOUNDS
75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ 74 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
76 help 75 help
77 Clang's array bounds sanitizer. This 76 Clang's array bounds sanitizer. This option is used to select
78 the correct options in Makefile.ubsa 77 the correct options in Makefile.ubsan.
79 78
80 config UBSAN_LOCAL_BOUNDS 79 config UBSAN_LOCAL_BOUNDS
81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_T 80 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
82 help 81 help
83 This option enables Clang's -fsaniti 82 This option enables Clang's -fsanitize=local-bounds which traps
84 when an access through a pointer tha 83 when an access through a pointer that is derived from an object
85 of a statically-known size, where an 84 of a statically-known size, where an added offset (which may not
86 be known statically) is out-of-bound 85 be known statically) is out-of-bounds. Since this option is
87 trap-only, it depends on CONFIG_UBSA 86 trap-only, it depends on CONFIG_UBSAN_TRAP.
88 87
89 config UBSAN_SHIFT 88 config UBSAN_SHIFT
90 bool "Perform checking for bit-shift o 89 bool "Perform checking for bit-shift overflows"
>> 90 default UBSAN
91 depends on $(cc-option,-fsanitize=shif 91 depends on $(cc-option,-fsanitize=shift)
92 help 92 help
93 This option enables -fsanitize=shift 93 This option enables -fsanitize=shift which checks for bit-shift
94 operations that overflow to the left 94 operations that overflow to the left or go switch to negative
95 for signed types. 95 for signed types.
96 96
97 config UBSAN_DIV_ZERO 97 config UBSAN_DIV_ZERO
98 bool "Perform checking for integer div 98 bool "Perform checking for integer divide-by-zero"
99 depends on $(cc-option,-fsanitize=inte 99 depends on $(cc-option,-fsanitize=integer-divide-by-zero)
100 # https://github.com/ClangBuiltLinux/l 100 # https://github.com/ClangBuiltLinux/linux/issues/1657
101 # https://github.com/llvm/llvm-project 101 # https://github.com/llvm/llvm-project/issues/56289
102 depends on !CC_IS_CLANG 102 depends on !CC_IS_CLANG
103 help 103 help
104 This option enables -fsanitize=integ 104 This option enables -fsanitize=integer-divide-by-zero which checks
105 for integer division by zero. This i 105 for integer division by zero. This is effectively redundant with the
106 kernel's existing exception handling 106 kernel's existing exception handling, though it can provide greater
107 debugging information under CONFIG_U 107 debugging information under CONFIG_UBSAN_REPORT_FULL.
108 108
109 config UBSAN_UNREACHABLE 109 config UBSAN_UNREACHABLE
110 bool "Perform checking for unreachable 110 bool "Perform checking for unreachable code"
111 # objtool already handles unreachable 111 # objtool already handles unreachable checking and gets angry about
112 # seeing UBSan instrumentation located 112 # seeing UBSan instrumentation located in unreachable places.
113 depends on !(OBJTOOL && (STACK_VALIDAT 113 depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
114 depends on $(cc-option,-fsanitize=unre 114 depends on $(cc-option,-fsanitize=unreachable)
115 help 115 help
116 This option enables -fsanitize=unrea 116 This option enables -fsanitize=unreachable which checks for control
117 flow reaching an expected-to-be-unre 117 flow reaching an expected-to-be-unreachable position.
118 118
119 config UBSAN_SIGNED_WRAP <<
120 bool "Perform checking for signed arit <<
121 default UBSAN <<
122 depends on !COMPILE_TEST <<
123 # The no_sanitize attribute was introd <<
124 depends on !CC_IS_GCC || GCC_VERSION > <<
125 depends on $(cc-option,-fsanitize=sign <<
126 help <<
127 This option enables -fsanitize=signe <<
128 for wrap-around of any arithmetic op <<
129 This currently performs nearly no in <<
130 kernel's use of -fno-strict-overflow <<
131 arithmetic undefined behavior into w <<
132 sanitizer versions will allow for wr <<
133 exclusively undefined behavior). <<
134 <<
135 config UBSAN_BOOL 119 config UBSAN_BOOL
136 bool "Perform checking for non-boolean 120 bool "Perform checking for non-boolean values used as boolean"
137 default UBSAN 121 default UBSAN
138 depends on $(cc-option,-fsanitize=bool 122 depends on $(cc-option,-fsanitize=bool)
139 help 123 help
140 This option enables -fsanitize=bool 124 This option enables -fsanitize=bool which checks for boolean values being
141 loaded that are neither 0 nor 1. 125 loaded that are neither 0 nor 1.
142 126
143 config UBSAN_ENUM 127 config UBSAN_ENUM
144 bool "Perform checking for out of boun 128 bool "Perform checking for out of bounds enum values"
145 default UBSAN 129 default UBSAN
146 depends on $(cc-option,-fsanitize=enum 130 depends on $(cc-option,-fsanitize=enum)
147 help 131 help
148 This option enables -fsanitize=enum 132 This option enables -fsanitize=enum which checks for values being loaded
149 into an enum that are outside the ra 133 into an enum that are outside the range of given values for the given enum.
150 134
151 config UBSAN_ALIGNMENT 135 config UBSAN_ALIGNMENT
152 bool "Perform checking for misaligned 136 bool "Perform checking for misaligned pointer usage"
153 default !HAVE_EFFICIENT_UNALIGNED_ACCE 137 default !HAVE_EFFICIENT_UNALIGNED_ACCESS
154 depends on !UBSAN_TRAP && !COMPILE_TES 138 depends on !UBSAN_TRAP && !COMPILE_TEST
155 depends on $(cc-option,-fsanitize=alig 139 depends on $(cc-option,-fsanitize=alignment)
156 help 140 help
157 This option enables the check of una 141 This option enables the check of unaligned memory accesses.
158 Enabling this option on architecture 142 Enabling this option on architectures that support unaligned
159 accesses may produce a lot of false 143 accesses may produce a lot of false positives.
>> 144
>> 145 config UBSAN_SANITIZE_ALL
>> 146 bool "Enable instrumentation for the entire kernel"
>> 147 depends on ARCH_HAS_UBSAN_SANITIZE_ALL
>> 148 default y
>> 149 help
>> 150 This option activates instrumentation for the entire kernel.
>> 151 If you don't enable this option, you have to explicitly specify
>> 152 UBSAN_SANITIZE := y for the files/directories you want to check for UB.
>> 153 Enabling this option will get kernel image size increased
>> 154 significantly.
160 155
161 config TEST_UBSAN 156 config TEST_UBSAN
162 tristate "Module for testing for undef 157 tristate "Module for testing for undefined behavior detection"
163 depends on m 158 depends on m
164 help 159 help
165 This is a test module for UBSAN. 160 This is a test module for UBSAN.
166 It triggers various undefined behavi 161 It triggers various undefined behavior, and detect it.
167 162
168 endif # if UBSAN 163 endif # if UBSAN
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.