1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only
2 config ARCH_HAS_UBSAN 2 config ARCH_HAS_UBSAN
3 bool 3 bool
4 4
5 menuconfig UBSAN 5 menuconfig UBSAN
6 bool "Undefined behaviour sanity check 6 bool "Undefined behaviour sanity checker"
7 depends on ARCH_HAS_UBSAN 7 depends on ARCH_HAS_UBSAN
8 help 8 help
9 This option enables the Undefined Be 9 This option enables the Undefined Behaviour sanity checker.
10 Compile-time instrumentation is used 10 Compile-time instrumentation is used to detect various undefined
11 behaviours at runtime. For more deta 11 behaviours at runtime. For more details, see:
12 Documentation/dev-tools/ubsan.rst 12 Documentation/dev-tools/ubsan.rst
13 13
14 if UBSAN 14 if UBSAN
15 15
16 config UBSAN_TRAP 16 config UBSAN_TRAP
17 bool "Abort on Sanitizer warnings (sma 17 bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
18 depends on !COMPILE_TEST 18 depends on !COMPILE_TEST
19 help 19 help
20 Building kernels with Sanitizer feat 20 Building kernels with Sanitizer features enabled tends to grow
21 the kernel size by around 5%, due to 21 the kernel size by around 5%, due to adding all the debugging
22 text on failure paths. To avoid this 22 text on failure paths. To avoid this, Sanitizer instrumentation
23 can just issue a trap. This reduces 23 can just issue a trap. This reduces the kernel size overhead but
24 turns all warnings (including potent 24 turns all warnings (including potentially harmless conditions)
25 into full exceptions that abort the 25 into full exceptions that abort the running kernel code
26 (regardless of context, locks held, 26 (regardless of context, locks held, etc), which may destabilize
27 the system. For some system builders 27 the system. For some system builders this is an acceptable
28 trade-off. 28 trade-off.
29 29
30 Also note that selecting Y will caus 30 Also note that selecting Y will cause your kernel to Oops
31 with an "illegal instruction" error 31 with an "illegal instruction" error with no further details
32 when a UBSAN violation occurs. (Exce 32 when a UBSAN violation occurs. (Except on arm64 and x86, which
33 will report which Sanitizer failed.) 33 will report which Sanitizer failed.) This may make it hard to
34 determine whether an Oops was caused 34 determine whether an Oops was caused by UBSAN or to figure
35 out the details of a UBSAN violation 35 out the details of a UBSAN violation. It makes the kernel log
36 output less useful for bug reports. 36 output less useful for bug reports.
37 37
38 config CC_HAS_UBSAN_BOUNDS_STRICT 38 config CC_HAS_UBSAN_BOUNDS_STRICT
39 def_bool $(cc-option,-fsanitize=bounds 39 def_bool $(cc-option,-fsanitize=bounds-strict)
40 help 40 help
41 The -fsanitize=bounds-strict option 41 The -fsanitize=bounds-strict option is only available on GCC,
42 but uses the more strict handling of 42 but uses the more strict handling of arrays that includes knowledge
43 of flexible arrays, which is compara 43 of flexible arrays, which is comparable to Clang's regular
44 -fsanitize=bounds. 44 -fsanitize=bounds.
45 45
46 config CC_HAS_UBSAN_ARRAY_BOUNDS 46 config CC_HAS_UBSAN_ARRAY_BOUNDS
47 def_bool $(cc-option,-fsanitize=array- 47 def_bool $(cc-option,-fsanitize=array-bounds)
48 help 48 help
49 Under Clang, the -fsanitize=bounds o 49 Under Clang, the -fsanitize=bounds option is actually composed
50 of two more specific options, -fsani 50 of two more specific options, -fsanitize=array-bounds and
51 -fsanitize=local-bounds. However, -f 51 -fsanitize=local-bounds. However, -fsanitize=local-bounds can
52 only be used when trap mode is enabl 52 only be used when trap mode is enabled. (See also the help for
53 CONFIG_LOCAL_BOUNDS.) Explicitly che 53 CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
54 so that we can build up the options 54 so that we can build up the options needed for UBSAN_BOUNDS
55 with or without UBSAN_TRAP. 55 with or without UBSAN_TRAP.
56 56
57 config UBSAN_BOUNDS 57 config UBSAN_BOUNDS
58 bool "Perform array index bounds check 58 bool "Perform array index bounds checking"
59 default UBSAN 59 default UBSAN
60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS | 60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
61 help 61 help
62 This option enables detection of dir 62 This option enables detection of directly indexed out of bounds
63 array accesses, where the array size 63 array accesses, where the array size is known at compile time.
64 Note that this does not protect arra 64 Note that this does not protect array overflows via bad calls
65 to the {str,mem}*cpy() family of fun 65 to the {str,mem}*cpy() family of functions (that is addressed
66 by CONFIG_FORTIFY_SOURCE). 66 by CONFIG_FORTIFY_SOURCE).
67 67
68 config UBSAN_BOUNDS_STRICT 68 config UBSAN_BOUNDS_STRICT
69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ 69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
70 help 70 help
71 GCC's bounds sanitizer. This option 71 GCC's bounds sanitizer. This option is used to select the
72 correct options in Makefile.ubsan. 72 correct options in Makefile.ubsan.
73 73
74 config UBSAN_ARRAY_BOUNDS 74 config UBSAN_ARRAY_BOUNDS
75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ 75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
76 help 76 help
77 Clang's array bounds sanitizer. This 77 Clang's array bounds sanitizer. This option is used to select
78 the correct options in Makefile.ubsa 78 the correct options in Makefile.ubsan.
79 79
80 config UBSAN_LOCAL_BOUNDS 80 config UBSAN_LOCAL_BOUNDS
81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_T 81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
82 help 82 help
83 This option enables Clang's -fsaniti 83 This option enables Clang's -fsanitize=local-bounds which traps
84 when an access through a pointer tha 84 when an access through a pointer that is derived from an object
85 of a statically-known size, where an 85 of a statically-known size, where an added offset (which may not
86 be known statically) is out-of-bound 86 be known statically) is out-of-bounds. Since this option is
87 trap-only, it depends on CONFIG_UBSA 87 trap-only, it depends on CONFIG_UBSAN_TRAP.
88 88
89 config UBSAN_SHIFT 89 config UBSAN_SHIFT
90 bool "Perform checking for bit-shift o 90 bool "Perform checking for bit-shift overflows"
91 depends on $(cc-option,-fsanitize=shif 91 depends on $(cc-option,-fsanitize=shift)
92 help 92 help
93 This option enables -fsanitize=shift 93 This option enables -fsanitize=shift which checks for bit-shift
94 operations that overflow to the left 94 operations that overflow to the left or go switch to negative
95 for signed types. 95 for signed types.
96 96
97 config UBSAN_DIV_ZERO 97 config UBSAN_DIV_ZERO
98 bool "Perform checking for integer div 98 bool "Perform checking for integer divide-by-zero"
99 depends on $(cc-option,-fsanitize=inte 99 depends on $(cc-option,-fsanitize=integer-divide-by-zero)
100 # https://github.com/ClangBuiltLinux/l 100 # https://github.com/ClangBuiltLinux/linux/issues/1657
101 # https://github.com/llvm/llvm-project 101 # https://github.com/llvm/llvm-project/issues/56289
102 depends on !CC_IS_CLANG 102 depends on !CC_IS_CLANG
103 help 103 help
104 This option enables -fsanitize=integ 104 This option enables -fsanitize=integer-divide-by-zero which checks
105 for integer division by zero. This i 105 for integer division by zero. This is effectively redundant with the
106 kernel's existing exception handling 106 kernel's existing exception handling, though it can provide greater
107 debugging information under CONFIG_U 107 debugging information under CONFIG_UBSAN_REPORT_FULL.
108 108
109 config UBSAN_UNREACHABLE 109 config UBSAN_UNREACHABLE
110 bool "Perform checking for unreachable 110 bool "Perform checking for unreachable code"
111 # objtool already handles unreachable 111 # objtool already handles unreachable checking and gets angry about
112 # seeing UBSan instrumentation located 112 # seeing UBSan instrumentation located in unreachable places.
113 depends on !(OBJTOOL && (STACK_VALIDAT 113 depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
114 depends on $(cc-option,-fsanitize=unre 114 depends on $(cc-option,-fsanitize=unreachable)
115 help 115 help
116 This option enables -fsanitize=unrea 116 This option enables -fsanitize=unreachable which checks for control
117 flow reaching an expected-to-be-unre 117 flow reaching an expected-to-be-unreachable position.
118 118
119 config UBSAN_SIGNED_WRAP 119 config UBSAN_SIGNED_WRAP
120 bool "Perform checking for signed arit 120 bool "Perform checking for signed arithmetic wrap-around"
121 default UBSAN 121 default UBSAN
122 depends on !COMPILE_TEST 122 depends on !COMPILE_TEST
123 # The no_sanitize attribute was introd 123 # The no_sanitize attribute was introduced in GCC with version 8.
124 depends on !CC_IS_GCC || GCC_VERSION > 124 depends on !CC_IS_GCC || GCC_VERSION >= 80000
125 depends on $(cc-option,-fsanitize=sign 125 depends on $(cc-option,-fsanitize=signed-integer-overflow)
126 help 126 help
127 This option enables -fsanitize=signe 127 This option enables -fsanitize=signed-integer-overflow which checks
128 for wrap-around of any arithmetic op 128 for wrap-around of any arithmetic operations with signed integers.
129 This currently performs nearly no in 129 This currently performs nearly no instrumentation due to the
130 kernel's use of -fno-strict-overflow 130 kernel's use of -fno-strict-overflow which converts all would-be
131 arithmetic undefined behavior into w 131 arithmetic undefined behavior into wrap-around arithmetic. Future
132 sanitizer versions will allow for wr 132 sanitizer versions will allow for wrap-around checking (rather than
133 exclusively undefined behavior). 133 exclusively undefined behavior).
134 134
135 config UBSAN_BOOL 135 config UBSAN_BOOL
136 bool "Perform checking for non-boolean 136 bool "Perform checking for non-boolean values used as boolean"
137 default UBSAN 137 default UBSAN
138 depends on $(cc-option,-fsanitize=bool 138 depends on $(cc-option,-fsanitize=bool)
139 help 139 help
140 This option enables -fsanitize=bool 140 This option enables -fsanitize=bool which checks for boolean values being
141 loaded that are neither 0 nor 1. 141 loaded that are neither 0 nor 1.
142 142
143 config UBSAN_ENUM 143 config UBSAN_ENUM
144 bool "Perform checking for out of boun 144 bool "Perform checking for out of bounds enum values"
145 default UBSAN 145 default UBSAN
146 depends on $(cc-option,-fsanitize=enum 146 depends on $(cc-option,-fsanitize=enum)
147 help 147 help
148 This option enables -fsanitize=enum 148 This option enables -fsanitize=enum which checks for values being loaded
149 into an enum that are outside the ra 149 into an enum that are outside the range of given values for the given enum.
150 150
151 config UBSAN_ALIGNMENT 151 config UBSAN_ALIGNMENT
152 bool "Perform checking for misaligned 152 bool "Perform checking for misaligned pointer usage"
153 default !HAVE_EFFICIENT_UNALIGNED_ACCE 153 default !HAVE_EFFICIENT_UNALIGNED_ACCESS
154 depends on !UBSAN_TRAP && !COMPILE_TES 154 depends on !UBSAN_TRAP && !COMPILE_TEST
155 depends on $(cc-option,-fsanitize=alig 155 depends on $(cc-option,-fsanitize=alignment)
156 help 156 help
157 This option enables the check of una 157 This option enables the check of unaligned memory accesses.
158 Enabling this option on architecture 158 Enabling this option on architectures that support unaligned
159 accesses may produce a lot of false 159 accesses may produce a lot of false positives.
160 160
161 config TEST_UBSAN 161 config TEST_UBSAN
162 tristate "Module for testing for undef 162 tristate "Module for testing for undefined behavior detection"
163 depends on m 163 depends on m
164 help 164 help
165 This is a test module for UBSAN. 165 This is a test module for UBSAN.
166 It triggers various undefined behavi 166 It triggers various undefined behavior, and detect it.
167 167
168 endif # if UBSAN 168 endif # if UBSAN
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.