1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only 2 config ARCH_HAS_UBSAN !! 2 config ARCH_HAS_UBSAN_SANITIZE_ALL 3 bool 3 bool 4 4 5 menuconfig UBSAN 5 menuconfig UBSAN 6 bool "Undefined behaviour sanity check 6 bool "Undefined behaviour sanity checker" 7 depends on ARCH_HAS_UBSAN << 8 help 7 help 9 This option enables the Undefined Be 8 This option enables the Undefined Behaviour sanity checker. 10 Compile-time instrumentation is used 9 Compile-time instrumentation is used to detect various undefined 11 behaviours at runtime. For more deta 10 behaviours at runtime. For more details, see: 12 Documentation/dev-tools/ubsan.rst 11 Documentation/dev-tools/ubsan.rst 13 12 14 if UBSAN 13 if UBSAN 15 14 16 config UBSAN_TRAP 15 config UBSAN_TRAP 17 bool "Abort on Sanitizer warnings (sma !! 16 bool "On Sanitizer warnings, abort the running kernel code" 18 depends on !COMPILE_TEST 17 depends on !COMPILE_TEST >> 18 depends on $(cc-option, -fsanitize-undefined-trap-on-error) 19 help 19 help 20 Building kernels with Sanitizer feat 20 Building kernels with Sanitizer features enabled tends to grow 21 the kernel size by around 5%, due to 21 the kernel size by around 5%, due to adding all the debugging 22 text on failure paths. To avoid this 22 text on failure paths. To avoid this, Sanitizer instrumentation 23 can just issue a trap. This reduces 23 can just issue a trap. This reduces the kernel size overhead but 24 turns all warnings (including potent 24 turns all warnings (including potentially harmless conditions) 25 into full exceptions that abort the 25 into full exceptions that abort the running kernel code 26 (regardless of context, locks held, 26 (regardless of context, locks held, etc), which may destabilize 27 the system. For some system builders 27 the system. For some system builders this is an acceptable 28 trade-off. 28 trade-off. 29 29 30 Also note that selecting Y will caus !! 
30 config UBSAN_KCOV_BROKEN 31 with an "illegal instruction" error !! 31 def_bool KCOV && CC_HAS_SANCOV_TRACE_PC 32 when a UBSAN violation occurs. (Exce !! 32 depends on CC_IS_CLANG 33 will report which Sanitizer failed.) !! 33 depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc) 34 determine whether an Oops was caused !! 34 help 35 out the details of a UBSAN violation !! 35 Some versions of clang support either UBSAN or KCOV but not the 36 output less useful for bug reports. !! 36 combination of the two. 37 !! 37 See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status 38 config CC_HAS_UBSAN_BOUNDS_STRICT !! 38 in newer releases. 39 def_bool $(cc-option,-fsanitize=bounds !! 39 40 help !! 40 config CC_HAS_UBSAN_BOUNDS 41 The -fsanitize=bounds-strict option !! 41 def_bool $(cc-option,-fsanitize=bounds) 42 but uses the more strict handling of << 43 of flexible arrays, which is compara << 44 -fsanitize=bounds. << 45 42 46 config CC_HAS_UBSAN_ARRAY_BOUNDS 43 config CC_HAS_UBSAN_ARRAY_BOUNDS 47 def_bool $(cc-option,-fsanitize=array- 44 def_bool $(cc-option,-fsanitize=array-bounds) 48 help << 49 Under Clang, the -fsanitize=bounds o << 50 of two more specific options, -fsani << 51 -fsanitize=local-bounds. However, -f << 52 only be used when trap mode is enabl << 53 CONFIG_LOCAL_BOUNDS.) Explicitly che << 54 so that we can build up the options << 55 with or without UBSAN_TRAP. << 56 45 57 config UBSAN_BOUNDS 46 config UBSAN_BOUNDS 58 bool "Perform array index bounds check 47 bool "Perform array index bounds checking" 59 default UBSAN 48 default UBSAN 60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS | !! 
49 depends on !UBSAN_KCOV_BROKEN >> 50 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS 61 help 51 help 62 This option enables detection of dir 52 This option enables detection of directly indexed out of bounds 63 array accesses, where the array size 53 array accesses, where the array size is known at compile time. 64 Note that this does not protect arra 54 Note that this does not protect array overflows via bad calls 65 to the {str,mem}*cpy() family of fun 55 to the {str,mem}*cpy() family of functions (that is addressed 66 by CONFIG_FORTIFY_SOURCE). 56 by CONFIG_FORTIFY_SOURCE). 67 57 68 config UBSAN_BOUNDS_STRICT !! 58 config UBSAN_ONLY_BOUNDS 69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ !! 59 def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS 70 help !! 60 depends on UBSAN_BOUNDS 71 GCC's bounds sanitizer. This option !! 61 help 72 correct options in Makefile.ubsan. !! 62 This is a weird case: Clang's -fsanitize=bounds includes >> 63 -fsanitize=local-bounds, but it's trapping-only, so for >> 64 Clang, we must use -fsanitize=array-bounds when we want >> 65 traditional array bounds checking enabled. For GCC, we >> 66 want -fsanitize=bounds. 73 67 74 config UBSAN_ARRAY_BOUNDS 68 config UBSAN_ARRAY_BOUNDS 75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ !! 69 def_bool CC_HAS_UBSAN_ARRAY_BOUNDS 76 help !! 70 depends on UBSAN_BOUNDS 77 Clang's array bounds sanitizer. This << 78 the correct options in Makefile.ubsa << 79 71 80 config UBSAN_LOCAL_BOUNDS 72 config UBSAN_LOCAL_BOUNDS 81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_T !! 73 bool "Perform array local bounds checking" 82 help !! 74 depends on UBSAN_TRAP 83 This option enables Clang's -fsaniti !! 75 depends on !UBSAN_KCOV_BROKEN 84 when an access through a pointer tha !! 76 depends on $(cc-option,-fsanitize=local-bounds) 85 of a statically-known size, where an !! 77 help 86 be known statically) is out-of-bound !! 
78 This option enables -fsanitize=local-bounds which traps when an 87 trap-only, it depends on CONFIG_UBSA !! 79 exception/error is detected. Therefore, it may only be enabled >> 80 with CONFIG_UBSAN_TRAP. >> 81 >> 82 Enabling this option detects errors due to accesses through a >> 83 pointer that is derived from an object of a statically-known size, >> 84 where an added offset (which may not be known statically) is >> 85 out-of-bounds. 88 86 89 config UBSAN_SHIFT 87 config UBSAN_SHIFT 90 bool "Perform checking for bit-shift o 88 bool "Perform checking for bit-shift overflows" >> 89 default UBSAN 91 depends on $(cc-option,-fsanitize=shif 90 depends on $(cc-option,-fsanitize=shift) 92 help 91 help 93 This option enables -fsanitize=shift 92 This option enables -fsanitize=shift which checks for bit-shift 94 operations that overflow to the left 93 operations that overflow to the left or go switch to negative 95 for signed types. 94 for signed types. 96 95 97 config UBSAN_DIV_ZERO 96 config UBSAN_DIV_ZERO 98 bool "Perform checking for integer div 97 bool "Perform checking for integer divide-by-zero" 99 depends on $(cc-option,-fsanitize=inte 98 depends on $(cc-option,-fsanitize=integer-divide-by-zero) 100 # https://github.com/ClangBuiltLinux/l << 101 # https://github.com/llvm/llvm-project << 102 depends on !CC_IS_CLANG << 103 help 99 help 104 This option enables -fsanitize=integ 100 This option enables -fsanitize=integer-divide-by-zero which checks 105 for integer division by zero. This i 101 for integer division by zero. This is effectively redundant with the 106 kernel's existing exception handling 102 kernel's existing exception handling, though it can provide greater 107 debugging information under CONFIG_U 103 debugging information under CONFIG_UBSAN_REPORT_FULL. 
108 104 109 config UBSAN_UNREACHABLE 105 config UBSAN_UNREACHABLE 110 bool "Perform checking for unreachable 106 bool "Perform checking for unreachable code" 111 # objtool already handles unreachable 107 # objtool already handles unreachable checking and gets angry about 112 # seeing UBSan instrumentation located 108 # seeing UBSan instrumentation located in unreachable places. 113 depends on !(OBJTOOL && (STACK_VALIDAT !! 109 depends on !STACK_VALIDATION 114 depends on $(cc-option,-fsanitize=unre 110 depends on $(cc-option,-fsanitize=unreachable) 115 help 111 help 116 This option enables -fsanitize=unrea 112 This option enables -fsanitize=unreachable which checks for control 117 flow reaching an expected-to-be-unre 113 flow reaching an expected-to-be-unreachable position. 118 114 119 config UBSAN_SIGNED_WRAP !! 115 config UBSAN_OBJECT_SIZE 120 bool "Perform checking for signed arit !! 116 bool "Perform checking for accesses beyond the end of objects" 121 default UBSAN 117 default UBSAN 122 depends on !COMPILE_TEST !! 118 # gcc hugely expands stack usage with -fsanitize=object-size 123 # The no_sanitize attribute was introd !! 119 # https://lore.kernel.org/lkml/CAHk-=wjPasyJrDuwDnpHJS2TuQfExwe=px-SzLeN8GFMAQJPmQ@mail.gmail.com/ 124 depends on !CC_IS_GCC || GCC_VERSION > !! 120 depends on !CC_IS_GCC 125 depends on $(cc-option,-fsanitize=sign !! 121 depends on $(cc-option,-fsanitize=object-size) 126 help !! 122 help 127 This option enables -fsanitize=signe !! 123 This option enables -fsanitize=object-size which checks for accesses 128 for wrap-around of any arithmetic op !! 124 beyond the end of objects where the optimizer can determine both the 129 This currently performs nearly no in !! 125 object being operated on and its size, usually seen with bad downcasts, 130 kernel's use of -fno-strict-overflow !! 126 or access to struct members from NULL pointers. 
131 arithmetic undefined behavior into w << 132 sanitizer versions will allow for wr << 133 exclusively undefined behavior). << 134 127 135 config UBSAN_BOOL 128 config UBSAN_BOOL 136 bool "Perform checking for non-boolean 129 bool "Perform checking for non-boolean values used as boolean" 137 default UBSAN 130 default UBSAN 138 depends on $(cc-option,-fsanitize=bool 131 depends on $(cc-option,-fsanitize=bool) 139 help 132 help 140 This option enables -fsanitize=bool 133 This option enables -fsanitize=bool which checks for boolean values being 141 loaded that are neither 0 nor 1. 134 loaded that are neither 0 nor 1. 142 135 143 config UBSAN_ENUM 136 config UBSAN_ENUM 144 bool "Perform checking for out of boun 137 bool "Perform checking for out of bounds enum values" 145 default UBSAN 138 default UBSAN 146 depends on $(cc-option,-fsanitize=enum 139 depends on $(cc-option,-fsanitize=enum) 147 help 140 help 148 This option enables -fsanitize=enum 141 This option enables -fsanitize=enum which checks for values being loaded 149 into an enum that are outside the ra 142 into an enum that are outside the range of given values for the given enum. 150 143 151 config UBSAN_ALIGNMENT 144 config UBSAN_ALIGNMENT 152 bool "Perform checking for misaligned 145 bool "Perform checking for misaligned pointer usage" 153 default !HAVE_EFFICIENT_UNALIGNED_ACCE 146 default !HAVE_EFFICIENT_UNALIGNED_ACCESS 154 depends on !UBSAN_TRAP && !COMPILE_TES 147 depends on !UBSAN_TRAP && !COMPILE_TEST 155 depends on $(cc-option,-fsanitize=alig 148 depends on $(cc-option,-fsanitize=alignment) 156 help 149 help 157 This option enables the check of una 150 This option enables the check of unaligned memory accesses. 158 Enabling this option on architecture 151 Enabling this option on architectures that support unaligned 159 accesses may produce a lot of false 152 accesses may produce a lot of false positives. 
>> 153 >> 154 config UBSAN_SANITIZE_ALL >> 155 bool "Enable instrumentation for the entire kernel" >> 156 depends on ARCH_HAS_UBSAN_SANITIZE_ALL >> 157 default y >> 158 help >> 159 This option activates instrumentation for the entire kernel. >> 160 If you don't enable this option, you have to explicitly specify >> 161 UBSAN_SANITIZE := y for the files/directories you want to check for UB. >> 162 Enabling this option will get kernel image size increased >> 163 significantly. 160 164 161 config TEST_UBSAN 165 config TEST_UBSAN 162 tristate "Module for testing for undef 166 tristate "Module for testing for undefined behavior detection" 163 depends on m 167 depends on m 164 help 168 help 165 This is a test module for UBSAN. 169 This is a test module for UBSAN. 166 It triggers various undefined behavi 170 It triggers various undefined behavior, and detect it. 167 171 168 endif # if UBSAN 172 endif # if UBSAN
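Review bot: in the UBSAN_TRAP block, the left column has no compiler-capability dependency at all, while the right column carries `depends on $(cc-option, -fsanitize-undefined-trap-on-error)`; nothing else in this file probes trap support, so a toolchain without it could be offered the option and the build would only fail (or silently build a non-trapping kernel) later. Either confirm the flag is probed elsewhere (Makefile.ubsan or a CC_HAS_ symbol) and say so in a comment, or keep a cc-option dependency here. The added help paragraph about Oopsing with an "illegal instruction" error and no call trace is a useful warning; it would be worth also noting there that the same trade-off applies to UBSAN_LOCAL_BOUNDS, which in the left column is tied to UBSAN_TRAP.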
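Review bot: in the CC_HAS_UBSAN_ARRAY_BOUNDS help text (left column), `(See also the help for CONFIG_LOCAL_BOUNDS.)` names a symbol that does not exist in this file; the option defined below is UBSAN_LOCAL_BOUNDS, so the reference should read CONFIG_UBSAN_LOCAL_BOUNDS. In the same region the left column drops UBSAN_KCOV_BROKEN together with the `depends on !UBSAN_KCOV_BROKEN` lines on UBSAN_BOUNDS and UBSAN_LOCAL_BOUNDS, yet nothing remaining in the file records why the clang KCOV-plus-bounds conflict the right column documents (https://bugs.llvm.org/show_bug.cgi?id=45831) no longer needs a guard; a one-line comment giving the minimum clang version that carries the fix would keep that reasoning discoverable for anyone bisecting a KCOV build failure.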
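Review bot: UBSAN_LOCAL_BOUNDS changes from a user-visible `bool "Perform array local bounds checking"` with `depends on UBSAN_TRAP` and `depends on $(cc-option,-fsanitize=local-bounds)` (right column) to a `def_bool UBSAN_ARRAY_BOUNDS && UBSAN_T...` (left column), so it is now switched on automatically for every trap-mode build that has array-bounds, with no cc-option probe for `-fsanitize=local-bounds` left in the file. If this relies on clang always providing local-bounds whenever it accepts `-fsanitize=array-bounds`, state that assumption in the help text; otherwise restore the cc-option dependency so a compiler that lacks the flag is not handed it unconditionally.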
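Review bot: in the UBSAN_SHIFT block the left column has no `default UBSAN` while the right column does, so the shift check now defaults to off even though UBSAN_BOUNDS, UBSAN_BOOL and UBSAN_ENUM keep `default UBSAN`; if that asymmetry is deliberate (for example because the check is noisy on existing code), the help text should say so, since users relying on the UBSAN default will otherwise lose this check without noticing. Style point in the same help: `operations that overflow to the left or go switch to negative` should read `... or switch to negative`. In UBSAN_DIV_ZERO the left column adds `depends on !CC_IS_CLANG`, which hides the option entirely on clang builds, but the help text is unchanged and the justification lives only in the two URL comments above the dependency; one sentence in the help noting the clang exclusion would spare users a trip to the Kconfig source to learn why the option vanished.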
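Review bot: UBSAN_SIGNED_WRAP (left column) is `default UBSAN` while its own help text states that it `currently performs nearly no in[strumentation]` because the kernel builds with `-fno-strict-overflow`; a check that is on by default but does almost nothing invites false confidence in what a UBSAN-enabled kernel actually verifies. Either default it to n until the wrap-around checking mode the help anticipates is available, or make the help say plainly that enabling it today has no practical effect. The same region drops UBSAN_OBJECT_SIZE outright; the right column had restricted it to non-GCC builds because of GCC stack-usage growth (see the lore link in that block), so clang users lose the object-size check with no replacement, and that removal deserves a mention in the commit message or in Documentation/dev-tools/ubsan.rst.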
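Review bot: the left column removes UBSAN_SANITIZE_ALL and replaces ARCH_HAS_UBSAN_SANITIZE_ALL with ARCH_HAS_UBSAN, which means the per-file opt-in described in the removed help text (`UBSAN_SANITIZE := y` for selected files or directories) is no longer reachable from Kconfig and whole-kernel instrumentation is implied by UBSAN itself; the UBSAN help text should state that, and Documentation/dev-tools/ubsan.rst, which it points readers to, should be checked for stale references to UBSAN_SANITIZE_ALL. Minor: the TEST_UBSAN help line `It triggers various undefined behavior, and detect it.` should read `and detects it`.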