1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only
2 config ARCH_HAS_UBSAN !! 2 config ARCH_HAS_UBSAN_SANITIZE_ALL
3 bool 3 bool
4 4
5 menuconfig UBSAN 5 menuconfig UBSAN
6 bool "Undefined behaviour sanity check 6 bool "Undefined behaviour sanity checker"
7 depends on ARCH_HAS_UBSAN <<
8 help 7 help
9 This option enables the Undefined Be 8 This option enables the Undefined Behaviour sanity checker.
10 Compile-time instrumentation is used 9 Compile-time instrumentation is used to detect various undefined
11 behaviours at runtime. For more deta 10 behaviours at runtime. For more details, see:
12 Documentation/dev-tools/ubsan.rst 11 Documentation/dev-tools/ubsan.rst
13 12
14 if UBSAN 13 if UBSAN
15 14
16 config UBSAN_TRAP 15 config UBSAN_TRAP
17 bool "Abort on Sanitizer warnings (sma !! 16 bool "On Sanitizer warnings, abort the running kernel code"
18 depends on !COMPILE_TEST 17 depends on !COMPILE_TEST
>> 18 depends on $(cc-option, -fsanitize-undefined-trap-on-error)
19 help 19 help
20 Building kernels with Sanitizer feat 20 Building kernels with Sanitizer features enabled tends to grow
21 the kernel size by around 5%, due to 21 the kernel size by around 5%, due to adding all the debugging
22 text on failure paths. To avoid this 22 text on failure paths. To avoid this, Sanitizer instrumentation
23 can just issue a trap. This reduces 23 can just issue a trap. This reduces the kernel size overhead but
24 turns all warnings (including potent 24 turns all warnings (including potentially harmless conditions)
25 into full exceptions that abort the 25 into full exceptions that abort the running kernel code
26 (regardless of context, locks held, 26 (regardless of context, locks held, etc), which may destabilize
27 the system. For some system builders 27 the system. For some system builders this is an acceptable
28 trade-off. 28 trade-off.
29 29
30 Also note that selecting Y will caus !! 30 config CC_HAS_UBSAN_BOUNDS
31 with an "illegal instruction" error !! 31 def_bool $(cc-option,-fsanitize=bounds)
32 when a UBSAN violation occurs. (Exce <<
33 will report which Sanitizer failed.) <<
34 determine whether an Oops was caused <<
35 out the details of a UBSAN violation <<
36 output less useful for bug reports. <<
37 <<
38 config CC_HAS_UBSAN_BOUNDS_STRICT <<
39 def_bool $(cc-option,-fsanitize=bounds <<
40 help <<
41 The -fsanitize=bounds-strict option <<
42 but uses the more strict handling of <<
43 of flexible arrays, which is compara <<
44 -fsanitize=bounds. <<
45 32
46 config CC_HAS_UBSAN_ARRAY_BOUNDS 33 config CC_HAS_UBSAN_ARRAY_BOUNDS
47 def_bool $(cc-option,-fsanitize=array- 34 def_bool $(cc-option,-fsanitize=array-bounds)
48 help <<
49 Under Clang, the -fsanitize=bounds o <<
50 of two more specific options, -fsani <<
51 -fsanitize=local-bounds. However, -f <<
52 only be used when trap mode is enabl <<
53 CONFIG_LOCAL_BOUNDS.) Explicitly che <<
54 so that we can build up the options <<
55 with or without UBSAN_TRAP. <<
56 35
57 config UBSAN_BOUNDS 36 config UBSAN_BOUNDS
58 bool "Perform array index bounds check 37 bool "Perform array index bounds checking"
59 default UBSAN 38 default UBSAN
60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS | !! 39 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS
61 help 40 help
62 This option enables detection of dir 41 This option enables detection of directly indexed out of bounds
63 array accesses, where the array size 42 array accesses, where the array size is known at compile time.
64 Note that this does not protect arra 43 Note that this does not protect array overflows via bad calls
65 to the {str,mem}*cpy() family of fun 44 to the {str,mem}*cpy() family of functions (that is addressed
66 by CONFIG_FORTIFY_SOURCE). 45 by CONFIG_FORTIFY_SOURCE).
67 46
68 config UBSAN_BOUNDS_STRICT !! 47 config UBSAN_ONLY_BOUNDS
69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ !! 48 def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS
70 help !! 49 depends on UBSAN_BOUNDS
71 GCC's bounds sanitizer. This option !! 50 help
72 correct options in Makefile.ubsan. !! 51 This is a weird case: Clang's -fsanitize=bounds includes
>> 52 -fsanitize=local-bounds, but it's trapping-only, so for
>> 53 Clang, we must use -fsanitize=array-bounds when we want
>> 54 traditional array bounds checking enabled. For GCC, we
>> 55 want -fsanitize=bounds.
73 56
74 config UBSAN_ARRAY_BOUNDS 57 config UBSAN_ARRAY_BOUNDS
75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ !! 58 def_bool CC_HAS_UBSAN_ARRAY_BOUNDS
76 help !! 59 depends on UBSAN_BOUNDS
77 Clang's array bounds sanitizer. This <<
78 the correct options in Makefile.ubsa <<
79 60
80 config UBSAN_LOCAL_BOUNDS 61 config UBSAN_LOCAL_BOUNDS
81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_T !! 62 bool "Perform array local bounds checking"
82 help !! 63 depends on UBSAN_TRAP
83 This option enables Clang's -fsaniti !! 64 depends on $(cc-option,-fsanitize=local-bounds)
84 when an access through a pointer tha !! 65 help
85 of a statically-known size, where an !! 66 This option enables -fsanitize=local-bounds which traps when an
86 be known statically) is out-of-bound !! 67 exception/error is detected. Therefore, it may only be enabled
87 trap-only, it depends on CONFIG_UBSA !! 68 with CONFIG_UBSAN_TRAP.
>> 69
>> 70 Enabling this option detects errors due to accesses through a
>> 71 pointer that is derived from an object of a statically-known size,
>> 72 where an added offset (which may not be known statically) is
>> 73 out-of-bounds.
88 74
89 config UBSAN_SHIFT 75 config UBSAN_SHIFT
90 bool "Perform checking for bit-shift o 76 bool "Perform checking for bit-shift overflows"
>> 77 default UBSAN
91 depends on $(cc-option,-fsanitize=shif 78 depends on $(cc-option,-fsanitize=shift)
92 help 79 help
93 This option enables -fsanitize=shift 80 This option enables -fsanitize=shift which checks for bit-shift
94 operations that overflow to the left 81 operations that overflow to the left or go switch to negative
95 for signed types. 82 for signed types.
96 83
97 config UBSAN_DIV_ZERO 84 config UBSAN_DIV_ZERO
98 bool "Perform checking for integer div 85 bool "Perform checking for integer divide-by-zero"
99 depends on $(cc-option,-fsanitize=inte 86 depends on $(cc-option,-fsanitize=integer-divide-by-zero)
100 # https://github.com/ClangBuiltLinux/l 87 # https://github.com/ClangBuiltLinux/linux/issues/1657
101 # https://github.com/llvm/llvm-project 88 # https://github.com/llvm/llvm-project/issues/56289
102 depends on !CC_IS_CLANG 89 depends on !CC_IS_CLANG
103 help 90 help
104 This option enables -fsanitize=integ 91 This option enables -fsanitize=integer-divide-by-zero which checks
105 for integer division by zero. This i 92 for integer division by zero. This is effectively redundant with the
106 kernel's existing exception handling 93 kernel's existing exception handling, though it can provide greater
107 debugging information under CONFIG_U 94 debugging information under CONFIG_UBSAN_REPORT_FULL.
108 95
109 config UBSAN_UNREACHABLE 96 config UBSAN_UNREACHABLE
110 bool "Perform checking for unreachable 97 bool "Perform checking for unreachable code"
111 # objtool already handles unreachable 98 # objtool already handles unreachable checking and gets angry about
112 # seeing UBSan instrumentation located 99 # seeing UBSan instrumentation located in unreachable places.
113 depends on !(OBJTOOL && (STACK_VALIDAT 100 depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
114 depends on $(cc-option,-fsanitize=unre 101 depends on $(cc-option,-fsanitize=unreachable)
115 help 102 help
116 This option enables -fsanitize=unrea 103 This option enables -fsanitize=unreachable which checks for control
117 flow reaching an expected-to-be-unre 104 flow reaching an expected-to-be-unreachable position.
118 105
119 config UBSAN_SIGNED_WRAP <<
120 bool "Perform checking for signed arit <<
121 default UBSAN <<
122 depends on !COMPILE_TEST <<
123 # The no_sanitize attribute was introd <<
124 depends on !CC_IS_GCC || GCC_VERSION > <<
125 depends on $(cc-option,-fsanitize=sign <<
126 help <<
127 This option enables -fsanitize=signe <<
128 for wrap-around of any arithmetic op <<
129 This currently performs nearly no in <<
130 kernel's use of -fno-strict-overflow <<
131 arithmetic undefined behavior into w <<
132 sanitizer versions will allow for wr <<
133 exclusively undefined behavior). <<
134 <<
135 config UBSAN_BOOL 106 config UBSAN_BOOL
136 bool "Perform checking for non-boolean 107 bool "Perform checking for non-boolean values used as boolean"
137 default UBSAN 108 default UBSAN
138 depends on $(cc-option,-fsanitize=bool 109 depends on $(cc-option,-fsanitize=bool)
139 help 110 help
140 This option enables -fsanitize=bool 111 This option enables -fsanitize=bool which checks for boolean values being
141 loaded that are neither 0 nor 1. 112 loaded that are neither 0 nor 1.
142 113
143 config UBSAN_ENUM 114 config UBSAN_ENUM
144 bool "Perform checking for out of boun 115 bool "Perform checking for out of bounds enum values"
145 default UBSAN 116 default UBSAN
146 depends on $(cc-option,-fsanitize=enum 117 depends on $(cc-option,-fsanitize=enum)
147 help 118 help
148 This option enables -fsanitize=enum 119 This option enables -fsanitize=enum which checks for values being loaded
149 into an enum that are outside the ra 120 into an enum that are outside the range of given values for the given enum.
150 121
151 config UBSAN_ALIGNMENT 122 config UBSAN_ALIGNMENT
152 bool "Perform checking for misaligned 123 bool "Perform checking for misaligned pointer usage"
153 default !HAVE_EFFICIENT_UNALIGNED_ACCE 124 default !HAVE_EFFICIENT_UNALIGNED_ACCESS
154 depends on !UBSAN_TRAP && !COMPILE_TES 125 depends on !UBSAN_TRAP && !COMPILE_TEST
155 depends on $(cc-option,-fsanitize=alig 126 depends on $(cc-option,-fsanitize=alignment)
156 help 127 help
157 This option enables the check of una 128 This option enables the check of unaligned memory accesses.
158 Enabling this option on architecture 129 Enabling this option on architectures that support unaligned
159 accesses may produce a lot of false 130 accesses may produce a lot of false positives.
>> 131
>> 132 config UBSAN_SANITIZE_ALL
>> 133 bool "Enable instrumentation for the entire kernel"
>> 134 depends on ARCH_HAS_UBSAN_SANITIZE_ALL
>> 135 default y
>> 136 help
>> 137 This option activates instrumentation for the entire kernel.
>> 138 If you don't enable this option, you have to explicitly specify
>> 139 UBSAN_SANITIZE := y for the files/directories you want to check for UB.
>> 140 Enabling this option will get kernel image size increased
>> 141 significantly.
160 142
161 config TEST_UBSAN 143 config TEST_UBSAN
162 tristate "Module for testing for undef 144 tristate "Module for testing for undefined behavior detection"
163 depends on m 145 depends on m
164 help 146 help
165 This is a test module for UBSAN. 147 This is a test module for UBSAN.
166 It triggers various undefined behavi 148 It triggers various undefined behavior, and detect it.
167 149
168 endif # if UBSAN 150 endif # if UBSAN
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.