~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/lib/Kconfig.ubsan

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 # SPDX-License-Identifier: GPL-2.0-only
  2 config ARCH_HAS_UBSAN
  3         bool
  4 
  5 menuconfig UBSAN
  6         bool "Undefined behaviour sanity checker"
  7         depends on ARCH_HAS_UBSAN
  8         help
  9           This option enables the Undefined Behaviour sanity checker.
 10           Compile-time instrumentation is used to detect various undefined
 11           behaviours at runtime. For more details, see:
 12           Documentation/dev-tools/ubsan.rst
 13 
 14 if UBSAN
 15 
 16 config UBSAN_TRAP
 17         bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
 18         depends on !COMPILE_TEST
 19         help
 20           Building kernels with Sanitizer features enabled tends to grow
 21           the kernel size by around 5%, due to adding all the debugging
 22           text on failure paths. To avoid this, Sanitizer instrumentation
 23           can just issue a trap. This reduces the kernel size overhead but
 24           turns all warnings (including potentially harmless conditions)
 25           into full exceptions that abort the running kernel code
 26           (regardless of context, locks held, etc), which may destabilize
 27           the system. For some system builders this is an acceptable
 28           trade-off.
 29 
 30           Also note that selecting Y will cause your kernel to Oops
 31           with an "illegal instruction" error with no further details
 32           when a UBSAN violation occurs. (Except on arm64, which will
 33           report which Sanitizer failed.) This may make it hard to
 34           determine whether an Oops was caused by UBSAN or to figure
 35           out the details of a UBSAN violation. It makes the kernel log
 36           output less useful for bug reports.
 37 
 38 config CC_HAS_UBSAN_BOUNDS_STRICT
 39         def_bool $(cc-option,-fsanitize=bounds-strict)
 40         help
 41           The -fsanitize=bounds-strict option is only available on GCC,
 42           but uses the more strict handling of arrays that includes knowledge
 43           of flexible arrays, which is comparable to Clang's regular
 44           -fsanitize=bounds.
 45 
 46 config CC_HAS_UBSAN_ARRAY_BOUNDS
 47         def_bool $(cc-option,-fsanitize=array-bounds)
 48         help
 49           Under Clang, the -fsanitize=bounds option is actually composed
 50           of two more specific options, -fsanitize=array-bounds and
 51           -fsanitize=local-bounds. However, -fsanitize=local-bounds can
 52           only be used when trap mode is enabled. (See also the help for
 53           CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
 54           so that we can build up the options needed for UBSAN_BOUNDS
 55           with or without UBSAN_TRAP.
 56 
 57 config UBSAN_BOUNDS
 58         bool "Perform array index bounds checking"
 59         default UBSAN
 60         depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
 61         help
 62           This option enables detection of directly indexed out of bounds
 63           array accesses, where the array size is known at compile time.
 64           Note that this does not protect array overflows via bad calls
 65           to the {str,mem}*cpy() family of functions (that is addressed
 66           by CONFIG_FORTIFY_SOURCE).
 67 
 68 config UBSAN_BOUNDS_STRICT
 69         def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
 70         help
 71           GCC's bounds sanitizer. This option is used to select the
 72           correct options in Makefile.ubsan.
 73 
 74 config UBSAN_ARRAY_BOUNDS
 75         def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
 76         help
 77           Clang's array bounds sanitizer. This option is used to select
 78           the correct options in Makefile.ubsan.
 79 
 80 config UBSAN_LOCAL_BOUNDS
 81         def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
 82         help
 83           This option enables Clang's -fsanitize=local-bounds which traps
 84           when an access through a pointer that is derived from an object
 85           of a statically-known size, where an added offset (which may not
 86           be known statically) is out-of-bounds. Since this option is
 87           trap-only, it depends on CONFIG_UBSAN_TRAP.
 88 
 89 config UBSAN_SHIFT
 90         bool "Perform checking for bit-shift overflows"
 91         depends on $(cc-option,-fsanitize=shift)
 92         help
 93           This option enables -fsanitize=shift which checks for bit-shift
 94           operations that overflow to the left or go switch to negative
 95           for signed types.
 96 
 97 config UBSAN_DIV_ZERO
 98         bool "Perform checking for integer divide-by-zero"
 99         depends on $(cc-option,-fsanitize=integer-divide-by-zero)
100         # https://github.com/ClangBuiltLinux/linux/issues/1657
101         # https://github.com/llvm/llvm-project/issues/56289
102         depends on !CC_IS_CLANG
103         help
104           This option enables -fsanitize=integer-divide-by-zero which checks
105           for integer division by zero. This is effectively redundant with the
106           kernel's existing exception handling, though it can provide greater
107           debugging information under CONFIG_UBSAN_REPORT_FULL.
108 
109 config UBSAN_UNREACHABLE
110         bool "Perform checking for unreachable code"
111         # objtool already handles unreachable checking and gets angry about
112         # seeing UBSan instrumentation located in unreachable places.
113         depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
114         depends on $(cc-option,-fsanitize=unreachable)
115         help
116           This option enables -fsanitize=unreachable which checks for control
117           flow reaching an expected-to-be-unreachable position.
118 
119 config UBSAN_SIGNED_WRAP
120         bool "Perform checking for signed arithmetic wrap-around"
121         default UBSAN
122         depends on !COMPILE_TEST
123         # The no_sanitize attribute was introduced in GCC with version 8.
124         depends on !CC_IS_GCC || GCC_VERSION >= 80000
125         depends on $(cc-option,-fsanitize=signed-integer-overflow)
126         help
127           This option enables -fsanitize=signed-integer-overflow which checks
128           for wrap-around of any arithmetic operations with signed integers.
129           This currently performs nearly no instrumentation due to the
130           kernel's use of -fno-strict-overflow which converts all would-be
131           arithmetic undefined behavior into wrap-around arithmetic. Future
132           sanitizer versions will allow for wrap-around checking (rather than
133           exclusively undefined behavior).
134 
135 config UBSAN_BOOL
136         bool "Perform checking for non-boolean values used as boolean"
137         default UBSAN
138         depends on $(cc-option,-fsanitize=bool)
139         help
140           This option enables -fsanitize=bool which checks for boolean values being
141           loaded that are neither 0 nor 1.
142 
143 config UBSAN_ENUM
144         bool "Perform checking for out of bounds enum values"
145         default UBSAN
146         depends on $(cc-option,-fsanitize=enum)
147         help
148           This option enables -fsanitize=enum which checks for values being loaded
149           into an enum that are outside the range of given values for the given enum.
150 
151 config UBSAN_ALIGNMENT
152         bool "Perform checking for misaligned pointer usage"
153         default !HAVE_EFFICIENT_UNALIGNED_ACCESS
154         depends on !UBSAN_TRAP && !COMPILE_TEST
155         depends on $(cc-option,-fsanitize=alignment)
156         help
157           This option enables the check of unaligned memory accesses.
158           Enabling this option on architectures that support unaligned
159           accesses may produce a lot of false positives.
160 
161 config TEST_UBSAN
162         tristate "Module for testing for undefined behavior detection"
163         depends on m
164         help
165           This is a test module for UBSAN.
166           It triggers various undefined behavior, and detect it.
167 
168 endif   # if UBSAN

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php