1 # SPDX-License-Identifier: GPL-2.0-only 2 config ARCH_HAS_UBSAN 3 bool 4 5 menuconfig UBSAN 6 bool "Undefined behaviour sanity checker" 7 depends on ARCH_HAS_UBSAN 8 help 9 This option enables the Undefined Behaviour sanity checker. 10 Compile-time instrumentation is used to detect various undefined 11 behaviours at runtime. For more details, see: 12 Documentation/dev-tools/ubsan.rst 13 14 if UBSAN 15 16 config UBSAN_TRAP 17 bool "Abort on Sanitizer warnings (smaller kernel but less verbose)" 18 depends on !COMPILE_TEST 19 help 20 Building kernels with Sanitizer features enabled tends to grow 21 the kernel size by around 5%, due to adding all the debugging 22 text on failure paths. To avoid this, Sanitizer instrumentation 23 can just issue a trap. This reduces the kernel size overhead but 24 turns all warnings (including potentially harmless conditions) 25 into full exceptions that abort the running kernel code 26 (regardless of context, locks held, etc), which may destabilize 27 the system. For some system builders this is an acceptable 28 trade-off. 29 30 Also note that selecting Y will cause your kernel to Oops 31 with an "illegal instruction" error with no further details 32 when a UBSAN violation occurs. (Except on arm64, which will 33 report which Sanitizer failed.) This may make it hard to 34 determine whether an Oops was caused by UBSAN or to figure 35 out the details of a UBSAN violation. It makes the kernel log 36 output less useful for bug reports. 37 38 config CC_HAS_UBSAN_BOUNDS_STRICT 39 def_bool $(cc-option,-fsanitize=bounds-strict) 40 help 41 The -fsanitize=bounds-strict option is only available on GCC, 42 but uses the more strict handling of arrays that includes knowledge 43 of flexible arrays, which is comparable to Clang's regular 44 -fsanitize=bounds. 45 46 config CC_HAS_UBSAN_ARRAY_BOUNDS 47 def_bool $(cc-option,-fsanitize=array-bounds) 48 help 49 Under Clang, the -fsanitize=bounds option is actually composed 50 of two more specific options, -fsanitize=array-bounds and 51 -fsanitize=local-bounds. However, -fsanitize=local-bounds can 52 only be used when trap mode is enabled. (See also the help for 53 CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds 54 so that we can build up the options needed for UBSAN_BOUNDS 55 with or without UBSAN_TRAP. 56 57 config UBSAN_BOUNDS 58 bool "Perform array index bounds checking" 59 default UBSAN 60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT 61 help 62 This option enables detection of directly indexed out of bounds 63 array accesses, where the array size is known at compile time. 64 Note that this does not protect array overflows via bad calls 65 to the {str,mem}*cpy() family of functions (that is addressed 66 by CONFIG_FORTIFY_SOURCE). 67 68 config UBSAN_BOUNDS_STRICT 69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT 70 help 71 GCC's bounds sanitizer. This option is used to select the 72 correct options in Makefile.ubsan. 73 74 config UBSAN_ARRAY_BOUNDS 75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS 76 help 77 Clang's array bounds sanitizer. This option is used to select 78 the correct options in Makefile.ubsan. 79 80 config UBSAN_LOCAL_BOUNDS 81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP 82 help 83 This option enables Clang's -fsanitize=local-bounds which traps 84 when an access through a pointer that is derived from an object 85 of a statically-known size, where an added offset (which may not 86 be known statically) is out-of-bounds. Since this option is 87 trap-only, it depends on CONFIG_UBSAN_TRAP. 88 89 config UBSAN_SHIFT 90 bool "Perform checking for bit-shift overflows" 91 depends on $(cc-option,-fsanitize=shift) 92 help 93 This option enables -fsanitize=shift which checks for bit-shift 94 operations that overflow to the left or go switch to negative 95 for signed types. 96 97 config UBSAN_DIV_ZERO 98 bool "Perform checking for integer divide-by-zero" 99 depends on $(cc-option,-fsanitize=integer-divide-by-zero) 100 # https://github.com/ClangBuiltLinux/linux/issues/1657 101 # https://github.com/llvm/llvm-project/issues/56289 102 depends on !CC_IS_CLANG 103 help 104 This option enables -fsanitize=integer-divide-by-zero which checks 105 for integer division by zero. This is effectively redundant with the 106 kernel's existing exception handling, though it can provide greater 107 debugging information under CONFIG_UBSAN_REPORT_FULL. 108 109 config UBSAN_UNREACHABLE 110 bool "Perform checking for unreachable code" 111 # objtool already handles unreachable checking and gets angry about 112 # seeing UBSan instrumentation located in unreachable places. 113 depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION)) 114 depends on $(cc-option,-fsanitize=unreachable) 115 help 116 This option enables -fsanitize=unreachable which checks for control 117 flow reaching an expected-to-be-unreachable position. 118 119 config UBSAN_SIGNED_WRAP 120 bool "Perform checking for signed arithmetic wrap-around" 121 default UBSAN 122 depends on !COMPILE_TEST 123 # The no_sanitize attribute was introduced in GCC with version 8. 124 depends on !CC_IS_GCC || GCC_VERSION >= 80000 125 depends on $(cc-option,-fsanitize=signed-integer-overflow) 126 help 127 This option enables -fsanitize=signed-integer-overflow which checks 128 for wrap-around of any arithmetic operations with signed integers. 129 This currently performs nearly no instrumentation due to the 130 kernel's use of -fno-strict-overflow which converts all would-be 131 arithmetic undefined behavior into wrap-around arithmetic. Future 132 sanitizer versions will allow for wrap-around checking (rather than 133 exclusively undefined behavior). 134 135 config UBSAN_BOOL 136 bool "Perform checking for non-boolean values used as boolean" 137 default UBSAN 138 depends on $(cc-option,-fsanitize=bool) 139 help 140 This option enables -fsanitize=bool which checks for boolean values being 141 loaded that are neither 0 nor 1. 142 143 config UBSAN_ENUM 144 bool "Perform checking for out of bounds enum values" 145 default UBSAN 146 depends on $(cc-option,-fsanitize=enum) 147 help 148 This option enables -fsanitize=enum which checks for values being loaded 149 into an enum that are outside the range of given values for the given enum. 150 151 config UBSAN_ALIGNMENT 152 bool "Perform checking for misaligned pointer usage" 153 default !HAVE_EFFICIENT_UNALIGNED_ACCESS 154 depends on !UBSAN_TRAP && !COMPILE_TEST 155 depends on $(cc-option,-fsanitize=alignment) 156 help 157 This option enables the check of unaligned memory accesses. 158 Enabling this option on architectures that support unaligned 159 accesses may produce a lot of false positives. 160 161 config TEST_UBSAN 162 tristate "Module for testing for undefined behavior detection" 163 depends on m 164 help 165 This is a test module for UBSAN. 166 It triggers various undefined behavior, and detect it. 167 168 endif # if UBSAN
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.