557f8c582a
In order to mitigate unexpected signed wrap-around[1], bring back the
signed integer overflow sanitizer. It was removed in commit 6aaa31aeb9
("ubsan: remove overflow checks") because it was effectively a no-op
when combined with -fno-strict-overflow (which correctly changes signed
overflow from being "undefined" to being explicitly "wrap around").
Compilers are adjusting their sanitizers to trap wrap-around and to
detect common code patterns that should not be instrumented
(e.g. "var + offset < var"). Prepare for this and explicitly rename
the option from "OVERFLOW" to "WRAP" to more accurately describe the
behavior.
To annotate intentional wrap-around arithmetic, the helpers
wrapping_add/sub/mul_wrap() can be used for individual statements. At
the function level, the __signed_wrap attribute can be used to mark an
entire function as expecting its signed arithmetic to wrap around. For a
single object file the Makefile can use "UBSAN_SIGNED_WRAP_target.o := n"
to mark it as wrapping, and for an entire directory, "UBSAN_SIGNED_WRAP :=
n" can be used.
Additionally keep these disabled under CONFIG_COMPILE_TEST for now.
Link: https://github.com/KSPP/linux/issues/26 [1]
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Hao Luo <haoluo@google.com>
Reviewed-by: Marco Elver <elver@google.com>
Reviewed-by: Justin Stitt <justinstitt@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _LIB_UBSAN_H
#define _LIB_UBSAN_H

/*
 * ABI defined by Clang's UBSAN enum SanitizerHandler:
 * https://github.com/llvm/llvm-project/blob/release/16.x/clang/lib/CodeGen/CodeGenFunction.h#L113
 *
 * Everything in this header (check IDs, descriptor layouts, handler
 * prototypes) mirrors what the compiler emits into instrumented code, so
 * changes here must track that ABI rather than local convenience.
 */
/*
 * Numeric IDs of the sanitizer checks, in the order Clang's SanitizerHandler
 * enum assigns them (see the ABI note above).  The values are implicit, so
 * the declaration order *is* the ABI: do not reorder, insert or remove
 * entries.  Only a subset has a runtime handler prototype at the bottom of
 * this header; those are marked.
 */
enum ubsan_checks {
	ubsan_add_overflow,		/* __ubsan_handle_add_overflow() */
	ubsan_builtin_unreachable,	/* __ubsan_handle_builtin_unreachable() */
	ubsan_cfi_check_fail,
	ubsan_divrem_overflow,		/* __ubsan_handle_divrem_overflow() */
	ubsan_dynamic_type_cache_miss,
	ubsan_float_cast_overflow,
	ubsan_function_type_mismatch,
	ubsan_implicit_conversion,
	ubsan_invalid_builtin,
	ubsan_invalid_objc_cast,
	ubsan_load_invalid_value,	/* __ubsan_handle_load_invalid_value() */
	ubsan_missing_return,
	ubsan_mul_overflow,		/* __ubsan_handle_mul_overflow() */
	ubsan_negate_overflow,		/* __ubsan_handle_negate_overflow() */
	ubsan_nullability_arg,
	ubsan_nullability_return,
	ubsan_nonnull_arg,
	ubsan_nonnull_return,
	ubsan_out_of_bounds,		/* __ubsan_handle_out_of_bounds() */
	ubsan_pointer_overflow,
	ubsan_shift_out_of_bounds,	/* __ubsan_handle_shift_out_of_bounds() */
	ubsan_sub_overflow,		/* __ubsan_handle_sub_overflow() */
	ubsan_type_mismatch,		/* __ubsan_handle_type_mismatch{,_v1}() */
	ubsan_alignment_assumption,	/* __ubsan_handle_alignment_assumption() */
	ubsan_vla_bound_not_positive,
};

/*
 * Presumably the values stored in type_descriptor::type_kind (a u16, which
 * is why the "unknown" sentinel is 0xffff rather than -1).  Anything other
 * than int/float should be treated as undecodable by the handlers.
 */
enum {
	type_kind_int = 0,
	type_kind_float = 1,
	type_unknown = 0xffff
};

/*
 * Compiler-emitted description of a C type; layout fixed by the Clang ABI.
 * @type_kind: type_kind_int / type_kind_float / type_unknown (see above).
 * @type_info: kind-specific encoding — presumably the bit width (and
 *             signedness) for integers; confirm against the code that
 *             decodes it before relying on that.
 * @type_name: declared as [1] because the layout is dictated by the
 *             compiler, not as a flexible array member.  NOTE(review):
 *             presumably a NUL-terminated name that extends past the
 *             declared element — sizeof() does not bound it; confirm in
 *             the consumers before printing it.
 */
struct type_descriptor {
	u16 type_kind;
	u16 type_info;
	char type_name[1];
};

/*
 * Source position of the instrumented expression, as recorded by the
 * compiler.
 * @file_name: path string emitted by the compiler.
 * @reported:  shares storage with @line/@column.  sizeof(unsigned long) is
 *             8 on 64-bit targets (covering both fields) but 4 on 32-bit
 *             targets (covering only @line).  The name suggests it is used
 *             as an "already reported" marker accessed as one word —
 *             confirm in the handler implementations.
 * @line/@column: position within @file_name; whether they are 1-based is
 *             not established here.
 */
struct source_location {
	const char *file_name;
	union {
		unsigned long reported;
		struct {
			u32 line;
			u32 column;
		};
	};
};

/*
 * Presumably the descriptor behind the @data argument of the
 * __ubsan_handle_{add,sub,mul,negate,divrem}_overflow() handlers declared
 * below; confirm there.  @type describes the operand type so the handler
 * can decode the operand values it is handed.
 */
struct overflow_data {
	struct source_location location;
	struct type_descriptor *type;
};

/*
 * Original layout of the type-mismatch descriptor; this is the typed
 * argument of __ubsan_handle_type_mismatch() below.
 * @alignment:       stored in full as an unsigned long (contrast the _v1
 *                   layout, which stores a single byte whose name suggests
 *                   a log2 value).
 * @type_check_kind: selects which kind of access was being checked; the
 *                   meaning of individual values is not established here.
 */
struct type_mismatch_data {
	struct source_location location;
	struct type_descriptor *type;
	unsigned long alignment;
	unsigned char type_check_kind;
};

/*
 * Newer (v1) layout of the type-mismatch descriptor, presumably what
 * __ubsan_handle_type_mismatch_v1() below receives via its void *_data.
 * Differs from type_mismatch_data only in @log_alignment: one byte instead
 * of an unsigned long, and the name suggests it holds log2(alignment) —
 * confirm in the implementation before converting.
 */
struct type_mismatch_data_v1 {
	struct source_location location;
	struct type_descriptor *type;
	unsigned char log_alignment;
	unsigned char type_check_kind;
};

/*
 * Internal, compiler-independent form of a type-mismatch report: unlike
 * the two ABI layouts above it holds a *pointer* to the source location
 * and the expanded @alignment.  Presumably both ABI layouts are converted
 * into this before reporting, so only one code path has to exist.
 */
struct type_mismatch_data_common {
	struct source_location *location;
	struct type_descriptor *type;
	unsigned long alignment;
	unsigned char type_check_kind;
};

/*
 * Descriptor for the nonnull-argument check.
 * @location:      the call site.
 * @attr_location: from the name, where the nonnull attribute was declared.
 * @arg_index:     which argument was NULL; whether it is 0- or 1-based is
 *                 not established here.
 * No handler prototype for this descriptor is declared in this header.
 */
struct nonnull_arg_data {
	struct source_location location;
	struct source_location attr_location;
	int arg_index;
};

/*
 * Descriptor for the array-bounds check (__ubsan_handle_out_of_bounds()
 * below).  @array_type describes the indexed array and @index_type the
 * index value the handler is handed, so the index can be decoded without
 * assuming its width.
 */
struct out_of_bounds_data {
	struct source_location location;
	struct type_descriptor *array_type;
	struct type_descriptor *index_type;
};

/*
 * Descriptor for the shift check (__ubsan_handle_shift_out_of_bounds()
 * below).  Both operand types are carried because the shift amount and the
 * shifted value need not have the same width or signedness.
 */
struct shift_out_of_bounds_data {
	struct source_location location;
	struct type_descriptor *lhs_type;
	struct type_descriptor *rhs_type;
};

/*
 * Descriptor for __builtin_unreachable() being reached
 * (__ubsan_handle_builtin_unreachable() below); only a location is needed.
 */
struct unreachable_data {
	struct source_location location;
};

/*
 * Descriptor for the invalid-value load check
 * (__ubsan_handle_load_invalid_value() below); @type describes the loaded
 * object so the value can be decoded for the report.
 */
struct invalid_value_data {
	struct source_location location;
	struct type_descriptor *type;
};

/*
 * Descriptor for __builtin_assume_aligned()-style checks
 * (__ubsan_handle_alignment_assumption() below).
 * @location:            where the assumption was evaluated.
 * @assumption_location: from the name, where the assumption was declared.
 * @type:                the pointed-to type.
 */
struct alignment_assumption_data {
	struct source_location location;
	struct source_location assumption_location;
	struct type_descriptor *type;
};

/*
 * Widest signed/unsigned integer types available: 128-bit where the
 * architecture supports it, otherwise 64-bit.  Presumably used to widen
 * operand values before decoding/printing them so no width is lost.
 */
#if defined(CONFIG_ARCH_SUPPORTS_INT128)
typedef __int128 s_max;
typedef unsigned __int128 u_max;
#else
typedef s64 s_max;
typedef u64 u_max;
#endif

/*
 * Runtime entry points invoked by compiler-instrumented code when a check
 * fails.  Names and signatures are dictated by the compiler ABI referenced
 * at the top of this header, not by kernel style; they are not meant to be
 * called by hand.  The first argument points to the compiler-generated
 * *_data descriptor for that check; the remaining pointer arguments
 * presumably point at the offending operand values, to be decoded via the
 * descriptor's type — confirm in the implementations.
 *
 * Inconsistencies visible here (harmless, but worth knowing):
 * __ubsan_handle_type_mismatch() takes a typed descriptor while every other
 * handler takes void *, and the descriptor parameter is named @data in some
 * prototypes and @_data in others.
 */
void __ubsan_handle_add_overflow(void *data, void *lhs, void *rhs);
void __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs);
void __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs);
void __ubsan_handle_negate_overflow(void *_data, void *old_val);
void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs);
void __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *ptr);
void __ubsan_handle_type_mismatch_v1(void *_data, void *ptr);
void __ubsan_handle_out_of_bounds(void *_data, void *index);
void __ubsan_handle_shift_out_of_bounds(void *_data, void *lhs, void *rhs);
void __ubsan_handle_builtin_unreachable(void *_data);
void __ubsan_handle_load_invalid_value(void *_data, void *val);
/* Unlike the handlers above, @ptr/@align/@offset are passed by value. */
void __ubsan_handle_alignment_assumption(void *_data, unsigned long ptr,
					 unsigned long align,
					 unsigned long offset);

#endif /* _LIB_UBSAN_H */