c637693b20
Make each UBSAN option individually selectable and remove UBSAN_MISC which no longer has any purpose. Add help text for each Kconfig, and include a reference to the Clang sanitizer documentation. Disable unsigned overflow by default (not available with GCC and makes x86 unbootable with Clang). Disable unreachable when objtool is in use (redundant and confuses things: instrumentation appears at unreachable locations). Link: https://lkml.kernel.org/r/20201203004437.389959-7-keescook@chromium.org Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Ard Biesheuvel <ardb@kernel.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: George Popescu <georgepope@android.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Marco Elver <elver@google.com> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Michal Marek <michal.lkml@markovi.net> Cc: Nathan Chancellor <natechancellor@gmail.com> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Peter Oberparleiter <oberpar@linux.ibm.com> Cc: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
189 lines
6.9 KiB
Plaintext
189 lines
6.9 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
config ARCH_HAS_UBSAN_SANITIZE_ALL
|
|
bool
|
|
|
|
menuconfig UBSAN
|
|
bool "Undefined behaviour sanity checker"
|
|
help
|
|
This option enables the Undefined Behaviour sanity checker.
|
|
Compile-time instrumentation is used to detect various undefined
|
|
behaviours at runtime. For more details, see:
|
|
Documentation/dev-tools/ubsan.rst
|
|
|
|
if UBSAN
|
|
|
|
config UBSAN_TRAP
|
|
bool "On Sanitizer warnings, abort the running kernel code"
|
|
depends on !COMPILE_TEST
|
|
depends on $(cc-option, -fsanitize-undefined-trap-on-error)
|
|
help
|
|
Building kernels with Sanitizer features enabled tends to grow
|
|
the kernel size by around 5%, due to adding all the debugging
|
|
text on failure paths. To avoid this, Sanitizer instrumentation
|
|
can just issue a trap. This reduces the kernel size overhead but
|
|
turns all warnings (including potentially harmless conditions)
|
|
into full exceptions that abort the running kernel code
|
|
(regardless of context, locks held, etc), which may destabilize
|
|
the system. For some system builders this is an acceptable
|
|
trade-off.
|
|
|
|
config UBSAN_KCOV_BROKEN
|
|
def_bool KCOV && CC_HAS_SANCOV_TRACE_PC
|
|
depends on CC_IS_CLANG
|
|
depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc)
|
|
help
|
|
Some versions of clang support either UBSAN or KCOV but not the
|
|
combination of the two.
|
|
See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status
|
|
in newer releases.
|
|
|
|
config CC_HAS_UBSAN_BOUNDS
|
|
def_bool $(cc-option,-fsanitize=bounds)
|
|
|
|
config CC_HAS_UBSAN_ARRAY_BOUNDS
|
|
def_bool $(cc-option,-fsanitize=array-bounds)
|
|
|
|
config UBSAN_BOUNDS
|
|
bool "Perform array index bounds checking"
|
|
default UBSAN
|
|
depends on !UBSAN_KCOV_BROKEN
|
|
depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS
|
|
help
|
|
This option enables detection of directly indexed out of bounds
|
|
array accesses, where the array size is known at compile time.
|
|
Note that this does not protect array overflows via bad calls
|
|
to the {str,mem}*cpy() family of functions (that is addressed
|
|
by CONFIG_FORTIFY_SOURCE).
|
|
|
|
config UBSAN_ONLY_BOUNDS
|
|
def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS
|
|
depends on UBSAN_BOUNDS
|
|
help
|
|
This is a weird case: Clang's -fsanitize=bounds includes
|
|
-fsanitize=local-bounds, but it's trapping-only, so for
|
|
Clang, we must use -fsanitize=array-bounds when we want
|
|
traditional array bounds checking enabled. For GCC, we
|
|
want -fsanitize=bounds.
|
|
|
|
config UBSAN_ARRAY_BOUNDS
|
|
def_bool CC_HAS_UBSAN_ARRAY_BOUNDS
|
|
depends on UBSAN_BOUNDS
|
|
|
|
config UBSAN_LOCAL_BOUNDS
|
|
bool "Perform array local bounds checking"
|
|
depends on UBSAN_TRAP
|
|
depends on !UBSAN_KCOV_BROKEN
|
|
depends on $(cc-option,-fsanitize=local-bounds)
|
|
help
|
|
This option enables -fsanitize=local-bounds which traps when an
|
|
exception/error is detected. Therefore, it may only be enabled
|
|
with CONFIG_UBSAN_TRAP.
|
|
|
|
Enabling this option detects errors due to accesses through a
|
|
pointer that is derived from an object of a statically-known size,
|
|
where an added offset (which may not be known statically) is
|
|
out-of-bounds.
|
|
|
|
config UBSAN_SHIFT
|
|
bool "Perform checking for bit-shift overflows"
|
|
default UBSAN
|
|
depends on $(cc-option,-fsanitize=shift)
|
|
help
|
|
This option enables -fsanitize=shift which checks for bit-shift
|
|
operations that overflow to the left or go switch to negative
|
|
for signed types.
|
|
|
|
config UBSAN_DIV_ZERO
|
|
bool "Perform checking for integer divide-by-zero"
|
|
depends on $(cc-option,-fsanitize=integer-divide-by-zero)
|
|
help
|
|
This option enables -fsanitize=integer-divide-by-zero which checks
|
|
for integer division by zero. This is effectively redundant with the
|
|
kernel's existing exception handling, though it can provide greater
|
|
debugging information under CONFIG_UBSAN_REPORT_FULL.
|
|
|
|
config UBSAN_UNREACHABLE
|
|
bool "Perform checking for unreachable code"
|
|
# objtool already handles unreachable checking and gets angry about
|
|
# seeing UBSan instrumentation located in unreachable places.
|
|
depends on !STACK_VALIDATION
|
|
depends on $(cc-option,-fsanitize=unreachable)
|
|
help
|
|
This option enables -fsanitize=unreachable which checks for control
|
|
flow reaching an expected-to-be-unreachable position.
|
|
|
|
config UBSAN_SIGNED_OVERFLOW
|
|
bool "Perform checking for signed arithmetic overflow"
|
|
default UBSAN
|
|
depends on $(cc-option,-fsanitize=signed-integer-overflow)
|
|
help
|
|
This option enables -fsanitize=signed-integer-overflow which checks
|
|
for overflow of any arithmetic operations with signed integers.
|
|
|
|
config UBSAN_UNSIGNED_OVERFLOW
|
|
bool "Perform checking for unsigned arithmetic overflow"
|
|
depends on $(cc-option,-fsanitize=unsigned-integer-overflow)
|
|
help
|
|
This option enables -fsanitize=unsigned-integer-overflow which checks
|
|
for overflow of any arithmetic operations with unsigned integers. This
|
|
currently causes x86 to fail to boot.
|
|
|
|
config UBSAN_OBJECT_SIZE
|
|
bool "Perform checking for accesses beyond the end of objects"
|
|
default UBSAN
|
|
# gcc hugely expands stack usage with -fsanitize=object-size
|
|
# https://lore.kernel.org/lkml/CAHk-=wjPasyJrDuwDnpHJS2TuQfExwe=px-SzLeN8GFMAQJPmQ@mail.gmail.com/
|
|
depends on !CC_IS_GCC
|
|
depends on $(cc-option,-fsanitize=object-size)
|
|
help
|
|
This option enables -fsanitize=object-size which checks for accesses
|
|
beyond the end of objects where the optimizer can determine both the
|
|
object being operated on and its size, usually seen with bad downcasts,
|
|
or access to struct members from NULL pointers.
|
|
|
|
config UBSAN_BOOL
|
|
bool "Perform checking for non-boolean values used as boolean"
|
|
default UBSAN
|
|
depends on $(cc-option,-fsanitize=bool)
|
|
help
|
|
This option enables -fsanitize=bool which checks for boolean values being
|
|
loaded that are neither 0 nor 1.
|
|
|
|
config UBSAN_ENUM
|
|
bool "Perform checking for out of bounds enum values"
|
|
default UBSAN
|
|
depends on $(cc-option,-fsanitize=enum)
|
|
help
|
|
This option enables -fsanitize=enum which checks for values being loaded
|
|
into an enum that are outside the range of given values for the given enum.
|
|
|
|
config UBSAN_ALIGNMENT
|
|
bool "Perform checking for misaligned pointer usage"
|
|
default !HAVE_EFFICIENT_UNALIGNED_ACCESS
|
|
depends on !UBSAN_TRAP && !COMPILE_TEST
|
|
depends on $(cc-option,-fsanitize=alignment)
|
|
help
|
|
This option enables the check of unaligned memory accesses.
|
|
Enabling this option on architectures that support unaligned
|
|
accesses may produce a lot of false positives.
|
|
|
|
config UBSAN_SANITIZE_ALL
|
|
bool "Enable instrumentation for the entire kernel"
|
|
depends on ARCH_HAS_UBSAN_SANITIZE_ALL
|
|
default y
|
|
help
|
|
This option activates instrumentation for the entire kernel.
|
|
If you don't enable this option, you have to explicitly specify
|
|
UBSAN_SANITIZE := y for the files/directories you want to check for UB.
|
|
Enabling this option will get kernel image size increased
|
|
significantly.
|
|
|
|
config TEST_UBSAN
|
|
tristate "Module for testing for undefined behavior detection"
|
|
depends on m
|
|
help
|
|
This is a test module for UBSAN.
|
|
It triggers various undefined behavior, and detect it.
|
|
|
|
endif # if UBSAN
|