169 lines · plain
1# SPDX-License-Identifier: GPL-2.0-only2config ARCH_HAS_UBSAN3 bool4 5menuconfig UBSAN6 bool "Undefined behaviour sanity checker"7 depends on ARCH_HAS_UBSAN8 help9 This option enables the Undefined Behaviour sanity checker.10 Compile-time instrumentation is used to detect various undefined11 behaviours at runtime. For more details, see:12 Documentation/dev-tools/ubsan.rst13 14if UBSAN15 16config UBSAN_TRAP17 bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"18 depends on !COMPILE_TEST19 help20 Building kernels with Sanitizer features enabled tends to grow21 the kernel size by around 5%, due to adding all the debugging22 text on failure paths. To avoid this, Sanitizer instrumentation23 can just issue a trap. This reduces the kernel size overhead but24 turns all warnings (including potentially harmless conditions)25 into full exceptions that abort the running kernel code26 (regardless of context, locks held, etc), which may destabilize27 the system. For some system builders this is an acceptable28 trade-off.29 30 Also note that selecting Y will cause your kernel to Oops31 with an "illegal instruction" error with no further details32 when a UBSAN violation occurs. (Except on arm64 and x86, which33 will report which Sanitizer failed.) This may make it hard to34 determine whether an Oops was caused by UBSAN or to figure35 out the details of a UBSAN violation. It makes the kernel log36 output less useful for bug reports.37 38config CC_HAS_UBSAN_BOUNDS_STRICT39 def_bool $(cc-option,-fsanitize=bounds-strict)40 help41 The -fsanitize=bounds-strict option is only available on GCC,42 but uses the more strict handling of arrays that includes knowledge43 of flexible arrays, which is comparable to Clang's regular44 -fsanitize=bounds.45 46config CC_HAS_UBSAN_ARRAY_BOUNDS47 def_bool $(cc-option,-fsanitize=array-bounds)48 help49 Under Clang, the -fsanitize=bounds option is actually composed50 of two more specific options, -fsanitize=array-bounds and51 -fsanitize=local-bounds. However, -fsanitize=local-bounds can52 only be used when trap mode is enabled. (See also the help for53 CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds54 so that we can build up the options needed for UBSAN_BOUNDS55 with or without UBSAN_TRAP.56 57config UBSAN_BOUNDS58 bool "Perform array index bounds checking"59 default UBSAN60 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT61 help62 This option enables detection of directly indexed out of bounds63 array accesses, where the array size is known at compile time.64 Note that this does not protect array overflows via bad calls65 to the {str,mem}*cpy() family of functions (that is addressed66 by CONFIG_FORTIFY_SOURCE).67 68config UBSAN_BOUNDS_STRICT69 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT70 help71 GCC's bounds sanitizer. This option is used to select the72 correct options in Makefile.ubsan.73 74config UBSAN_ARRAY_BOUNDS75 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS76 help77 Clang's array bounds sanitizer. This option is used to select78 the correct options in Makefile.ubsan.79 80config UBSAN_LOCAL_BOUNDS81 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP82 help83 This option enables Clang's -fsanitize=local-bounds which traps84 when an access through a pointer that is derived from an object85 of a statically-known size, where an added offset (which may not86 be known statically) is out-of-bounds. Since this option is87 trap-only, it depends on CONFIG_UBSAN_TRAP.88 89config UBSAN_SHIFT90 bool "Perform checking for bit-shift overflows"91 depends on $(cc-option,-fsanitize=shift)92 help93 This option enables -fsanitize=shift which checks for bit-shift94 operations that overflow to the left or go switch to negative95 for signed types.96 97config UBSAN_DIV_ZERO98 bool "Perform checking for integer divide-by-zero"99 depends on $(cc-option,-fsanitize=integer-divide-by-zero)100 # https://github.com/ClangBuiltLinux/linux/issues/1657101 # https://github.com/llvm/llvm-project/issues/56289102 depends on !CC_IS_CLANG103 help104 This option enables -fsanitize=integer-divide-by-zero which checks105 for integer division by zero. This is effectively redundant with the106 kernel's existing exception handling, though it can provide greater107 debugging information under CONFIG_UBSAN_REPORT_FULL.108 109config UBSAN_UNREACHABLE110 bool "Perform checking for unreachable code"111 # objtool already handles unreachable checking and gets angry about112 # seeing UBSan instrumentation located in unreachable places.113 depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))114 depends on $(cc-option,-fsanitize=unreachable)115 help116 This option enables -fsanitize=unreachable which checks for control117 flow reaching an expected-to-be-unreachable position.118 119config UBSAN_SIGNED_WRAP120 bool "Perform checking for signed arithmetic wrap-around"121 default UBSAN122 depends on !COMPILE_TEST123 # The no_sanitize attribute was introduced in GCC with version 8.124 depends on !CC_IS_GCC || GCC_VERSION >= 80000125 depends on $(cc-option,-fsanitize=signed-integer-overflow)126 help127 This option enables -fsanitize=signed-integer-overflow which checks128 for wrap-around of any arithmetic operations with signed integers.129 This currently performs nearly no instrumentation due to the130 kernel's use of -fno-strict-overflow which converts all would-be131 arithmetic undefined behavior into wrap-around arithmetic. Future132 sanitizer versions will allow for wrap-around checking (rather than133 exclusively undefined behavior).134 135config UBSAN_BOOL136 bool "Perform checking for non-boolean values used as boolean"137 default UBSAN138 depends on $(cc-option,-fsanitize=bool)139 help140 This option enables -fsanitize=bool which checks for boolean values being141 loaded that are neither 0 nor 1.142 143config UBSAN_ENUM144 bool "Perform checking for out of bounds enum values"145 default UBSAN146 depends on $(cc-option,-fsanitize=enum)147 help148 This option enables -fsanitize=enum which checks for values being loaded149 into an enum that are outside the range of given values for the given enum.150 151config UBSAN_ALIGNMENT152 bool "Perform checking for misaligned pointer usage"153 default !HAVE_EFFICIENT_UNALIGNED_ACCESS154 depends on !UBSAN_TRAP && !COMPILE_TEST155 depends on $(cc-option,-fsanitize=alignment)156 help157 This option enables the check of unaligned memory accesses.158 Enabling this option on architectures that support unaligned159 accesses may produce a lot of false positives.160 161config TEST_UBSAN162 tristate "Module for testing for undefined behavior detection"163 depends on m164 help165 This is a test module for UBSAN.166 It triggers various undefined behavior, and detect it.167 168endif # if UBSAN169