| # SPDX-License-Identifier: GPL-2.0-only |
| config ARCH_HAS_UBSAN_SANITIZE_ALL |
| bool |
| |
| menuconfig UBSAN |
| bool "Undefined behaviour sanity checker" |
| help |
| This option enables the Undefined Behaviour sanity checker. |
| Compile-time instrumentation is used to detect various undefined |
| behaviours at runtime. For more details, see: |
| Documentation/dev-tools/ubsan.rst |
| |
| if UBSAN |
| |
| config UBSAN_TRAP |
| bool "On Sanitizer warnings, abort the running kernel code" |
| depends on $(cc-option, -fsanitize-undefined-trap-on-error) |
| help |
| Building kernels with Sanitizer features enabled tends to grow |
| the kernel size by around 5%, due to adding all the debugging |
| text on failure paths. To avoid this, Sanitizer instrumentation |
| can just issue a trap. This reduces the kernel size overhead but |
| turns all warnings (including potentially harmless conditions) |
| into full exceptions that abort the running kernel code |
| (regardless of context, locks held, etc), which may destabilize |
| the system. For some system builders this is an acceptable |
| trade-off. |
| |
| config UBSAN_KCOV_BROKEN |
| def_bool KCOV && CC_HAS_SANCOV_TRACE_PC |
| depends on CC_IS_CLANG |
| depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc) |
| help |
| Some versions of clang support either UBSAN or KCOV but not the |
| combination of the two. |
| See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status |
| in newer releases. |
| |
| config UBSAN_BOUNDS |
| bool "Perform array index bounds checking" |
| default UBSAN |
| depends on !UBSAN_KCOV_BROKEN |
| help |
| This option enables detection of directly indexed out of bounds |
| array accesses, where the array size is known at compile time. |
| Note that this does not protect array overflows via bad calls |
| to the {str,mem}*cpy() family of functions (that is addressed |
| by CONFIG_FORTIFY_SOURCE). |
| |
| config UBSAN_LOCAL_BOUNDS |
| bool "Perform array local bounds checking" |
| depends on UBSAN_TRAP |
| depends on CC_IS_CLANG |
| depends on !UBSAN_KCOV_BROKEN |
| help |
| This option enables -fsanitize=local-bounds which traps when an |
| exception/error is detected. Therefore, it should be enabled only |
| if trapping is expected. |
| Enabling this option detects errors due to accesses through a |
| pointer that is derived from an object of a statically-known size, |
| where an added offset (which may not be known statically) is |
| out-of-bounds. |
| |
| config UBSAN_MISC |
| bool "Enable all other Undefined Behavior sanity checks" |
| default UBSAN |
| help |
| This option enables all sanity checks that don't have their |
| own Kconfig options. Disable this if you only want to have |
| individually selected checks. |
| |
| config UBSAN_SANITIZE_ALL |
| bool "Enable instrumentation for the entire kernel" |
| depends on ARCH_HAS_UBSAN_SANITIZE_ALL |
| depends on !COMPILE_TEST |
| default y |
| help |
| This option activates instrumentation for the entire kernel. |
| If you don't enable this option, you have to explicitly specify |
| UBSAN_SANITIZE := y for the files/directories you want to check for UB. |
| Enabling this option will get kernel image size increased |
| significantly. |
| |
| config UBSAN_ALIGNMENT |
| bool "Enable checks for pointers alignment" |
| default !HAVE_EFFICIENT_UNALIGNED_ACCESS |
| depends on !UBSAN_TRAP |
| help |
| This option enables the check of unaligned memory accesses. |
| Enabling this option on architectures that support unaligned |
| accesses may produce a lot of false positives. |
| |
| config TEST_UBSAN |
| tristate "Module for testing for undefined behavior detection" |
| depends on m |
| help |
| This is a test module for UBSAN. |
| It triggers various undefined behavior, and detect it. |
| |
| endif # if UBSAN |