| # SPDX-License-Identifier: GPL-2.0-only |
| config ARCH_HAS_UBSAN |
| bool |
| |
| menuconfig UBSAN |
| bool "Undefined behaviour sanity checker" |
| depends on ARCH_HAS_UBSAN |
| help |
| This option enables the Undefined Behaviour sanity checker. |
| Compile-time instrumentation is used to detect various undefined |
| behaviours at runtime. For more details, see: |
| Documentation/dev-tools/ubsan.rst |
| |
| if UBSAN |
| |
| config UBSAN_TRAP |
| bool "Abort on Sanitizer warnings (smaller kernel but less verbose)" |
| depends on !COMPILE_TEST |
| help |
| Building kernels with Sanitizer features enabled tends to grow |
| the kernel size by around 5%, due to adding all the debugging |
| text on failure paths. To avoid this, Sanitizer instrumentation |
| can just issue a trap. This reduces the kernel size overhead but |
| turns all warnings (including potentially harmless conditions) |
| into full exceptions that abort the running kernel code |
| (regardless of context, locks held, etc), which may destabilize |
| the system. For some system builders this is an acceptable |
| trade-off. |
| |
| Also note that selecting Y will cause your kernel to Oops |
| with an "illegal instruction" error with no further details |
| when a UBSAN violation occurs. (Except on arm64 and x86, which |
| will report which Sanitizer failed.) This may make it hard to |
| determine whether an Oops was caused by UBSAN or to figure |
| out the details of a UBSAN violation. It makes the kernel log |
| output less useful for bug reports. |
| |
| config CC_HAS_UBSAN_BOUNDS_STRICT |
| def_bool $(cc-option,-fsanitize=bounds-strict) |
| help |
| The -fsanitize=bounds-strict option is only available on GCC, |
| but uses the more strict handling of arrays that includes knowledge |
| of flexible arrays, which is comparable to Clang's regular |
| -fsanitize=bounds. |
| |
| config CC_HAS_UBSAN_ARRAY_BOUNDS |
| def_bool $(cc-option,-fsanitize=array-bounds) |
| help |
| Under Clang, the -fsanitize=bounds option is actually composed |
| of two more specific options, -fsanitize=array-bounds and |
| -fsanitize=local-bounds. However, -fsanitize=local-bounds can |
| only be used when trap mode is enabled. (See also the help for |
| CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds |
| so that we can build up the options needed for UBSAN_BOUNDS |
| with or without UBSAN_TRAP. |
| |
| config UBSAN_BOUNDS |
| bool "Perform array index bounds checking" |
| default UBSAN |
| depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT |
| help |
| This option enables detection of directly indexed out of bounds |
| array accesses, where the array size is known at compile time. |
| Note that this does not protect array overflows via bad calls |
| to the {str,mem}*cpy() family of functions (that is addressed |
| by CONFIG_FORTIFY_SOURCE). |
| |
| config UBSAN_BOUNDS_STRICT |
| def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT |
| help |
| GCC's bounds sanitizer. This option is used to select the |
| correct options in Makefile.ubsan. |
| |
| config UBSAN_ARRAY_BOUNDS |
| def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS |
| help |
| Clang's array bounds sanitizer. This option is used to select |
| the correct options in Makefile.ubsan. |
| |
| config UBSAN_LOCAL_BOUNDS |
| def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP |
| help |
| This option enables Clang's -fsanitize=local-bounds which traps |
| when an access through a pointer that is derived from an object |
| of a statically-known size, where an added offset (which may not |
| be known statically) is out-of-bounds. Since this option is |
| trap-only, it depends on CONFIG_UBSAN_TRAP. |
| |
| config UBSAN_SHIFT |
| bool "Perform checking for bit-shift overflows" |
| depends on $(cc-option,-fsanitize=shift) |
| help |
| This option enables -fsanitize=shift which checks for bit-shift |
| operations that overflow to the left or go switch to negative |
| for signed types. |
| |
| config UBSAN_DIV_ZERO |
| bool "Perform checking for integer divide-by-zero" |
| depends on $(cc-option,-fsanitize=integer-divide-by-zero) |
| # https://github.com/ClangBuiltLinux/linux/issues/1657 |
| # https://github.com/llvm/llvm-project/issues/56289 |
| depends on !CC_IS_CLANG |
| help |
| This option enables -fsanitize=integer-divide-by-zero which checks |
| for integer division by zero. This is effectively redundant with the |
| kernel's existing exception handling, though it can provide greater |
| debugging information under CONFIG_UBSAN_REPORT_FULL. |
| |
| config UBSAN_UNREACHABLE |
| bool "Perform checking for unreachable code" |
| # objtool already handles unreachable checking and gets angry about |
| # seeing UBSan instrumentation located in unreachable places. |
| depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION)) |
| depends on $(cc-option,-fsanitize=unreachable) |
| help |
| This option enables -fsanitize=unreachable which checks for control |
| flow reaching an expected-to-be-unreachable position. |
| |
| config UBSAN_INTEGER_WRAP |
| bool "Perform checking for integer arithmetic wrap-around" |
| # This is very experimental so drop the next line if you really want it |
| depends on BROKEN |
| depends on !COMPILE_TEST |
| depends on $(cc-option,-fsanitize-undefined-ignore-overflow-pattern=all) |
| depends on $(cc-option,-fsanitize=signed-integer-overflow) |
| depends on $(cc-option,-fsanitize=unsigned-integer-overflow) |
| depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) |
| depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) |
| depends on $(cc-option,-fsanitize-ignorelist=/dev/null) |
| help |
| This option enables all of the sanitizers involved in integer overflow |
| (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow, |
| implicit-signed-integer-truncation, and implicit-unsigned-integer-truncation. |
| This is currently limited only to the size_t type while testing and |
| compiler development continues. |
| |
| config UBSAN_BOOL |
| bool "Perform checking for non-boolean values used as boolean" |
| default UBSAN |
| depends on $(cc-option,-fsanitize=bool) |
| help |
| This option enables -fsanitize=bool which checks for boolean values being |
| loaded that are neither 0 nor 1. |
| |
| config UBSAN_ENUM |
| bool "Perform checking for out of bounds enum values" |
| default UBSAN |
| depends on $(cc-option,-fsanitize=enum) |
| help |
| This option enables -fsanitize=enum which checks for values being loaded |
| into an enum that are outside the range of given values for the given enum. |
| |
| config UBSAN_ALIGNMENT |
| bool "Perform checking for misaligned pointer usage" |
| default !HAVE_EFFICIENT_UNALIGNED_ACCESS |
| depends on !UBSAN_TRAP && !COMPILE_TEST |
| depends on $(cc-option,-fsanitize=alignment) |
| help |
| This option enables the check of unaligned memory accesses. |
| Enabling this option on architectures that support unaligned |
| accesses may produce a lot of false positives. |
| |
| config TEST_UBSAN |
| tristate "Module for testing for undefined behavior detection" |
| depends on m |
| help |
| This is a test module for UBSAN. |
| It triggers various undefined behavior, and detect it. |
| |
| config UBSAN_KVM_EL2 |
| bool "UBSAN for KVM code at EL2" |
| depends on ARM64 |
| help |
| Enable UBSAN when running on ARM64 with KVM in a split mode |
| (nvhe/hvhe/protected) for the hypervisor code running in EL2. |
| In this mode, any UBSAN violation in EL2 would panic the kernel |
| and information similar to UBSAN_TRAP would be printed. |
| |
| endif # if UBSAN |
