blob: 59e21bfec188cc060a5426c88c1a8eb387956fea [file] [log] [blame]
Thomas Gleixnerec8f24b2019-05-19 13:07:45 +01001# SPDX-License-Identifier: GPL-2.0-only
Andrey Ryabininc6d30852016-01-20 15:00:55 -08002config ARCH_HAS_UBSAN_SANITIZE_ALL
3 bool
4
Kees Cook277a1082020-04-06 20:12:31 -07005menuconfig UBSAN
Andrey Ryabininc6d30852016-01-20 15:00:55 -08006 bool "Undefined behaviour sanity checker"
7 help
Kees Cook0887a7e2020-04-06 20:12:27 -07008 This option enables the Undefined Behaviour sanity checker.
Andrey Ryabininc6d30852016-01-20 15:00:55 -08009 Compile-time instrumentation is used to detect various undefined
Kees Cook0887a7e2020-04-06 20:12:27 -070010 behaviours at runtime. For more details, see:
11 Documentation/dev-tools/ubsan.rst
12
Kees Cook277a1082020-04-06 20:12:31 -070013if UBSAN
14
Kees Cook0887a7e2020-04-06 20:12:27 -070015config UBSAN_TRAP
Jann Hornce661672023-07-05 23:51:27 +020016 bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
Kees Cook797913782020-12-15 20:46:31 -080017 depends on !COMPILE_TEST
Kees Cook0887a7e2020-04-06 20:12:27 -070018 help
19 Building kernels with Sanitizer features enabled tends to grow
20 the kernel size by around 5%, due to adding all the debugging
21 text on failure paths. To avoid this, Sanitizer instrumentation
22 can just issue a trap. This reduces the kernel size overhead but
23 turns all warnings (including potentially harmless conditions)
24 into full exceptions that abort the running kernel code
25 (regardless of context, locks held, etc), which may destabilize
26 the system. For some system builders this is an acceptable
27 trade-off.
Andrey Ryabininc6d30852016-01-20 15:00:55 -080028
Jann Hornce661672023-07-05 23:51:27 +020029 Also note that selecting Y will cause your kernel to Oops
30 with an "illegal instruction" error with no further details
31 when a UBSAN violation occurs. (Except on arm64, which will
32 report which Sanitizer failed.) This may make it hard to
33 determine whether an Oops was caused by UBSAN or to figure
34 out the details of a UBSAN violation. It makes the kernel log
35 output less useful for bug reports.
36
Kees Cook2d47c692023-04-04 19:23:59 -070037config CC_HAS_UBSAN_BOUNDS_STRICT
38 def_bool $(cc-option,-fsanitize=bounds-strict)
39 help
40 The -fsanitize=bounds-strict option is only available on GCC,
41 but uses the more strict handling of arrays that includes knowledge
42 of flexible arrays, which is comparable to Clang's regular
43 -fsanitize=bounds.
Kees Cookcdf8a762020-12-15 20:46:24 -080044
45config CC_HAS_UBSAN_ARRAY_BOUNDS
46 def_bool $(cc-option,-fsanitize=array-bounds)
Kees Cook2d47c692023-04-04 19:23:59 -070047 help
48 Under Clang, the -fsanitize=bounds option is actually composed
49 of two more specific options, -fsanitize=array-bounds and
50 -fsanitize=local-bounds. However, -fsanitize=local-bounds can
51 only be used when trap mode is enabled. (See also the help for
52 CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
53 so that we can build up the options needed for UBSAN_BOUNDS
54 with or without UBSAN_TRAP.
Kees Cookcdf8a762020-12-15 20:46:24 -080055
Kees Cook277a1082020-04-06 20:12:31 -070056config UBSAN_BOUNDS
57 bool "Perform array index bounds checking"
58 default UBSAN
Kees Cook2d47c692023-04-04 19:23:59 -070059 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
Kees Cook277a1082020-04-06 20:12:31 -070060 help
61 This option enables detection of directly indexed out of bounds
62 array accesses, where the array size is known at compile time.
63 Note that this does not protect array overflows via bad calls
64 to the {str,mem}*cpy() family of functions (that is addressed
65 by CONFIG_FORTIFY_SOURCE).
66
Kees Cook2d47c692023-04-04 19:23:59 -070067config UBSAN_BOUNDS_STRICT
68 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
Kees Cookcdf8a762020-12-15 20:46:24 -080069 help
Kees Cook2d47c692023-04-04 19:23:59 -070070 GCC's bounds sanitizer. This option is used to select the
71 correct options in Makefile.ubsan.
Kees Cookcdf8a762020-12-15 20:46:24 -080072
73config UBSAN_ARRAY_BOUNDS
Kees Cook2d47c692023-04-04 19:23:59 -070074 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
75 help
76 Clang's array bounds sanitizer. This option is used to select
77 the correct options in Makefile.ubsan.
Kees Cookcdf8a762020-12-15 20:46:24 -080078
George Popescu6a6155f2020-10-15 20:13:38 -070079config UBSAN_LOCAL_BOUNDS
Kees Cook2d47c692023-04-04 19:23:59 -070080 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
George Popescu6a6155f2020-10-15 20:13:38 -070081 help
Kees Cook2d47c692023-04-04 19:23:59 -070082 This option enables Clang's -fsanitize=local-bounds which traps
83 when an access through a pointer that is derived from an object
84 of a statically-known size, where an added offset (which may not
85 be known statically) is out-of-bounds. Since this option is
86 trap-only, it depends on CONFIG_UBSAN_TRAP.
George Popescu6a6155f2020-10-15 20:13:38 -070087
Kees Cookcdf8a762020-12-15 20:46:24 -080088config UBSAN_SHIFT
Kees Cookc6376932020-12-15 20:46:39 -080089 bool "Perform checking for bit-shift overflows"
90 default UBSAN
Kees Cookcdf8a762020-12-15 20:46:24 -080091 depends on $(cc-option,-fsanitize=shift)
Kees Cookc6376932020-12-15 20:46:39 -080092 help
93 This option enables -fsanitize=shift which checks for bit-shift
94 operations that overflow to the left or go switch to negative
95 for signed types.
Kees Cookcdf8a762020-12-15 20:46:24 -080096
97config UBSAN_DIV_ZERO
Kees Cookc6376932020-12-15 20:46:39 -080098 bool "Perform checking for integer divide-by-zero"
Kees Cookcdf8a762020-12-15 20:46:24 -080099 depends on $(cc-option,-fsanitize=integer-divide-by-zero)
Nick Desaulnierse5d523f2022-07-14 13:56:43 -0700100 # https://github.com/ClangBuiltLinux/linux/issues/1657
101 # https://github.com/llvm/llvm-project/issues/56289
102 depends on !CC_IS_CLANG
Kees Cookc6376932020-12-15 20:46:39 -0800103 help
104 This option enables -fsanitize=integer-divide-by-zero which checks
105 for integer division by zero. This is effectively redundant with the
106 kernel's existing exception handling, though it can provide greater
107 debugging information under CONFIG_UBSAN_REPORT_FULL.
Kees Cookcdf8a762020-12-15 20:46:24 -0800108
109config UBSAN_UNREACHABLE
Kees Cookc6376932020-12-15 20:46:39 -0800110 bool "Perform checking for unreachable code"
111 # objtool already handles unreachable checking and gets angry about
112 # seeing UBSan instrumentation located in unreachable places.
Josh Poimboeufc2f75a42022-06-01 09:42:12 -0700113 depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
Kees Cookcdf8a762020-12-15 20:46:24 -0800114 depends on $(cc-option,-fsanitize=unreachable)
Kees Cookc6376932020-12-15 20:46:39 -0800115 help
116 This option enables -fsanitize=unreachable which checks for control
117 flow reaching an expected-to-be-unreachable position.
Kees Cookcdf8a762020-12-15 20:46:24 -0800118
Kees Cookcdf8a762020-12-15 20:46:24 -0800119config UBSAN_BOOL
Kees Cookc6376932020-12-15 20:46:39 -0800120 bool "Perform checking for non-boolean values used as boolean"
121 default UBSAN
Kees Cookcdf8a762020-12-15 20:46:24 -0800122 depends on $(cc-option,-fsanitize=bool)
Kees Cookc6376932020-12-15 20:46:39 -0800123 help
124 This option enables -fsanitize=bool which checks for boolean values being
125 loaded that are neither 0 nor 1.
Kees Cookcdf8a762020-12-15 20:46:24 -0800126
127config UBSAN_ENUM
Kees Cookc6376932020-12-15 20:46:39 -0800128 bool "Perform checking for out of bounds enum values"
129 default UBSAN
Kees Cookcdf8a762020-12-15 20:46:24 -0800130 depends on $(cc-option,-fsanitize=enum)
Kees Cookc6376932020-12-15 20:46:39 -0800131 help
132 This option enables -fsanitize=enum which checks for values being loaded
133 into an enum that are outside the range of given values for the given enum.
134
135config UBSAN_ALIGNMENT
136 bool "Perform checking for misaligned pointer usage"
137 default !HAVE_EFFICIENT_UNALIGNED_ACCESS
138 depends on !UBSAN_TRAP && !COMPILE_TEST
139 depends on $(cc-option,-fsanitize=alignment)
140 help
141 This option enables the check of unaligned memory accesses.
142 Enabling this option on architectures that support unaligned
143 accesses may produce a lot of false positives.
Kees Cookcdf8a762020-12-15 20:46:24 -0800144
Andrey Ryabininc6d30852016-01-20 15:00:55 -0800145config UBSAN_SANITIZE_ALL
146 bool "Enable instrumentation for the entire kernel"
Andrey Ryabininc6d30852016-01-20 15:00:55 -0800147 depends on ARCH_HAS_UBSAN_SANITIZE_ALL
148 default y
149 help
150 This option activates instrumentation for the entire kernel.
151 If you don't enable this option, you have to explicitly specify
152 UBSAN_SANITIZE := y for the files/directories you want to check for UB.
Yang Shi77075352016-02-11 16:12:55 -0800153 Enabling this option will get kernel image size increased
154 significantly.
Andrey Ryabininc6d30852016-01-20 15:00:55 -0800155
Jinbum Park854686f2018-04-10 16:32:58 -0700156config TEST_UBSAN
157 tristate "Module for testing for undefined behavior detection"
Kees Cook277a1082020-04-06 20:12:31 -0700158 depends on m
Jinbum Park854686f2018-04-10 16:32:58 -0700159 help
160 This is a test module for UBSAN.
161 It triggers various undefined behavior, and detect it.
Kees Cook277a1082020-04-06 20:12:31 -0700162
163endif # if UBSAN