Thomas Gleixner | ec8f24b | 2019-05-19 13:07:45 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
Andrey Ryabinin | c6d3085 | 2016-01-20 15:00:55 -0800 | [diff] [blame] | 2 | config ARCH_HAS_UBSAN_SANITIZE_ALL |
| 3 | bool |
| 4 | |
Kees Cook | 277a108 | 2020-04-06 20:12:31 -0700 | [diff] [blame] | 5 | menuconfig UBSAN |
Andrey Ryabinin | c6d3085 | 2016-01-20 15:00:55 -0800 | [diff] [blame] | 6 | bool "Undefined behaviour sanity checker" |
| 7 | help |
Kees Cook | 0887a7e | 2020-04-06 20:12:27 -0700 | [diff] [blame] | 8 | This option enables the Undefined Behaviour sanity checker. |
Andrey Ryabinin | c6d3085 | 2016-01-20 15:00:55 -0800 | [diff] [blame] | 9 | Compile-time instrumentation is used to detect various undefined |
Kees Cook | 0887a7e | 2020-04-06 20:12:27 -0700 | [diff] [blame] | 10 | behaviours at runtime. For more details, see: |
| 11 | Documentation/dev-tools/ubsan.rst |
| 12 | |
Kees Cook | 277a108 | 2020-04-06 20:12:31 -0700 | [diff] [blame] | 13 | if UBSAN |
| 14 | |
Kees Cook | 0887a7e | 2020-04-06 20:12:27 -0700 | [diff] [blame] | 15 | config UBSAN_TRAP |
Jann Horn | ce66167 | 2023-07-05 23:51:27 +0200 | [diff] [blame] | 16 | bool "Abort on Sanitizer warnings (smaller kernel but less verbose)" |
Kees Cook | 79791378 | 2020-12-15 20:46:31 -0800 | [diff] [blame] | 17 | depends on !COMPILE_TEST |
Kees Cook | 0887a7e | 2020-04-06 20:12:27 -0700 | [diff] [blame] | 18 | help |
| 19 | Building kernels with Sanitizer features enabled tends to grow |
| 20 | the kernel size by around 5%, due to adding all the debugging |
| 21 | text on failure paths. To avoid this, Sanitizer instrumentation |
| 22 | can just issue a trap. This reduces the kernel size overhead but |
| 23 | turns all warnings (including potentially harmless conditions) |
| 24 | into full exceptions that abort the running kernel code |
| 25 | (regardless of context, locks held, etc.), which may destabilize |
| 26 | the system. For some system builders this is an acceptable |
| 27 | trade-off. |
Andrey Ryabinin | c6d3085 | 2016-01-20 15:00:55 -0800 | [diff] [blame] | 28 | |
Jann Horn | ce66167 | 2023-07-05 23:51:27 +0200 | [diff] [blame] | 29 | Also note that selecting Y will cause your kernel to Oops |
| 30 | with an "illegal instruction" error with no further details |
| 31 | when a UBSAN violation occurs. (Except on arm64, which will |
| 32 | report which Sanitizer failed.) This may make it hard to |
| 33 | determine whether an Oops was caused by UBSAN or to figure |
| 34 | out the details of a UBSAN violation. It makes the kernel log |
| 35 | output less useful for bug reports. |
| 36 | |
Kees Cook | 2d47c69 | 2023-04-04 19:23:59 -0700 | [diff] [blame] | 37 | config CC_HAS_UBSAN_BOUNDS_STRICT |
| 38 | def_bool $(cc-option,-fsanitize=bounds-strict) |
| 39 | help |
| 40 | The -fsanitize=bounds-strict option is only available on GCC, |
| 41 | but uses the more strict handling of arrays that includes knowledge |
| 42 | of flexible arrays, which is comparable to Clang's regular |
| 43 | -fsanitize=bounds. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 44 | |
| 45 | config CC_HAS_UBSAN_ARRAY_BOUNDS |
| 46 | def_bool $(cc-option,-fsanitize=array-bounds) |
Kees Cook | 2d47c69 | 2023-04-04 19:23:59 -0700 | [diff] [blame] | 47 | help |
| 48 | Under Clang, the -fsanitize=bounds option is actually composed |
| 49 | of two more specific options, -fsanitize=array-bounds and |
| 50 | -fsanitize=local-bounds. However, -fsanitize=local-bounds can |
| 51 | only be used when trap mode is enabled. (See also the help for |
| 52 | CONFIG_UBSAN_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds |
| 53 | so that we can build up the options needed for UBSAN_BOUNDS |
| 54 | with or without UBSAN_TRAP. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 55 | |
Kees Cook | 277a108 | 2020-04-06 20:12:31 -0700 | [diff] [blame] | 56 | config UBSAN_BOUNDS |
| 57 | bool "Perform array index bounds checking" |
| 58 | default UBSAN |
Kees Cook | 2d47c69 | 2023-04-04 19:23:59 -0700 | [diff] [blame] | 59 | depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT |
Kees Cook | 277a108 | 2020-04-06 20:12:31 -0700 | [diff] [blame] | 60 | help |
| 61 | This option enables detection of directly indexed out of bounds |
| 62 | array accesses, where the array size is known at compile time. |
| 63 | Note that this does not protect against array overflows via bad calls |
| 64 | to the {str,mem}*cpy() family of functions (that is addressed |
| 65 | by CONFIG_FORTIFY_SOURCE). |
| 66 | |
Kees Cook | 2d47c69 | 2023-04-04 19:23:59 -0700 | [diff] [blame] | 67 | config UBSAN_BOUNDS_STRICT |
| 68 | def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 69 | help |
Kees Cook | 2d47c69 | 2023-04-04 19:23:59 -0700 | [diff] [blame] | 70 | GCC's bounds sanitizer. This option is used to select the |
| 71 | correct options in Makefile.ubsan. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 72 | |
| 73 | config UBSAN_ARRAY_BOUNDS |
Kees Cook | 2d47c69 | 2023-04-04 19:23:59 -0700 | [diff] [blame] | 74 | def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS |
| 75 | help |
| 76 | Clang's array bounds sanitizer. This option is used to select |
| 77 | the correct options in Makefile.ubsan. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 78 | |
George Popescu | 6a6155f | 2020-10-15 20:13:38 -0700 | [diff] [blame] | 79 | config UBSAN_LOCAL_BOUNDS |
Kees Cook | 2d47c69 | 2023-04-04 19:23:59 -0700 | [diff] [blame] | 80 | def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP |
George Popescu | 6a6155f | 2020-10-15 20:13:38 -0700 | [diff] [blame] | 81 | help |
Kees Cook | 2d47c69 | 2023-04-04 19:23:59 -0700 | [diff] [blame] | 82 | This option enables Clang's -fsanitize=local-bounds which traps |
| 83 | on an access through a pointer that is derived from an object |
| 84 | of a statically-known size, where an added offset (which may not |
| 85 | be known statically) is out-of-bounds. Since this option is |
| 86 | trap-only, it depends on CONFIG_UBSAN_TRAP. |
George Popescu | 6a6155f | 2020-10-15 20:13:38 -0700 | [diff] [blame] | 87 | |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 88 | config UBSAN_SHIFT |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 89 | bool "Perform checking for bit-shift overflows" |
| 90 | default UBSAN |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 91 | depends on $(cc-option,-fsanitize=shift) |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 92 | help |
| 93 | This option enables -fsanitize=shift which checks for bit-shift |
| 94 | operations that overflow to the left or switch to negative |
| 95 | for signed types. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 96 | |
| 97 | config UBSAN_DIV_ZERO |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 98 | bool "Perform checking for integer divide-by-zero" |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 99 | depends on $(cc-option,-fsanitize=integer-divide-by-zero) |
Nick Desaulniers | e5d523f | 2022-07-14 13:56:43 -0700 | [diff] [blame] | 100 | # https://github.com/ClangBuiltLinux/linux/issues/1657 |
| 101 | # https://github.com/llvm/llvm-project/issues/56289 |
| 102 | depends on !CC_IS_CLANG |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 103 | help |
| 104 | This option enables -fsanitize=integer-divide-by-zero which checks |
| 105 | for integer division by zero. This is effectively redundant with the |
| 106 | kernel's existing exception handling, though it can provide greater |
| 107 | debugging information under CONFIG_UBSAN_REPORT_FULL. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 108 | |
| 109 | config UBSAN_UNREACHABLE |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 110 | bool "Perform checking for unreachable code" |
| 111 | # objtool already handles unreachable checking and gets angry about |
| 112 | # seeing UBSan instrumentation located in unreachable places. |
Josh Poimboeuf | c2f75a4 | 2022-06-01 09:42:12 -0700 | [diff] [blame] | 113 | depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION)) |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 114 | depends on $(cc-option,-fsanitize=unreachable) |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 115 | help |
| 116 | This option enables -fsanitize=unreachable which checks for control |
| 117 | flow reaching an expected-to-be-unreachable position. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 118 | |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 119 | config UBSAN_BOOL |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 120 | bool "Perform checking for non-boolean values used as boolean" |
| 121 | default UBSAN |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 122 | depends on $(cc-option,-fsanitize=bool) |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 123 | help |
| 124 | This option enables -fsanitize=bool which checks for boolean values being |
| 125 | loaded that are neither 0 nor 1. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 126 | |
| 127 | config UBSAN_ENUM |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 128 | bool "Perform checking for out of bounds enum values" |
| 129 | default UBSAN |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 130 | depends on $(cc-option,-fsanitize=enum) |
Kees Cook | c637693 | 2020-12-15 20:46:39 -0800 | [diff] [blame] | 131 | help |
| 132 | This option enables -fsanitize=enum which checks for values being loaded |
| 133 | into an enum that are outside the range of given values for the given enum. |
| 134 | |
| 135 | config UBSAN_ALIGNMENT |
| 136 | bool "Perform checking for misaligned pointer usage" |
| 137 | default !HAVE_EFFICIENT_UNALIGNED_ACCESS |
| 138 | depends on !UBSAN_TRAP && !COMPILE_TEST |
| 139 | depends on $(cc-option,-fsanitize=alignment) |
| 140 | help |
| 141 | This option enables the check of unaligned memory accesses. |
| 142 | Enabling this option on architectures that support unaligned |
| 143 | accesses may produce a lot of false positives. |
Kees Cook | cdf8a76 | 2020-12-15 20:46:24 -0800 | [diff] [blame] | 144 | |
Andrey Ryabinin | c6d3085 | 2016-01-20 15:00:55 -0800 | [diff] [blame] | 145 | config UBSAN_SANITIZE_ALL |
| 146 | bool "Enable instrumentation for the entire kernel" |
Andrey Ryabinin | c6d3085 | 2016-01-20 15:00:55 -0800 | [diff] [blame] | 147 | depends on ARCH_HAS_UBSAN_SANITIZE_ALL |
| 148 | default y |
| 149 | help |
| 150 | This option activates instrumentation for the entire kernel. |
| 151 | If you don't enable this option, you have to explicitly specify |
| 152 | UBSAN_SANITIZE := y for the files/directories you want to check for UB. |
Yang Shi | 7707535 | 2016-02-11 16:12:55 -0800 | [diff] [blame] | 153 | Enabling this option will increase the kernel image size |
| 154 | significantly. |
Andrey Ryabinin | c6d3085 | 2016-01-20 15:00:55 -0800 | [diff] [blame] | 155 | |
Jinbum Park | 854686f | 2018-04-10 16:32:58 -0700 | [diff] [blame] | 156 | config TEST_UBSAN |
| 157 | tristate "Module for testing for undefined behavior detection" |
Kees Cook | 277a108 | 2020-04-06 20:12:31 -0700 | [diff] [blame] | 158 | depends on m |
Jinbum Park | 854686f | 2018-04-10 16:32:58 -0700 | [diff] [blame] | 159 | help |
| 160 | This is a test module for UBSAN. |
| 161 | It triggers various undefined behaviors and detects them. |
Kees Cook | 277a108 | 2020-04-06 20:12:31 -0700 | [diff] [blame] | 162 | |
| 163 | endif # if UBSAN |
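
The dependencies and trade-offs stated in the help texts above can be checked against a built kernel's .config. The script below is an added example, not part of Kconfig.ubsan or the kernel tree; the function names, the finding codes and the sample .config are constructed for illustration, and CONFIG_ARM64 is assumed to be the symbol that identifies an arm64 build.

```shell
#!/bin/sh
# Added example, not kernel code: check a kernel .config against the
# relations stated in the Kconfig.ubsan help texts shown above.

# is_set FILE SYMBOL: succeeds when CONFIG_SYMBOL=y appears in FILE.
is_set() { grep -q "^CONFIG_$2=y\$" "$1"; }

# ubsan_audit FILE: print one "CODE: explanation" line per finding.
ubsan_audit() {
    cfg=$1
    if ! is_set "$cfg" UBSAN; then
        echo "UBSAN_OFF: no UBSAN_* check is built"
        return 0
    fi
    if ! is_set "$cfg" UBSAN_SANITIZE_ALL; then
        echo "PARTIAL: only objects with UBSAN_SANITIZE := y are instrumented"
    fi
    if is_set "$cfg" UBSAN_TRAP; then
        if ! is_set "$cfg" ARM64; then
            echo "TRAP_OPAQUE: violations Oops as 'illegal instruction' with no details"
        fi
        if is_set "$cfg" UBSAN_ALIGNMENT; then
            echo "INVALID: UBSAN_ALIGNMENT depends on !UBSAN_TRAP"
        fi
    elif is_set "$cfg" UBSAN_LOCAL_BOUNDS; then
        echo "INVALID: UBSAN_LOCAL_BOUNDS is trap-only and needs UBSAN_TRAP"
    fi
    if ! is_set "$cfg" UBSAN_BOUNDS; then
        echo "NO_BOUNDS: directly indexed out-of-bounds accesses are not checked"
    elif ! is_set "$cfg" FORTIFY_SOURCE; then
        echo "NO_FORTIFY: UBSAN_BOUNDS does not cover {str,mem}*cpy() overflows"
    fi
    return 0
}

# Constructed sample .config: trap mode, not arm64, FORTIFY_SOURCE off.
sample_config() {
    cat <<'EOF'
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_LOCAL_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_FORTIFY_SOURCE is not set
EOF
}

tmp=$(mktemp); sample_config > "$tmp"; ubsan_audit "$tmp"; rm -f "$tmp"
```

An INVALID finding means the .config cannot have come from a clean Kconfig run and was probably edited by hand.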