Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
918327e9 | 2 | config ARCH_HAS_UBSAN |
c6d30853 AR |
3 | bool |
4 | ||
277a1085 | 5 | menuconfig UBSAN |
c6d30853 AR |
6 | bool "Undefined behaviour sanity checker" |
7 | help | |
0887a7eb | 8 | This option enables the Undefined Behaviour sanity checker. |
c6d30853 | 9 | Compile-time instrumentation is used to detect various undefined |
0887a7eb KC |
10 | behaviours at runtime. For more details, see: |
11 | Documentation/dev-tools/ubsan.rst | |
12 | ||
277a1085 KC |
13 | if UBSAN |
14 | ||
0887a7eb | 15 | config UBSAN_TRAP |
ce661672 | 16 | bool "Abort on Sanitizer warnings (smaller kernel but less verbose)" |
79791378 | 17 | depends on !COMPILE_TEST |
0887a7eb KC |
18 | help |
19 | Building kernels with Sanitizer features enabled tends to grow | |
20 | the kernel size by around 5%, due to adding all the debugging | |
21 | text on failure paths. To avoid this, Sanitizer instrumentation | |
22 | can just issue a trap. This reduces the kernel size overhead but | |
23 | turns all warnings (including potentially harmless conditions) | |
24 | into full exceptions that abort the running kernel code | |
25 | (regardless of context, locks held, etc), which may destabilize | |
26 | the system. For some system builders this is an acceptable | |
27 | trade-off. | |
c6d30853 | 28 | |
ce661672 JH |
29 | Also note that selecting Y will cause your kernel to Oops |
30 | with an "illegal instruction" error with no further details | |
31 | when a UBSAN violation occurs. (Except on arm64, which will | |
32 | report which Sanitizer failed.) This may make it hard to | |
33 | determine whether an Oops was caused by UBSAN or to figure | |
34 | out the details of a UBSAN violation. It makes the kernel log | |
35 | output less useful for bug reports. | |
36 | ||
2d47c695 KC |
37 | config CC_HAS_UBSAN_BOUNDS_STRICT |
38 | def_bool $(cc-option,-fsanitize=bounds-strict) | |
39 | help | |
40 | The -fsanitize=bounds-strict option is only available on GCC, | |
41 | but uses the more strict handling of arrays that includes knowledge | |
42 | of flexible arrays, which is comparable to Clang's regular | |
43 | -fsanitize=bounds. | |
cdf8a76f KC |
44 | |
45 | config CC_HAS_UBSAN_ARRAY_BOUNDS | |
46 | def_bool $(cc-option,-fsanitize=array-bounds) | |
2d47c695 KC |
47 | help |
48 | Under Clang, the -fsanitize=bounds option is actually composed | |
49 | of two more specific options, -fsanitize=array-bounds and | |
50 | -fsanitize=local-bounds. However, -fsanitize=local-bounds can | |
51 | only be used when trap mode is enabled. (See also the help for | |
52 | CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds | |
53 | so that we can build up the options needed for UBSAN_BOUNDS | |
54 | with or without UBSAN_TRAP. | |
cdf8a76f | 55 | |
277a1085 KC |
56 | config UBSAN_BOUNDS |
57 | bool "Perform array index bounds checking" | |
58 | default UBSAN | |
2d47c695 | 59 | depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT |
277a1085 KC |
60 | help |
61 | This option enables detection of directly indexed out of bounds | |
62 | array accesses, where the array size is known at compile time. | |
63 | Note that this does not protect array overflows via bad calls | |
64 | to the {str,mem}*cpy() family of functions (that is addressed | |
65 | by CONFIG_FORTIFY_SOURCE). | |
66 | ||
2d47c695 KC |
67 | config UBSAN_BOUNDS_STRICT |
68 | def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT | |
cdf8a76f | 69 | help |
2d47c695 KC |
70 | GCC's bounds sanitizer. This option is used to select the |
71 | correct options in Makefile.ubsan. | |
cdf8a76f KC |
72 | |
73 | config UBSAN_ARRAY_BOUNDS | |
2d47c695 KC |
74 | def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS |
75 | help | |
76 | Clang's array bounds sanitizer. This option is used to select | |
77 | the correct options in Makefile.ubsan. | |
cdf8a76f | 78 | |
6a6155f6 | 79 | config UBSAN_LOCAL_BOUNDS |
2d47c695 | 80 | def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP |
6a6155f6 | 81 | help |
2d47c695 KC |
82 | This option enables Clang's -fsanitize=local-bounds which traps |
83 | when an access through a pointer that is derived from an object | |
84 | of a statically-known size, where an added offset (which may not | |
85 | be known statically) is out-of-bounds. Since this option is | |
86 | trap-only, it depends on CONFIG_UBSAN_TRAP. | |
6a6155f6 | 87 | |
cdf8a76f | 88 | config UBSAN_SHIFT |
c637693b | 89 | bool "Perform checking for bit-shift overflows" |
cdf8a76f | 90 | depends on $(cc-option,-fsanitize=shift) |
c637693b KC |
91 | help |
92 | This option enables -fsanitize=shift which checks for bit-shift | |
93 | operations that overflow to the left or go switch to negative | |
94 | for signed types. | |
cdf8a76f KC |
95 | |
96 | config UBSAN_DIV_ZERO | |
c637693b | 97 | bool "Perform checking for integer divide-by-zero" |
cdf8a76f | 98 | depends on $(cc-option,-fsanitize=integer-divide-by-zero) |
e5d523f1 ND |
99 | # https://github.com/ClangBuiltLinux/linux/issues/1657 |
100 | # https://github.com/llvm/llvm-project/issues/56289 | |
101 | depends on !CC_IS_CLANG | |
c637693b KC |
102 | help |
103 | This option enables -fsanitize=integer-divide-by-zero which checks | |
104 | for integer division by zero. This is effectively redundant with the | |
105 | kernel's existing exception handling, though it can provide greater | |
106 | debugging information under CONFIG_UBSAN_REPORT_FULL. | |
cdf8a76f KC |
107 | |
108 | config UBSAN_UNREACHABLE | |
c637693b KC |
109 | bool "Perform checking for unreachable code" |
110 | # objtool already handles unreachable checking and gets angry about | |
111 | # seeing UBSan instrumentation located in unreachable places. | |
c2f75a43 | 112 | depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION)) |
cdf8a76f | 113 | depends on $(cc-option,-fsanitize=unreachable) |
c637693b KC |
114 | help |
115 | This option enables -fsanitize=unreachable which checks for control | |
116 | flow reaching an expected-to-be-unreachable position. | |
cdf8a76f | 117 | |
557f8c58 KC |
118 | config UBSAN_SIGNED_WRAP |
119 | bool "Perform checking for signed arithmetic wrap-around" | |
120 | default UBSAN | |
121 | depends on !COMPILE_TEST | |
77fcc347 KC |
122 | # The no_sanitize attribute was introduced in GCC with version 8. |
123 | depends on !CC_IS_GCC || GCC_VERSION >= 80000 | |
557f8c58 KC |
124 | depends on $(cc-option,-fsanitize=signed-integer-overflow) |
125 | help | |
126 | This option enables -fsanitize=signed-integer-overflow which checks | |
127 | for wrap-around of any arithmetic operations with signed integers. | |
128 | This currently performs nearly no instrumentation due to the | |
129 | kernel's use of -fno-strict-overflow which converts all would-be | |
130 | arithmetic undefined behavior into wrap-around arithmetic. Future | |
131 | sanitizer versions will allow for wrap-around checking (rather than | |
132 | exclusively undefined behavior). | |
133 | ||
cdf8a76f | 134 | config UBSAN_BOOL |
c637693b KC |
135 | bool "Perform checking for non-boolean values used as boolean" |
136 | default UBSAN | |
cdf8a76f | 137 | depends on $(cc-option,-fsanitize=bool) |
c637693b KC |
138 | help |
139 | This option enables -fsanitize=bool which checks for boolean values being | |
140 | loaded that are neither 0 nor 1. | |
cdf8a76f KC |
141 | |
142 | config UBSAN_ENUM | |
c637693b KC |
143 | bool "Perform checking for out of bounds enum values" |
144 | default UBSAN | |
cdf8a76f | 145 | depends on $(cc-option,-fsanitize=enum) |
c637693b KC |
146 | help |
147 | This option enables -fsanitize=enum which checks for values being loaded | |
148 | into an enum that are outside the range of given values for the given enum. | |
149 | ||
150 | config UBSAN_ALIGNMENT | |
151 | bool "Perform checking for misaligned pointer usage" | |
152 | default !HAVE_EFFICIENT_UNALIGNED_ACCESS | |
153 | depends on !UBSAN_TRAP && !COMPILE_TEST | |
154 | depends on $(cc-option,-fsanitize=alignment) | |
155 | help | |
156 | This option enables the check of unaligned memory accesses. | |
157 | Enabling this option on architectures that support unaligned | |
158 | accesses may produce a lot of false positives. | |
cdf8a76f | 159 | |
854686f4 JP |
160 | config TEST_UBSAN |
161 | tristate "Module for testing for undefined behavior detection" | |
277a1085 | 162 | depends on m |
854686f4 JP |
163 | help |
164 | This is a test module for UBSAN. | |
165 | It triggers various undefined behavior, and detect it. | |
277a1085 KC |
166 | |
167 | endif # if UBSAN |