Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
c6d30853 AR |
2 | config ARCH_HAS_UBSAN_SANITIZE_ALL |
3 | bool | |
4 | ||
277a1085 | 5 | menuconfig UBSAN |
c6d30853 AR |
6 | bool "Undefined behaviour sanity checker" |
7 | help | |
0887a7eb | 8 | This option enables the Undefined Behaviour sanity checker. |
c6d30853 | 9 | Compile-time instrumentation is used to detect various undefined |
0887a7eb KC |
10 | behaviours at runtime. For more details, see: |
11 | Documentation/dev-tools/ubsan.rst | |
12 | ||
277a1085 KC |
13 | if UBSAN |
14 | ||
0887a7eb KC |
15 | config UBSAN_TRAP |
16 | bool "On Sanitizer warnings, abort the running kernel code" | |
79791378 | 17 | depends on !COMPILE_TEST |
0887a7eb KC |
18 | depends on $(cc-option, -fsanitize-undefined-trap-on-error) |
19 | help | |
20 | Building kernels with Sanitizer features enabled tends to grow | |
21 | the kernel size by around 5%, due to adding all the debugging | |
22 | text on failure paths. To avoid this, Sanitizer instrumentation | |
23 | can just issue a trap. This reduces the kernel size overhead but | |
24 | turns all warnings (including potentially harmless conditions) | |
25 | into full exceptions that abort the running kernel code | |
26 | (regardless of context, locks held, etc), which may destabilize | |
27 | the system. For some system builders this is an acceptable | |
28 | trade-off. | |
c6d30853 | 29 | |
cdf8a76f KC |
30 | config CC_HAS_UBSAN_BOUNDS |
31 | def_bool $(cc-option,-fsanitize=bounds) | |
32 | ||
33 | config CC_HAS_UBSAN_ARRAY_BOUNDS | |
34 | def_bool $(cc-option,-fsanitize=array-bounds) | |
35 | ||
277a1085 KC |
36 | config UBSAN_BOUNDS |
37 | bool "Perform array index bounds checking" | |
38 | default UBSAN | |
cdf8a76f | 39 | depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS |
277a1085 KC |
40 | help |
41 | This option enables detection of directly indexed out of bounds | |
42 | array accesses, where the array size is known at compile time. | |
43 | Note that this does not protect array overflows via bad calls | |
44 | to the {str,mem}*cpy() family of functions (that is addressed | |
45 | by CONFIG_FORTIFY_SOURCE). | |
46 | ||
cdf8a76f KC |
47 | config UBSAN_ONLY_BOUNDS |
48 | def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS | |
49 | depends on UBSAN_BOUNDS | |
50 | help | |
51 | This is a weird case: Clang's -fsanitize=bounds includes | |
52 | -fsanitize=local-bounds, but it's trapping-only, so for | |
53 | Clang, we must use -fsanitize=array-bounds when we want | |
54 | traditional array bounds checking enabled. For GCC, we | |
55 | want -fsanitize=bounds. | |
56 | ||
57 | config UBSAN_ARRAY_BOUNDS | |
58 | def_bool CC_HAS_UBSAN_ARRAY_BOUNDS | |
59 | depends on UBSAN_BOUNDS | |
60 | ||
6a6155f6 GP |
61 | config UBSAN_LOCAL_BOUNDS |
62 | bool "Perform array local bounds checking" | |
63 | depends on UBSAN_TRAP | |
cdf8a76f | 64 | depends on $(cc-option,-fsanitize=local-bounds) |
6a6155f6 GP |
65 | help |
66 | This option enables -fsanitize=local-bounds which traps when an | |
cdf8a76f KC |
67 | exception/error is detected. Therefore, it may only be enabled |
68 | with CONFIG_UBSAN_TRAP. | |
69 | ||
6a6155f6 GP |
70 | Enabling this option detects errors due to accesses through a |
71 | pointer that is derived from an object of a statically-known size, | |
72 | where an added offset (which may not be known statically) is | |
73 | out-of-bounds. | |
74 | ||
cdf8a76f | 75 | config UBSAN_SHIFT |
c637693b KC |
76 | bool "Perform checking for bit-shift overflows" |
77 | default UBSAN | |
cdf8a76f | 78 | depends on $(cc-option,-fsanitize=shift) |
c637693b KC |
79 | help |
80 | This option enables -fsanitize=shift which checks for bit-shift | |
81 | operations that overflow to the left or go switch to negative | |
82 | for signed types. | |
cdf8a76f KC |
83 | |
84 | config UBSAN_DIV_ZERO | |
c637693b | 85 | bool "Perform checking for integer divide-by-zero" |
cdf8a76f | 86 | depends on $(cc-option,-fsanitize=integer-divide-by-zero) |
e5d523f1 ND |
87 | # https://github.com/ClangBuiltLinux/linux/issues/1657 |
88 | # https://github.com/llvm/llvm-project/issues/56289 | |
89 | depends on !CC_IS_CLANG | |
c637693b KC |
90 | help |
91 | This option enables -fsanitize=integer-divide-by-zero which checks | |
92 | for integer division by zero. This is effectively redundant with the | |
93 | kernel's existing exception handling, though it can provide greater | |
94 | debugging information under CONFIG_UBSAN_REPORT_FULL. | |
cdf8a76f KC |
95 | |
96 | config UBSAN_UNREACHABLE | |
c637693b KC |
97 | bool "Perform checking for unreachable code" |
98 | # objtool already handles unreachable checking and gets angry about | |
99 | # seeing UBSan instrumentation located in unreachable places. | |
c2f75a43 | 100 | depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION)) |
cdf8a76f | 101 | depends on $(cc-option,-fsanitize=unreachable) |
c637693b KC |
102 | help |
103 | This option enables -fsanitize=unreachable which checks for control | |
104 | flow reaching an expected-to-be-unreachable position. | |
cdf8a76f | 105 | |
cdf8a76f | 106 | config UBSAN_BOOL |
c637693b KC |
107 | bool "Perform checking for non-boolean values used as boolean" |
108 | default UBSAN | |
cdf8a76f | 109 | depends on $(cc-option,-fsanitize=bool) |
c637693b KC |
110 | help |
111 | This option enables -fsanitize=bool which checks for boolean values being | |
112 | loaded that are neither 0 nor 1. | |
cdf8a76f KC |
113 | |
114 | config UBSAN_ENUM | |
c637693b KC |
115 | bool "Perform checking for out of bounds enum values" |
116 | default UBSAN | |
cdf8a76f | 117 | depends on $(cc-option,-fsanitize=enum) |
c637693b KC |
118 | help |
119 | This option enables -fsanitize=enum which checks for values being loaded | |
120 | into an enum that are outside the range of given values for the given enum. | |
121 | ||
122 | config UBSAN_ALIGNMENT | |
123 | bool "Perform checking for misaligned pointer usage" | |
124 | default !HAVE_EFFICIENT_UNALIGNED_ACCESS | |
125 | depends on !UBSAN_TRAP && !COMPILE_TEST | |
126 | depends on $(cc-option,-fsanitize=alignment) | |
127 | help | |
128 | This option enables the check of unaligned memory accesses. | |
129 | Enabling this option on architectures that support unaligned | |
130 | accesses may produce a lot of false positives. | |
cdf8a76f | 131 | |
c6d30853 AR |
132 | config UBSAN_SANITIZE_ALL |
133 | bool "Enable instrumentation for the entire kernel" | |
c6d30853 AR |
134 | depends on ARCH_HAS_UBSAN_SANITIZE_ALL |
135 | default y | |
136 | help | |
137 | This option activates instrumentation for the entire kernel. | |
138 | If you don't enable this option, you have to explicitly specify | |
139 | UBSAN_SANITIZE := y for the files/directories you want to check for UB. | |
7707535a YS |
140 | Enabling this option will get kernel image size increased |
141 | significantly. | |
c6d30853 | 142 | |
854686f4 JP |
143 | config TEST_UBSAN |
144 | tristate "Module for testing for undefined behavior detection" | |
277a1085 | 145 | depends on m |
854686f4 JP |
146 | help |
147 | This is a test module for UBSAN. | |
148 | It triggers various undefined behavior, and detect it. | |
277a1085 KC |
149 | |
150 | endif # if UBSAN |