Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
c6d30853 AR |
2 | config ARCH_HAS_UBSAN_SANITIZE_ALL |
3 | bool | |
4 | ||
277a1085 | 5 | menuconfig UBSAN |
c6d30853 AR |
6 | bool "Undefined behaviour sanity checker" |
7 | help | |
0887a7eb | 8 | This option enables the Undefined Behaviour sanity checker. |
c6d30853 | 9 | Compile-time instrumentation is used to detect various undefined |
0887a7eb KC |
10 | behaviours at runtime. For more details, see: |
11 | Documentation/dev-tools/ubsan.rst | |
12 | ||
277a1085 KC |
13 | if UBSAN |
14 | ||
0887a7eb KC |
15 | config UBSAN_TRAP |
16 | bool "On Sanitizer warnings, abort the running kernel code" | |
0887a7eb KC |
17 | depends on $(cc-option, -fsanitize-undefined-trap-on-error) |
18 | help | |
19 | Building kernels with Sanitizer features enabled tends to grow | |
20 | the kernel size by around 5%, due to adding all the debugging | |
21 | text on failure paths. To avoid this, Sanitizer instrumentation | |
22 | can just issue a trap. This reduces the kernel size overhead but | |
23 | turns all warnings (including potentially harmless conditions) | |
24 | into full exceptions that abort the running kernel code | |
25 | (regardless of context, locks held, etc), which may destabilize | |
26 | the system. For some system builders this is an acceptable | |
27 | trade-off. | |
c6d30853 | 28 | |
ea91a1d4 AB |
29 | config UBSAN_KCOV_BROKEN |
30 | def_bool KCOV && CC_HAS_SANCOV_TRACE_PC | |
31 | depends on CC_IS_CLANG | |
32 | depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc) | |
33 | help | |
34 | Some versions of clang support either UBSAN or KCOV but not the | |
35 | combination of the two. | |
36 | See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status | |
37 | in newer releases. | |
38 | ||
cdf8a76f KC |
39 | config CC_HAS_UBSAN_BOUNDS |
40 | def_bool $(cc-option,-fsanitize=bounds) | |
41 | ||
42 | config CC_HAS_UBSAN_ARRAY_BOUNDS | |
43 | def_bool $(cc-option,-fsanitize=array-bounds) | |
44 | ||
277a1085 KC |
45 | config UBSAN_BOUNDS |
46 | bool "Perform array index bounds checking" | |
47 | default UBSAN | |
ea91a1d4 | 48 | depends on !UBSAN_KCOV_BROKEN |
cdf8a76f | 49 | depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS |
277a1085 KC |
50 | help |
51 | This option enables detection of directly indexed out of bounds | |
52 | array accesses, where the array size is known at compile time. | |
53 | Note that this does not protect array overflows via bad calls | |
54 | to the {str,mem}*cpy() family of functions (that is addressed | |
55 | by CONFIG_FORTIFY_SOURCE). | |
56 | ||
cdf8a76f KC |
57 | config UBSAN_ONLY_BOUNDS |
58 | def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS | |
59 | depends on UBSAN_BOUNDS | |
60 | help | |
61 | This is a weird case: Clang's -fsanitize=bounds includes | |
62 | -fsanitize=local-bounds, but it's trapping-only, so for | |
63 | Clang, we must use -fsanitize=array-bounds when we want | |
64 | traditional array bounds checking enabled. For GCC, we | |
65 | want -fsanitize=bounds. | |
66 | ||
67 | config UBSAN_ARRAY_BOUNDS | |
68 | def_bool CC_HAS_UBSAN_ARRAY_BOUNDS | |
69 | depends on UBSAN_BOUNDS | |
70 | ||
6a6155f6 GP |
71 | config UBSAN_LOCAL_BOUNDS |
72 | bool "Perform array local bounds checking" | |
73 | depends on UBSAN_TRAP | |
6a6155f6 | 74 | depends on !UBSAN_KCOV_BROKEN |
cdf8a76f | 75 | depends on $(cc-option,-fsanitize=local-bounds) |
6a6155f6 GP |
76 | help |
77 | This option enables -fsanitize=local-bounds which traps when an | |
cdf8a76f KC |
78 | exception/error is detected. Therefore, it may only be enabled |
79 | with CONFIG_UBSAN_TRAP. | |
80 | ||
6a6155f6 GP |
81 | Enabling this option detects errors due to accesses through a |
82 | pointer that is derived from an object of a statically-known size, | |
83 | where an added offset (which may not be known statically) is | |
84 | out-of-bounds. | |
85 | ||
277a1085 KC |
86 | config UBSAN_MISC |
87 | bool "Enable all other Undefined Behavior sanity checks" | |
88 | default UBSAN | |
89 | help | |
90 | This option enables all sanity checks that don't have their | |
91 | own Kconfig options. Disable this if you only want to have | |
92 | individually selected checks. | |
93 | ||
cdf8a76f KC |
94 | config UBSAN_SHIFT |
95 | def_bool UBSAN_MISC | |
96 | depends on $(cc-option,-fsanitize=shift) | |
97 | ||
98 | config UBSAN_DIV_ZERO | |
99 | def_bool UBSAN_MISC | |
100 | depends on $(cc-option,-fsanitize=integer-divide-by-zero) | |
101 | ||
102 | config UBSAN_UNREACHABLE | |
103 | def_bool UBSAN_MISC | |
104 | depends on $(cc-option,-fsanitize=unreachable) | |
105 | ||
106 | config UBSAN_SIGNED_OVERFLOW | |
107 | def_bool UBSAN_MISC | |
108 | depends on $(cc-option,-fsanitize=signed-integer-overflow) | |
109 | ||
110 | config UBSAN_UNSIGNED_OVERFLOW | |
111 | def_bool UBSAN_MISC | |
112 | depends on $(cc-option,-fsanitize=unsigned-integer-overflow) | |
113 | ||
114 | config UBSAN_OBJECT_SIZE | |
115 | def_bool UBSAN_MISC | |
116 | depends on $(cc-option,-fsanitize=object-size) | |
117 | ||
118 | config UBSAN_BOOL | |
119 | def_bool UBSAN_MISC | |
120 | depends on $(cc-option,-fsanitize=bool) | |
121 | ||
122 | config UBSAN_ENUM | |
123 | def_bool UBSAN_MISC | |
124 | depends on $(cc-option,-fsanitize=enum) | |
125 | ||
c6d30853 AR |
126 | config UBSAN_SANITIZE_ALL |
127 | bool "Enable instrumentation for the entire kernel" | |
c6d30853 | 128 | depends on ARCH_HAS_UBSAN_SANITIZE_ALL |
dde5cf39 | 129 | depends on !COMPILE_TEST |
c6d30853 AR |
130 | default y |
131 | help | |
132 | This option activates instrumentation for the entire kernel. | |
133 | If you don't enable this option, you have to explicitly specify | |
134 | UBSAN_SANITIZE := y for the files/directories you want to check for UB. | |
7707535a YS |
135 | Enabling this option will get kernel image size increased |
136 | significantly. | |
c6d30853 | 137 | |
8d58f222 KC |
138 | config UBSAN_ALIGNMENT |
139 | bool "Enable checks for pointers alignment" | |
140 | default !HAVE_EFFICIENT_UNALIGNED_ACCESS | |
9380ce24 | 141 | depends on !UBSAN_TRAP |
cdf8a76f | 142 | depends on $(cc-option,-fsanitize=alignment) |
c6d30853 | 143 | help |
8d58f222 KC |
144 | This option enables the check of unaligned memory accesses. |
145 | Enabling this option on architectures that support unaligned | |
c6d30853 | 146 | accesses may produce a lot of false positives. |
725c4d22 | 147 | |
854686f4 JP |
148 | config TEST_UBSAN |
149 | tristate "Module for testing for undefined behavior detection" | |
277a1085 | 150 | depends on m |
854686f4 JP |
151 | help |
152 | This is a test module for UBSAN. | |
153 | It triggers various undefined behavior, and detect it. | |
277a1085 KC |
154 | |
155 | endif # if UBSAN |