Kconfig.ubsan 7.0 KB

# SPDX-License-Identifier: GPL-2.0-only
config ARCH_HAS_UBSAN
	bool

menuconfig UBSAN
	bool "Undefined behaviour sanity checker"
	depends on ARCH_HAS_UBSAN
	help
	  This option enables the Undefined Behaviour sanity checker.
	  Compile-time instrumentation is used to detect various undefined
	  behaviours at runtime. For more details, see:
	  Documentation/dev-tools/ubsan.rst

if UBSAN

config UBSAN_TRAP
	bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
	depends on !COMPILE_TEST
	help
	  Building kernels with Sanitizer features enabled tends to grow
	  the kernel size by around 5%, due to adding all the debugging
	  text on failure paths. To avoid this, Sanitizer instrumentation
	  can just issue a trap. This reduces the kernel size overhead but
	  turns all warnings (including potentially harmless conditions)
	  into full exceptions that abort the running kernel code
	  (regardless of context, locks held, etc), which may destabilize
	  the system. For some system builders this is an acceptable
	  trade-off.

	  Also note that selecting Y will cause your kernel to Oops
	  with an "illegal instruction" error with no further details
	  when a UBSAN violation occurs. (Except on arm64 and x86, which
	  will report which Sanitizer failed.) This may make it hard to
	  determine whether an Oops was caused by UBSAN or to figure
	  out the details of a UBSAN violation. It makes the kernel log
	  output less useful for bug reports.

config CC_HAS_UBSAN_BOUNDS_STRICT
	def_bool $(cc-option,-fsanitize=bounds-strict)
	help
	  The -fsanitize=bounds-strict option is only available on GCC,
	  but uses the more strict handling of arrays that includes knowledge
	  of flexible arrays, which is comparable to Clang's regular
	  -fsanitize=bounds.

config CC_HAS_UBSAN_ARRAY_BOUNDS
	def_bool $(cc-option,-fsanitize=array-bounds)
	help
	  Under Clang, the -fsanitize=bounds option is actually composed
	  of two more specific options, -fsanitize=array-bounds and
	  -fsanitize=local-bounds. However, -fsanitize=local-bounds can
	  only be used when trap mode is enabled. (See also the help for
	  CONFIG_UBSAN_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
	  so that we can build up the options needed for UBSAN_BOUNDS
	  with or without UBSAN_TRAP.

config UBSAN_BOUNDS
	bool "Perform array index bounds checking"
	default UBSAN
	depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
	help
	  This option enables detection of directly indexed out of bounds
	  array accesses, where the array size is known at compile time.
	  Note that this does not protect array overflows via bad calls
	  to the {str,mem}*cpy() family of functions (that is addressed
	  by CONFIG_FORTIFY_SOURCE).

config UBSAN_BOUNDS_STRICT
	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
	help
	  GCC's bounds sanitizer. This option is used to select the
	  correct options in Makefile.ubsan.

config UBSAN_ARRAY_BOUNDS
	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
	help
	  Clang's array bounds sanitizer. This option is used to select
	  the correct options in Makefile.ubsan.

config UBSAN_LOCAL_BOUNDS
	def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
	help
	  This option enables Clang's -fsanitize=local-bounds which traps
	  on an access through a pointer that is derived from an object
	  of a statically-known size, where an added offset (which may not
	  be known statically) is out-of-bounds. Since this option is
	  trap-only, it depends on CONFIG_UBSAN_TRAP.

config UBSAN_SHIFT
	bool "Perform checking for bit-shift overflows"
	depends on $(cc-option,-fsanitize=shift)
	help
	  This option enables -fsanitize=shift which checks for bit-shift
	  operations that overflow to the left or switch to negative
	  for signed types.

config UBSAN_DIV_ZERO
	bool "Perform checking for integer divide-by-zero"
	depends on $(cc-option,-fsanitize=integer-divide-by-zero)
	# https://github.com/ClangBuiltLinux/linux/issues/1657
	# https://github.com/llvm/llvm-project/issues/56289
	depends on !CC_IS_CLANG
	help
	  This option enables -fsanitize=integer-divide-by-zero which checks
	  for integer division by zero. This is effectively redundant with the
	  kernel's existing exception handling, though it can provide greater
	  debugging information.

config UBSAN_UNREACHABLE
	bool "Perform checking for unreachable code"
	# objtool already handles unreachable checking and gets angry about
	# seeing UBSan instrumentation located in unreachable places.
	depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
	depends on $(cc-option,-fsanitize=unreachable)
	help
	  This option enables -fsanitize=unreachable which checks for control
	  flow reaching an expected-to-be-unreachable position.

config UBSAN_INTEGER_WRAP
	bool "Perform checking for integer arithmetic wrap-around"
	# This is very experimental so drop the next line if you really want it
	depends on BROKEN
	depends on !COMPILE_TEST
	depends on $(cc-option,-fsanitize-undefined-ignore-overflow-pattern=all)
	depends on $(cc-option,-fsanitize=signed-integer-overflow)
	depends on $(cc-option,-fsanitize=unsigned-integer-overflow)
	depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation)
	depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation)
	depends on $(cc-option,-fsanitize-ignorelist=/dev/null)
	help
	  This option enables all of the sanitizers involved in integer overflow
	  (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow,
	  implicit-signed-integer-truncation, and implicit-unsigned-integer-truncation.
	  This is currently limited only to the size_t type while testing and
	  compiler development continues.

config UBSAN_BOOL
	bool "Perform checking for non-boolean values used as boolean"
	default UBSAN
	depends on $(cc-option,-fsanitize=bool)
	help
	  This option enables -fsanitize=bool which checks for boolean values being
	  loaded that are neither 0 nor 1.

config UBSAN_ENUM
	bool "Perform checking for out of bounds enum values"
	default UBSAN
	depends on $(cc-option,-fsanitize=enum)
	help
	  This option enables -fsanitize=enum which checks for values being loaded
	  into an enum that are outside the range of given values for the given enum.

config UBSAN_ALIGNMENT
	bool "Perform checking for misaligned pointer usage"
	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
	depends on !UBSAN_TRAP && !COMPILE_TEST
	depends on $(cc-option,-fsanitize=alignment)
	help
	  This option enables the check of unaligned memory accesses.
	  Enabling this option on architectures that support unaligned
	  accesses may produce a lot of false positives.

config TEST_UBSAN
	tristate "Module for testing for undefined behavior detection"
	depends on m
	help
	  This is a test module for UBSAN.
	  It triggers various undefined behavior, and detects it.

config UBSAN_KVM_EL2
	bool "UBSAN for KVM code at EL2"
	depends on ARM64
	help
	  Enable UBSAN when running on ARM64 with KVM in a split mode
	  (nvhe/hvhe/protected) for the hypervisor code running in EL2.
	  In this mode, any UBSAN violation in EL2 would panic the kernel
	  and information similar to UBSAN_TRAP would be printed.

endif # if UBSAN
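
An added example, not part of the kernel tree: a small auditor that checks a hand-written config fragment against a subset of the `depends on` and `def_bool` relations in the file above, and flags the coverage gap the UBSAN_BOUNDS help text describes. The `RULES` table, the function names and the `SAMPLE` fragment are constructed for illustration; compiler-probe and `||` dependencies are not modelled.

```python
import re

# Subset of the relations in Kconfig.ubsan above (hypothetical table layout):
# symbol -> (symbols that must be enabled, symbols that must be disabled)
RULES = {
    "UBSAN_TRAP":          (["UBSAN"], ["COMPILE_TEST"]),
    "UBSAN_BOUNDS":        (["UBSAN"], []),
    "UBSAN_BOUNDS_STRICT": (["UBSAN_BOUNDS", "CC_HAS_UBSAN_BOUNDS_STRICT"], []),
    "UBSAN_ARRAY_BOUNDS":  (["UBSAN_BOUNDS", "CC_HAS_UBSAN_ARRAY_BOUNDS"], []),
    "UBSAN_LOCAL_BOUNDS":  (["UBSAN_ARRAY_BOUNDS", "UBSAN_TRAP"], []),
    "UBSAN_DIV_ZERO":      (["UBSAN"], ["CC_IS_CLANG"]),
    "UBSAN_INTEGER_WRAP":  (["UBSAN", "BROKEN"], ["COMPILE_TEST"]),
    "UBSAN_ALIGNMENT":     (["UBSAN"], ["UBSAN_TRAP", "COMPILE_TEST"]),
    "UBSAN_KVM_EL2":       (["UBSAN", "ARM64"], []),
}

def enabled_symbols(text):
    """Symbols set to y; '# CONFIG_X is not set' lines are ignored."""
    return {m.group(1) for m in re.finditer(r"^CONFIG_(\w+)=y$", text, re.M)}

def audit(text):
    on = enabled_symbols(text)
    findings = []
    for sym, (need, forbid) in RULES.items():
        if sym not in on:
            continue
        findings += [f"{sym}=y requires {dep}" for dep in need if dep not in on]
        findings += [f"{sym}=y conflicts with {dep}" for dep in forbid if dep in on]
    # Gap stated in the UBSAN_BOUNDS help text.
    if "UBSAN_BOUNDS" in on and "FORTIFY_SOURCE" not in on:
        findings.append("UBSAN_BOUNDS=y without FORTIFY_SOURCE: "
                        "{str,mem}*cpy() overflows are not checked")
    # Trade-off stated in the UBSAN_TRAP help text.
    if "UBSAN_TRAP" in on:
        findings.append("UBSAN_TRAP=y: violations abort instead of printing a report")
    return findings

# Constructed fragment: trap mode and alignment checking are both requested.
SAMPLE = """\
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_CC_HAS_UBSAN_ARRAY_BOUNDS=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_ARRAY_BOUNDS=y
CONFIG_UBSAN_LOCAL_BOUNDS=y
CONFIG_UBSAN_ALIGNMENT=y
# CONFIG_FORTIFY_SOURCE is not set
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Kconfig itself silently drops a symbol whose dependencies are unmet, so a check like this is most useful on fragments before they are merged into a full `.config`.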