| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179 |
- # SPDX-License-Identifier: GPL-2.0-only
- config ARCH_HAS_UBSAN
- bool
- menuconfig UBSAN
- bool "Undefined behaviour sanity checker"
- depends on ARCH_HAS_UBSAN
- help
- This option enables the Undefined Behaviour sanity checker.
- Compile-time instrumentation is used to detect various undefined
- behaviours at runtime. For more details, see:
- Documentation/dev-tools/ubsan.rst
- if UBSAN
- config UBSAN_TRAP
- bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
- depends on !COMPILE_TEST
- help
- Building kernels with Sanitizer features enabled tends to grow
- the kernel size by around 5%, due to adding all the debugging
- text on failure paths. To avoid this, Sanitizer instrumentation
- can just issue a trap. This reduces the kernel size overhead but
- turns all warnings (including potentially harmless conditions)
- into full exceptions that abort the running kernel code
- (regardless of context, locks held, etc), which may destabilize
- the system. For some system builders this is an acceptable
- trade-off.
- Also note that selecting Y will cause your kernel to Oops
- with an "illegal instruction" error with no further details
- when a UBSAN violation occurs. (Except on arm64 and x86, which
- will report which Sanitizer failed.) This may make it hard to
- determine whether an Oops was caused by UBSAN or to figure
- out the details of a UBSAN violation. It makes the kernel log
- output less useful for bug reports.
- config CC_HAS_UBSAN_BOUNDS_STRICT
- def_bool $(cc-option,-fsanitize=bounds-strict)
- help
- The -fsanitize=bounds-strict option is only available on GCC,
- but uses the more strict handling of arrays that includes knowledge
- of flexible arrays, which is comparable to Clang's regular
- -fsanitize=bounds.
- config CC_HAS_UBSAN_ARRAY_BOUNDS
- def_bool $(cc-option,-fsanitize=array-bounds)
- help
- Under Clang, the -fsanitize=bounds option is actually composed
- of two more specific options, -fsanitize=array-bounds and
- -fsanitize=local-bounds. However, -fsanitize=local-bounds can
- only be used when trap mode is enabled. (See also the help for
- CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
- so that we can build up the options needed for UBSAN_BOUNDS
- with or without UBSAN_TRAP.
- config UBSAN_BOUNDS
- bool "Perform array index bounds checking"
- default UBSAN
- depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
- help
- This option enables detection of directly indexed out of bounds
- array accesses, where the array size is known at compile time.
- Note that this does not protect array overflows via bad calls
- to the {str,mem}*cpy() family of functions (that is addressed
- by CONFIG_FORTIFY_SOURCE).
- config UBSAN_BOUNDS_STRICT
- def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
- help
- GCC's bounds sanitizer. This option is used to select the
- correct options in Makefile.ubsan.
- config UBSAN_ARRAY_BOUNDS
- def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
- help
- Clang's array bounds sanitizer. This option is used to select
- the correct options in Makefile.ubsan.
- config UBSAN_LOCAL_BOUNDS
- def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
- help
- This option enables Clang's -fsanitize=local-bounds which traps
- when an access through a pointer that is derived from an object
- of a statically-known size, where an added offset (which may not
- be known statically) is out-of-bounds. Since this option is
- trap-only, it depends on CONFIG_UBSAN_TRAP.
- config UBSAN_SHIFT
- bool "Perform checking for bit-shift overflows"
- depends on $(cc-option,-fsanitize=shift)
- help
- This option enables -fsanitize=shift which checks for bit-shift
- operations that overflow to the left or go switch to negative
- for signed types.
- config UBSAN_DIV_ZERO
- bool "Perform checking for integer divide-by-zero"
- depends on $(cc-option,-fsanitize=integer-divide-by-zero)
- # https://github.com/ClangBuiltLinux/linux/issues/1657
- # https://github.com/llvm/llvm-project/issues/56289
- depends on !CC_IS_CLANG
- help
- This option enables -fsanitize=integer-divide-by-zero which checks
- for integer division by zero. This is effectively redundant with the
- kernel's existing exception handling, though it can provide greater
- debugging information.
- config UBSAN_UNREACHABLE
- bool "Perform checking for unreachable code"
- # objtool already handles unreachable checking and gets angry about
- # seeing UBSan instrumentation located in unreachable places.
- depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
- depends on $(cc-option,-fsanitize=unreachable)
- help
- This option enables -fsanitize=unreachable which checks for control
- flow reaching an expected-to-be-unreachable position.
- config UBSAN_INTEGER_WRAP
- bool "Perform checking for integer arithmetic wrap-around"
- # This is very experimental so drop the next line if you really want it
- depends on BROKEN
- depends on !COMPILE_TEST
- depends on $(cc-option,-fsanitize-undefined-ignore-overflow-pattern=all)
- depends on $(cc-option,-fsanitize=signed-integer-overflow)
- depends on $(cc-option,-fsanitize=unsigned-integer-overflow)
- depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation)
- depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation)
- depends on $(cc-option,-fsanitize-ignorelist=/dev/null)
- help
- This option enables all of the sanitizers involved in integer overflow
- (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow,
- implicit-signed-integer-truncation, and implicit-unsigned-integer-truncation.
- This is currently limited only to the size_t type while testing and
- compiler development continues.
- config UBSAN_BOOL
- bool "Perform checking for non-boolean values used as boolean"
- default UBSAN
- depends on $(cc-option,-fsanitize=bool)
- help
- This option enables -fsanitize=bool which checks for boolean values being
- loaded that are neither 0 nor 1.
- config UBSAN_ENUM
- bool "Perform checking for out of bounds enum values"
- default UBSAN
- depends on $(cc-option,-fsanitize=enum)
- help
- This option enables -fsanitize=enum which checks for values being loaded
- into an enum that are outside the range of given values for the given enum.
- config UBSAN_ALIGNMENT
- bool "Perform checking for misaligned pointer usage"
- default !HAVE_EFFICIENT_UNALIGNED_ACCESS
- depends on !UBSAN_TRAP && !COMPILE_TEST
- depends on $(cc-option,-fsanitize=alignment)
- help
- This option enables the check of unaligned memory accesses.
- Enabling this option on architectures that support unaligned
- accesses may produce a lot of false positives.
- config TEST_UBSAN
- tristate "Module for testing for undefined behavior detection"
- depends on m
- help
- This is a test module for UBSAN.
- It triggers various undefined behavior, and detect it.
- config UBSAN_KVM_EL2
- bool "UBSAN for KVM code at EL2"
- depends on ARM64
- help
- Enable UBSAN when running on ARM64 with KVM in a split mode
- (nvhe/hvhe/protected) for the hypervisor code running in EL2.
- In this mode, any UBSAN violation in EL2 would panic the kernel
- and information similar to UBSAN_TRAP would be printed.
- endif # if UBSAN
|