| # SPDX-License-Identifier: GPL-2.0-only |
| config ARCH_HAS_UBSAN_SANITIZE_ALL |
| bool |
| |
| menuconfig UBSAN |
| bool "Undefined behaviour sanity checker" |
| help |
| This option enables the Undefined Behaviour sanity checker. |
| Compile-time instrumentation is used to detect various undefined |
| behaviours at runtime. For more details, see: |
| Documentation/dev-tools/ubsan.rst |
| |
| if UBSAN |
| |
| config UBSAN_TRAP |
| bool "On Sanitizer warnings, abort the running kernel code" |
| depends on !COMPILE_TEST |
| depends on $(cc-option, -fsanitize-undefined-trap-on-error) |
| help |
| Building kernels with Sanitizer features enabled tends to grow |
| the kernel size by around 5%, due to adding all the debugging |
| text on failure paths. To avoid this, Sanitizer instrumentation |
| can just issue a trap. This reduces the kernel size overhead but |
| turns all warnings (including potentially harmless conditions) |
| into full exceptions that abort the running kernel code |
| (regardless of context, locks held, etc), which may destabilize |
| the system. For some system builders this is an acceptable |
| trade-off. |
| |
| config UBSAN_KCOV_BROKEN |
| def_bool KCOV && CC_HAS_SANCOV_TRACE_PC |
| depends on CC_IS_CLANG |
| depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc) |
| help |
| Some versions of clang support either UBSAN or KCOV but not the |
| combination of the two. |
| See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status |
| in newer releases. |
| |
| config CC_HAS_UBSAN_BOUNDS |
| def_bool $(cc-option,-fsanitize=bounds) |
| |
| config CC_HAS_UBSAN_ARRAY_BOUNDS |
| def_bool $(cc-option,-fsanitize=array-bounds) |
| |
| config UBSAN_BOUNDS |
| bool "Perform array index bounds checking" |
| default UBSAN |
| depends on !UBSAN_KCOV_BROKEN |
| depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS |
| help |
| This option enables detection of directly indexed out of bounds |
| array accesses, where the array size is known at compile time. |
| Note that this does not protect array overflows via bad calls |
| to the {str,mem}*cpy() family of functions (that is addressed |
| by CONFIG_FORTIFY_SOURCE). |
| |
| config UBSAN_ONLY_BOUNDS |
| def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS |
| depends on UBSAN_BOUNDS |
| help |
| This is a special case: Clang's -fsanitize=bounds includes |
| -fsanitize=local-bounds, which is trapping-only, so for Clang |
| we must use -fsanitize=array-bounds when we want traditional |
| array bounds checking enabled. For GCC, -fsanitize=bounds is |
| the option we want. |
| |
| config UBSAN_ARRAY_BOUNDS |
| def_bool CC_HAS_UBSAN_ARRAY_BOUNDS |
| depends on UBSAN_BOUNDS |
| |
| config UBSAN_LOCAL_BOUNDS |
| bool "Perform array local bounds checking" |
| depends on UBSAN_TRAP |
| depends on !UBSAN_KCOV_BROKEN |
| depends on $(cc-option,-fsanitize=local-bounds) |
| help |
| This option enables -fsanitize=local-bounds which traps when an |
| exception/error is detected. Therefore, it may only be enabled |
| with CONFIG_UBSAN_TRAP. |
| |
| Enabling this option detects errors due to accesses through a |
| pointer that is derived from an object of a statically-known size, |
| where an added offset (which may not be known statically) is |
| out-of-bounds. |
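The three bounds-related options above (UBSAN_BOUNDS, UBSAN_ONLY_BOUNDS/UBSAN_ARRAY_BOUNDS and UBSAN_LOCAL_BOUNDS), together with the UBSAN_TRAP trade-off described earlier, draw lines between kinds of out-of-bounds access that look alike in source. The following is an added example, not code from lib/Kconfig.ubsan or the kernel tree: plain userspace C with made-up names (`table`, `struct record`, the `*_unchecked`/`*_checked` helpers) that puts one access of each kind next to a form that rejects the bad input before the access.

```c
/*
 * Added example (not part of lib/Kconfig.ubsan or the kernel tree): the
 * three kinds of out-of-bounds access that UBSAN_BOUNDS, UBSAN_LOCAL_BOUNDS
 * and FORTIFY_SOURCE are each responsible for. Ordinary userspace C; the
 * table, struct and helper names are constructed for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define TABLE_LEN 8

/* Constructed lookup table whose size is known at compile time. */
static const uint32_t table[TABLE_LEN] = {
	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
};

struct record {
	char name[16];
	uint32_t id;
};

/*
 * 1. Direct indexing of a fixed-size array. An out-of-range idx is exactly
 *    what -fsanitize=bounds (GCC) / -fsanitize=array-bounds (Clang), i.e.
 *    CONFIG_UBSAN_BOUNDS, instruments: a report, or a trap under UBSAN_TRAP.
 */
uint32_t lookup_unchecked(size_t idx)
{
	return table[idx];
}

/* Hardened form: reject before indexing, so no instrumentation is needed. */
int lookup_checked(size_t idx, uint32_t *out)
{
	if (idx >= TABLE_LEN)
		return -EINVAL;
	*out = table[idx];
	return 0;
}

/*
 * 2. Access through a pointer derived from a known-size object plus a
 *    runtime offset. There is no array subscript, so array-bounds checking
 *    does not see it; -fsanitize=local-bounds (CONFIG_UBSAN_LOCAL_BOUNDS)
 *    does, and only by trapping.
 */
uint32_t deref_offset_unchecked(size_t off)
{
	const uint32_t *p = table + off;

	return *p;
}

/*
 * 3. Overrun through a library copy into a fixed-size member. Neither
 *    bounds option sees this: the write happens inside memcpy(), not via an
 *    index. The compiler still knows sizeof(r->name), which is what
 *    CONFIG_FORTIFY_SOURCE uses to catch it.
 */
int record_set_name_unchecked(struct record *r, const char *src, size_t len)
{
	memcpy(r->name, src, len);	/* len > 16 runs into r->id and beyond */
	return 0;
}

int record_set_name_checked(struct record *r, const char *src, size_t len)
{
	if (len > sizeof(r->name))
		return -E2BIG;
	memcpy(r->name, src, len);
	return 0;
}

/* Stand-alone driver: pass an index on the command line, e.g. ./a.out 8. */
int main(int argc, char **argv)
{
	size_t idx = argc > 1 ? strtoul(argv[1], NULL, 0) : 0;
	uint32_t v;

	printf("checked:   %s\n", lookup_checked(idx, &v) ? "rejected" : "ok");
	printf("unchecked: 0x%x\n", lookup_unchecked(idx));	/* UBSan report here */
	printf("offset:    0x%x\n", deref_offset_unchecked(idx));	/* local-bounds trap */
	return 0;
}
```

Build it with `gcc -O1 -fsanitize=bounds example.c && ./a.out 8` (or `clang -O1 -fsanitize=array-bounds`) and the `lookup_unchecked()` call prints an "index out of bounds" runtime-error report before continuing; add `-fsanitize-undefined-trap-on-error` and the same access dies on a trap instruction instead (SIGILL on x86), which is the size-versus-debuggability trade-off UBSAN_TRAP describes. With Clang, adding `-fsanitize=local-bounds` makes `deref_offset_unchecked()` trap as well, while `record_set_name_unchecked()` stays silent under every one of these flags, matching the note that such overflows are FORTIFY_SOURCE's job.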
| |
| config UBSAN_SHIFT |
| bool "Perform checking for bit-shift overflows" |
| default UBSAN |
| depends on $(cc-option,-fsanitize=shift) |
| help |
| This option enables -fsanitize=shift which checks for bit-shift |
| operations whose shift amount is negative or not smaller than the |
| width of the shifted type, and for left shifts of signed values |
| that are negative or whose result overflows. |
| |
| config UBSAN_DIV_ZERO |
| bool "Perform checking for integer divide-by-zero" |
| depends on $(cc-option,-fsanitize=integer-divide-by-zero) |
| help |
| This option enables -fsanitize=integer-divide-by-zero which checks |
| for integer division by zero. This is effectively redundant with the |
| kernel's existing exception handling, though it can provide greater |
| debugging information under CONFIG_UBSAN_REPORT_FULL. |
| |
| config UBSAN_UNREACHABLE |
| bool "Perform checking for unreachable code" |
| # objtool already handles unreachable checking and gets angry about |
| # seeing UBSan instrumentation located in unreachable places. |
| depends on !STACK_VALIDATION |
| depends on $(cc-option,-fsanitize=unreachable) |
| help |
| This option enables -fsanitize=unreachable which checks for control |
| flow reaching an expected-to-be-unreachable position. |
| |
| config UBSAN_SIGNED_OVERFLOW |
| bool "Perform checking for signed arithmetic overflow" |
| default UBSAN |
| depends on $(cc-option,-fsanitize=signed-integer-overflow) |
| help |
| This option enables -fsanitize=signed-integer-overflow which checks |
| for overflow of any arithmetic operations with signed integers. |
| |
| config UBSAN_UNSIGNED_OVERFLOW |
| bool "Perform checking for unsigned arithmetic overflow" |
| depends on $(cc-option,-fsanitize=unsigned-integer-overflow) |
| depends on !X86_32 # avoid excessive stack usage on x86-32/clang |
| help |
| This option enables -fsanitize=unsigned-integer-overflow which checks |
| for overflow of any arithmetic operations with unsigned integers. This |
| currently causes x86 to fail to boot. |
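UBSAN_SHIFT, UBSAN_SIGNED_OVERFLOW and UBSAN_UNSIGNED_OVERFLOW above each instrument one arithmetic pattern. As an added example, not code from the kernel tree, the block below shows each pattern in the form it typically takes in driver code next to a checked version that refuses the input instead of depending on the sanitizer. The helper names are made up; `__builtin_add_overflow` and `__builtin_mul_overflow` are the GCC/Clang builtins on which the kernel's `check_add_overflow()`/`check_mul_overflow()` macros are built, and returning `SIZE_MAX` on a wrapped size follows the convention of the kernel's `array_size()` helper.

```c
/*
 * Added example, not kernel code: the operations that -fsanitize=shift,
 * -fsanitize=signed-integer-overflow and -fsanitize=unsigned-integer-overflow
 * instrument, beside checked versions that reject the bad input. Helper
 * names are constructed for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* Bit n of a 32-bit register, the usual BIT(n)-style idiom. */
uint32_t bit_mask_unchecked(unsigned int n)
{
	return 1u << n;		/* n >= 32 is undefined: flagged by UBSAN_SHIFT */
}

int bit_mask_checked(unsigned int n, uint32_t *mask)
{
	if (n >= 32)
		return -EINVAL;
	*mask = 1u << n;
	return 0;
}

/* Signed overflow: the "add a delta to a counter" pattern. */
int32_t add_delta_unchecked(int32_t cur, int32_t delta)
{
	return cur + delta;	/* overflow is undefined: flagged by UBSAN_SIGNED_OVERFLOW */
}

int add_delta_checked(int32_t cur, int32_t delta, int32_t *res)
{
	/* Same builtin the kernel's check_add_overflow() is built on. */
	if (__builtin_add_overflow(cur, delta, res))
		return -ERANGE;
	return 0;
}

/*
 * Unsigned overflow is defined wraparound in C, which is exactly why it is
 * dangerous in size arithmetic: n * elem wraps to a small number, the
 * allocation succeeds, and the later copy overruns it. UBSAN_UNSIGNED_OVERFLOW
 * reports the wrap; the checked form returns SIZE_MAX so that the caller's
 * allocation fails instead (the convention of the kernel's array_size()).
 */
size_t alloc_len_unchecked(size_t n, size_t elem)
{
	return n * elem;
}

size_t alloc_len_checked(size_t n, size_t elem)
{
	size_t bytes;

	if (__builtin_mul_overflow(n, elem, &bytes))
		return SIZE_MAX;
	return bytes;
}
```

Compiled with `-fsanitize=shift,signed-integer-overflow,unsigned-integer-overflow`, calling `bit_mask_unchecked(32)`, `add_delta_unchecked(INT32_MAX, 1)` or `alloc_len_unchecked(SIZE_MAX / 2 + 1, 2)` each produces a report at the marked line; the checked variants return an error or `SIZE_MAX` on the same inputs and are quiet under the sanitizer, which is the property to aim for in code that will ship without instrumentation.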
| |
| config UBSAN_OBJECT_SIZE |
| bool "Perform checking for accesses beyond the end of objects" |
| default UBSAN |
| # gcc hugely expands stack usage with -fsanitize=object-size |
| # https://lore.kernel.org/lkml/CAHk-=wjPasyJrDuwDnpHJS2TuQfExwe=px-SzLeN8GFMAQJPmQ@mail.gmail.com/ |
| depends on !CC_IS_GCC |
| depends on $(cc-option,-fsanitize=object-size) |
| help |
| This option enables -fsanitize=object-size which checks for accesses |
| beyond the end of objects where the optimizer can determine both the |
| object being operated on and its size, usually seen with bad downcasts, |
| or access to struct members from NULL pointers. |
| |
| config UBSAN_BOOL |
| bool "Perform checking for non-boolean values used as boolean" |
| default UBSAN |
| depends on $(cc-option,-fsanitize=bool) |
| help |
| This option enables -fsanitize=bool which checks for boolean values being |
| loaded that are neither 0 nor 1. |
| |
| config UBSAN_ENUM |
| bool "Perform checking for out of bounds enum values" |
| default UBSAN |
| depends on $(cc-option,-fsanitize=enum) |
| help |
| This option enables -fsanitize=enum which checks for values being loaded |
| into an enum that are outside the range of given values for the given enum. |
| |
| config UBSAN_ALIGNMENT |
| bool "Perform checking for misaligned pointer usage" |
| default !HAVE_EFFICIENT_UNALIGNED_ACCESS |
| depends on !UBSAN_TRAP && !COMPILE_TEST |
| depends on $(cc-option,-fsanitize=alignment) |
| help |
| This option enables the check of unaligned memory accesses. |
| Enabling this option on architectures that support unaligned |
| accesses may produce a lot of false positives. |
| |
| config UBSAN_SANITIZE_ALL |
| bool "Enable instrumentation for the entire kernel" |
| depends on ARCH_HAS_UBSAN_SANITIZE_ALL |
| default y |
| help |
| This option activates instrumentation for the entire kernel. |
| If you don't enable this option, you have to explicitly specify |
| UBSAN_SANITIZE := y for the files/directories you want to check for UB. |
| Enabling this option increases the kernel image size |
| significantly. |
| |
| config TEST_UBSAN |
| tristate "Module for testing for undefined behavior detection" |
| depends on m |
| help |
| This is a test module for UBSAN. |
| It deliberately triggers various kinds of undefined behaviour so |
| that UBSAN's detection of each can be verified. |
| |
| endif # if UBSAN |