summaryrefslogtreecommitdiff
path: root/lib/Kconfig.ubsan
diff options
context:
space:
mode:
Diffstat (limited to 'lib/Kconfig.ubsan')
-rw-r--r--lib/Kconfig.ubsan128
1 files changed, 106 insertions, 22 deletions
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
index 58f8d03d037b..8b635fd75fe4 100644
--- a/lib/Kconfig.ubsan
+++ b/lib/Kconfig.ubsan
@@ -14,6 +14,7 @@ if UBSAN
config UBSAN_TRAP
bool "On Sanitizer warnings, abort the running kernel code"
+ depends on !COMPILE_TEST
depends on $(cc-option, -fsanitize-undefined-trap-on-error)
help
Building kernels with Sanitizer features enabled tends to grow
@@ -36,10 +37,17 @@ config UBSAN_KCOV_BROKEN
See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status
in newer releases.
+config CC_HAS_UBSAN_BOUNDS
+ def_bool $(cc-option,-fsanitize=bounds)
+
+config CC_HAS_UBSAN_ARRAY_BOUNDS
+ def_bool $(cc-option,-fsanitize=array-bounds)
+
config UBSAN_BOUNDS
bool "Perform array index bounds checking"
default UBSAN
depends on !UBSAN_KCOV_BROKEN
+ depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS
help
This option enables detection of directly indexed out of bounds
array accesses, where the array size is known at compile time.
@@ -47,36 +55,121 @@ config UBSAN_BOUNDS
to the {str,mem}*cpy() family of functions (that is addressed
by CONFIG_FORTIFY_SOURCE).
+config UBSAN_ONLY_BOUNDS
+ def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS
+ depends on UBSAN_BOUNDS
+ help
+ This is a weird case: Clang's -fsanitize=bounds includes
+ -fsanitize=local-bounds, but it's trapping-only, so for
+ Clang, we must use -fsanitize=array-bounds when we want
+ traditional array bounds checking enabled. For GCC, we
+ want -fsanitize=bounds.
+
+config UBSAN_ARRAY_BOUNDS
+ def_bool CC_HAS_UBSAN_ARRAY_BOUNDS
+ depends on UBSAN_BOUNDS
+
config UBSAN_LOCAL_BOUNDS
bool "Perform array local bounds checking"
depends on UBSAN_TRAP
- depends on CC_IS_CLANG
depends on !UBSAN_KCOV_BROKEN
+ depends on $(cc-option,-fsanitize=local-bounds)
help
This option enables -fsanitize=local-bounds which traps when an
- exception/error is detected. Therefore, it should be enabled only
- if trapping is expected.
+ exception/error is detected. Therefore, it may only be enabled
+ with CONFIG_UBSAN_TRAP.
+
Enabling this option detects errors due to accesses through a
pointer that is derived from an object of a statically-known size,
where an added offset (which may not be known statically) is
out-of-bounds.
-config UBSAN_MISC
- bool "Enable all other Undefined Behavior sanity checks"
+config UBSAN_SHIFT
+ bool "Perform checking for bit-shift overflows"
+ default UBSAN
+ depends on $(cc-option,-fsanitize=shift)
+ help
+ This option enables -fsanitize=shift which checks for bit-shift
+ operations that overflow to the left or go switch to negative
+ for signed types.
+
+config UBSAN_DIV_ZERO
+ bool "Perform checking for integer divide-by-zero"
+ depends on $(cc-option,-fsanitize=integer-divide-by-zero)
+ help
+ This option enables -fsanitize=integer-divide-by-zero which checks
+ for integer division by zero. This is effectively redundant with the
+ kernel's existing exception handling, though it can provide greater
+ debugging information under CONFIG_UBSAN_REPORT_FULL.
+
+config UBSAN_UNREACHABLE
+ bool "Perform checking for unreachable code"
+ # objtool already handles unreachable checking and gets angry about
+ # seeing UBSan instrumentation located in unreachable places.
+ depends on !STACK_VALIDATION
+ depends on $(cc-option,-fsanitize=unreachable)
+ help
+ This option enables -fsanitize=unreachable which checks for control
+ flow reaching an expected-to-be-unreachable position.
+
+config UBSAN_SIGNED_OVERFLOW
+ bool "Perform checking for signed arithmetic overflow"
+ default UBSAN
+ depends on $(cc-option,-fsanitize=signed-integer-overflow)
+ help
+ This option enables -fsanitize=signed-integer-overflow which checks
+ for overflow of any arithmetic operations with signed integers.
+
+config UBSAN_UNSIGNED_OVERFLOW
+ bool "Perform checking for unsigned arithmetic overflow"
+ depends on $(cc-option,-fsanitize=unsigned-integer-overflow)
+ help
+ This option enables -fsanitize=unsigned-integer-overflow which checks
+ for overflow of any arithmetic operations with unsigned integers. This
+ currently causes x86 to fail to boot.
+
+config UBSAN_OBJECT_SIZE
+ bool "Perform checking for accesses beyond the end of objects"
+ default UBSAN
+ # gcc hugely expands stack usage with -fsanitize=object-size
+ # https://lore.kernel.org/lkml/CAHk-=wjPasyJrDuwDnpHJS2TuQfExwe=px-SzLeN8GFMAQJPmQ@mail.gmail.com/
+ depends on !CC_IS_GCC
+ depends on $(cc-option,-fsanitize=object-size)
+ help
+ This option enables -fsanitize=object-size which checks for accesses
+ beyond the end of objects where the optimizer can determine both the
+ object being operated on and its size, usually seen with bad downcasts,
+ or access to struct members from NULL pointers.
+
+config UBSAN_BOOL
+ bool "Perform checking for non-boolean values used as boolean"
+ default UBSAN
+ depends on $(cc-option,-fsanitize=bool)
+ help
+ This option enables -fsanitize=bool which checks for boolean values being
+ loaded that are neither 0 nor 1.
+
+config UBSAN_ENUM
+ bool "Perform checking for out of bounds enum values"
default UBSAN
+ depends on $(cc-option,-fsanitize=enum)
help
- This option enables all sanity checks that don't have their
- own Kconfig options. Disable this if you only want to have
- individually selected checks.
+ This option enables -fsanitize=enum which checks for values being loaded
+ into an enum that are outside the range of given values for the given enum.
+
+config UBSAN_ALIGNMENT
+ bool "Perform checking for misaligned pointer usage"
+ default !HAVE_EFFICIENT_UNALIGNED_ACCESS
+ depends on !UBSAN_TRAP && !COMPILE_TEST
+ depends on $(cc-option,-fsanitize=alignment)
+ help
+ This option enables the check of unaligned memory accesses.
+ Enabling this option on architectures that support unaligned
+ accesses may produce a lot of false positives.
config UBSAN_SANITIZE_ALL
bool "Enable instrumentation for the entire kernel"
depends on ARCH_HAS_UBSAN_SANITIZE_ALL
-
- # We build with -Wno-maybe-uninitilzed, but we still want to
- # use -Wmaybe-uninitilized in allmodconfig builds.
- # So dependsy bellow used to disable this option in allmodconfig
- depends on !COMPILE_TEST
default y
help
This option activates instrumentation for the entire kernel.
@@ -85,15 +178,6 @@ config UBSAN_SANITIZE_ALL
Enabling this option will get kernel image size increased
significantly.
-config UBSAN_ALIGNMENT
- bool "Enable checks for pointers alignment"
- default !HAVE_EFFICIENT_UNALIGNED_ACCESS
- depends on !UBSAN_TRAP
- help
- This option enables the check of unaligned memory accesses.
- Enabling this option on architectures that support unaligned
- accesses may produce a lot of false positives.
-
config TEST_UBSAN
tristate "Module for testing for undefined behavior detection"
depends on m