lib/Kconfig.ubsan at master · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / lib / Kconfig.ubsan
at master 179 lines 7.2 kB view raw
  1# SPDX-License-Identifier: GPL-2.0-only
  2config ARCH_HAS_UBSAN
  3	bool
  4
  5menuconfig UBSAN
  6	bool "Undefined behaviour sanity checker"
  7	depends on ARCH_HAS_UBSAN
  8	help
  9	  This option enables the Undefined Behaviour sanity checker.
 10	  Compile-time instrumentation is used to detect various undefined
 11	  behaviours at runtime. For more details, see:
 12	  Documentation/dev-tools/ubsan.rst
 13
 14if UBSAN
 15
 16config UBSAN_TRAP
 17	bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
 18	depends on !COMPILE_TEST
 19	help
 20	  Building kernels with Sanitizer features enabled tends to grow
 21	  the kernel size by around 5%, due to adding all the debugging
 22	  text on failure paths. To avoid this, Sanitizer instrumentation
 23	  can just issue a trap. This reduces the kernel size overhead but
 24	  turns all warnings (including potentially harmless conditions)
 25	  into full exceptions that abort the running kernel code
 26	  (regardless of context, locks held, etc), which may destabilize
 27	  the system. For some system builders this is an acceptable
 28	  trade-off.
 29
 30	  Also note that selecting Y will cause your kernel to Oops
 31	  with an "illegal instruction" error with no further details
 32	  when a UBSAN violation occurs. (Except on arm64 and x86, which
 33	  will report which Sanitizer failed.) This may make it hard to
 34	  determine whether an Oops was caused by UBSAN or to figure
 35	  out the details of a UBSAN violation. It makes the kernel log
 36	  output less useful for bug reports.
 37
 38config CC_HAS_UBSAN_BOUNDS_STRICT
 39	def_bool $(cc-option,-fsanitize=bounds-strict)
 40	help
 41	  The -fsanitize=bounds-strict option is only available on GCC,
 42	  but uses the more strict handling of arrays that includes knowledge
 43	  of flexible arrays, which is comparable to Clang's regular
 44	  -fsanitize=bounds.
 45
 46config CC_HAS_UBSAN_ARRAY_BOUNDS
 47	def_bool $(cc-option,-fsanitize=array-bounds)
 48	help
 49	  Under Clang, the -fsanitize=bounds option is actually composed
 50	  of two more specific options, -fsanitize=array-bounds and
 51	  -fsanitize=local-bounds. However, -fsanitize=local-bounds can
 52	  only be used when trap mode is enabled. (See also the help for
 53	  CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
 54	  so that we can build up the options needed for UBSAN_BOUNDS
 55	  with or without UBSAN_TRAP.
 56
 57config UBSAN_BOUNDS
 58	bool "Perform array index bounds checking"
 59	default UBSAN
 60	depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
 61	help
 62	  This option enables detection of directly indexed out of bounds
 63	  array accesses, where the array size is known at compile time.
 64	  Note that this does not protect array overflows via bad calls
 65	  to the {str,mem}*cpy() family of functions (that is addressed
 66	  by CONFIG_FORTIFY_SOURCE).
 67
 68config UBSAN_BOUNDS_STRICT
 69	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
 70	help
 71	  GCC's bounds sanitizer. This option is used to select the
 72	  correct options in Makefile.ubsan.
 73
 74config UBSAN_ARRAY_BOUNDS
 75	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
 76	help
 77	  Clang's array bounds sanitizer. This option is used to select
 78	  the correct options in Makefile.ubsan.
 79
 80config UBSAN_LOCAL_BOUNDS
 81	def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
 82	help
 83	  This option enables Clang's -fsanitize=local-bounds which traps
 84	  when an access through a pointer that is derived from an object
 85	  of a statically-known size, where an added offset (which may not
 86	  be known statically) is out-of-bounds. Since this option is
 87	  trap-only, it depends on CONFIG_UBSAN_TRAP.
 88
 89config UBSAN_SHIFT
 90	bool "Perform checking for bit-shift overflows"
 91	depends on $(cc-option,-fsanitize=shift)
 92	help
 93	  This option enables -fsanitize=shift which checks for bit-shift
 94	  operations that overflow to the left or go switch to negative
 95	  for signed types.
 96
 97config UBSAN_DIV_ZERO
 98	bool "Perform checking for integer divide-by-zero"
 99	depends on $(cc-option,-fsanitize=integer-divide-by-zero)
100	# https://github.com/ClangBuiltLinux/linux/issues/1657
101	# https://github.com/llvm/llvm-project/issues/56289
102	depends on !CC_IS_CLANG
103	help
104	  This option enables -fsanitize=integer-divide-by-zero which checks
105	  for integer division by zero. This is effectively redundant with the
106	  kernel's existing exception handling, though it can provide greater
107	  debugging information under CONFIG_UBSAN_REPORT_FULL.
108
109config UBSAN_UNREACHABLE
110	bool "Perform checking for unreachable code"
111	# objtool already handles unreachable checking and gets angry about
112	# seeing UBSan instrumentation located in unreachable places.
113	depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
114	depends on $(cc-option,-fsanitize=unreachable)
115	help
116	  This option enables -fsanitize=unreachable which checks for control
117	  flow reaching an expected-to-be-unreachable position.
118
119config UBSAN_INTEGER_WRAP
120	bool "Perform checking for integer arithmetic wrap-around"
121	# This is very experimental so drop the next line if you really want it
122	depends on BROKEN
123	depends on !COMPILE_TEST
124	depends on $(cc-option,-fsanitize-undefined-ignore-overflow-pattern=all)
125	depends on $(cc-option,-fsanitize=signed-integer-overflow)
126	depends on $(cc-option,-fsanitize=unsigned-integer-overflow)
127	depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation)
128	depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation)
129	depends on $(cc-option,-fsanitize-ignorelist=/dev/null)
130	help
131	  This option enables all of the sanitizers involved in integer overflow
132	  (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow,
133	  implicit-signed-integer-truncation, and implicit-unsigned-integer-truncation.
134	  This is currently limited only to the size_t type while testing and
135	  compiler development continues.
136
137config UBSAN_BOOL
138	bool "Perform checking for non-boolean values used as boolean"
139	default UBSAN
140	depends on $(cc-option,-fsanitize=bool)
141	help
142	  This option enables -fsanitize=bool which checks for boolean values being
143	  loaded that are neither 0 nor 1.
144
145config UBSAN_ENUM
146	bool "Perform checking for out of bounds enum values"
147	default UBSAN
148	depends on $(cc-option,-fsanitize=enum)
149	help
150	  This option enables -fsanitize=enum which checks for values being loaded
151	  into an enum that are outside the range of given values for the given enum.
152
153config UBSAN_ALIGNMENT
154	bool "Perform checking for misaligned pointer usage"
155	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
156	depends on !UBSAN_TRAP && !COMPILE_TEST
157	depends on $(cc-option,-fsanitize=alignment)
158	help
159	  This option enables the check of unaligned memory accesses.
160	  Enabling this option on architectures that support unaligned
161	  accesses may produce a lot of false positives.
162
163config TEST_UBSAN
164	tristate "Module for testing for undefined behavior detection"
165	depends on m
166	help
167	  This is a test module for UBSAN.
168	  It triggers various undefined behavior, and detect it.
169
170config UBSAN_KVM_EL2
171	bool "UBSAN for KVM code at EL2"
172	depends on ARM64
173	help
174	  Enable UBSAN when running on ARM64 with KVM in a split mode
175	  (nvhe/hvhe/protected) for the hypervisor code running in EL2.
176	  In this mode, any UBSAN violation in EL2 would panic the kernel
177	  and information similar to UBSAN_TRAP would be printed.
178
179endif	# if UBSAN