# SPDX-License-Identifier: GPL-2.0-only
config ARCH_HAS_UBSAN_SANITIZE_ALL
	bool

menuconfig UBSAN
	bool "Undefined behaviour sanity checker"
	help
	  This option enables the Undefined Behaviour sanity checker.
	  Compile-time instrumentation is used to detect various undefined
	  behaviours at runtime. For more details, see:
	  Documentation/dev-tools/ubsan.rst

if UBSAN

config UBSAN_TRAP
	bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
	depends on !COMPILE_TEST
	help
	  Building kernels with Sanitizer features enabled tends to grow
	  the kernel size by around 5%, due to adding all the debugging
	  text on failure paths. To avoid this, Sanitizer instrumentation
	  can just issue a trap. This reduces the kernel size overhead but
	  turns all warnings (including potentially harmless conditions)
	  into full exceptions that abort the running kernel code
	  (regardless of context, locks held, etc), which may destabilize
	  the system. For some system builders this is an acceptable
	  trade-off.

	  Also note that selecting Y will cause your kernel to Oops
	  with an "illegal instruction" error with no further details
	  when a UBSAN violation occurs. (Except on arm64 and x86, which
	  will report which Sanitizer failed.) This may make it hard to
	  determine whether an Oops was caused by UBSAN or to figure
	  out the details of a UBSAN violation. It makes the kernel log
	  output less useful for bug reports.

config CC_HAS_UBSAN_BOUNDS_STRICT
	def_bool $(cc-option,-fsanitize=bounds-strict)
	help
	  The -fsanitize=bounds-strict option is only available on GCC,
	  but uses the more strict handling of arrays that includes knowledge
	  of flexible arrays, which is comparable to Clang's regular
	  -fsanitize=bounds.

config CC_HAS_UBSAN_ARRAY_BOUNDS
	def_bool $(cc-option,-fsanitize=array-bounds)
	help
	  Under Clang, the -fsanitize=bounds option is actually composed
	  of two more specific options, -fsanitize=array-bounds and
	  -fsanitize=local-bounds. However, -fsanitize=local-bounds can
	  only be used when trap mode is enabled. (See also the help for
	  CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
	  so that we can build up the options needed for UBSAN_BOUNDS
	  with or without UBSAN_TRAP.

config UBSAN_BOUNDS
	bool "Perform array index bounds checking"
	default UBSAN
	depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
	help
	  This option enables detection of directly indexed out of bounds
	  array accesses, where the array size is known at compile time.
	  Note that this does not protect against array overflows via bad
	  calls to the {str,mem}*cpy() family of functions (that is
	  addressed by CONFIG_FORTIFY_SOURCE).

config UBSAN_BOUNDS_STRICT
	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
	help
	  GCC's bounds sanitizer. This option is used to select the
	  correct options in Makefile.ubsan.

config UBSAN_ARRAY_BOUNDS
	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
	help
	  Clang's array bounds sanitizer. This option is used to select
	  the correct options in Makefile.ubsan.

config UBSAN_LOCAL_BOUNDS
	def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
	help
	  This option enables Clang's -fsanitize=local-bounds which traps
	  when an access through a pointer that is derived from an object
	  of a statically-known size, where an added offset (which may not
	  be known statically) is out-of-bounds. Since this option is
	  trap-only, it depends on CONFIG_UBSAN_TRAP.

config UBSAN_SHIFT
	bool "Perform checking for bit-shift overflows"
	default UBSAN
	depends on $(cc-option,-fsanitize=shift)
	help
	  This option enables -fsanitize=shift which checks for bit-shift
	  operations that overflow to the left or switch to negative
	  for signed types.

config UBSAN_DIV_ZERO
	bool "Perform checking for integer divide-by-zero"
	depends on $(cc-option,-fsanitize=integer-divide-by-zero)
	# https://github.com/ClangBuiltLinux/linux/issues/1657
	# https://github.com/llvm/llvm-project/issues/56289
	depends on !CC_IS_CLANG
	help
	  This option enables -fsanitize=integer-divide-by-zero which checks
	  for integer division by zero. This is effectively redundant with the
	  kernel's existing exception handling, though it can provide greater
	  debugging information under CONFIG_UBSAN_REPORT_FULL.

config UBSAN_UNREACHABLE
	bool "Perform checking for unreachable code"
	# objtool already handles unreachable checking and gets angry about
	# seeing UBSan instrumentation located in unreachable places.
	depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
	depends on $(cc-option,-fsanitize=unreachable)
	help
	  This option enables -fsanitize=unreachable which checks for control
	  flow reaching an expected-to-be-unreachable position.

config UBSAN_BOOL
	bool "Perform checking for non-boolean values used as boolean"
	default UBSAN
	depends on $(cc-option,-fsanitize=bool)
	help
	  This option enables -fsanitize=bool which checks for boolean values being
	  loaded that are neither 0 nor 1.

config UBSAN_ENUM
	bool "Perform checking for out of bounds enum values"
	default UBSAN
	depends on $(cc-option,-fsanitize=enum)
	help
	  This option enables -fsanitize=enum which checks for values being loaded
	  into an enum that are outside the range of given values for the given enum.

config UBSAN_ALIGNMENT
	bool "Perform checking for misaligned pointer usage"
	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
	depends on !UBSAN_TRAP && !COMPILE_TEST
	depends on $(cc-option,-fsanitize=alignment)
	help
	  This option enables the check of unaligned memory accesses.
	  Enabling this option on architectures that support unaligned
	  accesses may produce a lot of false positives.

config UBSAN_SANITIZE_ALL
	bool "Enable instrumentation for the entire kernel"
	depends on ARCH_HAS_UBSAN_SANITIZE_ALL
	default y
	help
	  This option activates instrumentation for the entire kernel.
	  If you don't enable this option, you have to explicitly specify
	  UBSAN_SANITIZE := y for the files/directories you want to check for UB.
	  Enabling this option will increase the kernel image size
	  significantly.

config TEST_UBSAN
	tristate "Module for testing for undefined behavior detection"
	depends on m
	help
	  This is a test module for UBSAN.
	  It triggers various undefined behavior and detects it.

endif	# if UBSAN
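
Added example, not part of the kernel tree: a small audit of a built kernel's .config against the dependency rules stated in the Kconfig above, reporting whether UBSAN runs in trap or report mode and which checks are active. The function names, the finding strings and the sample .config are assumptions constructed for illustration.

```python
import re

# Constructed sample .config fragment (not taken from a real build). It was
# hand-edited so that it violates two dependencies stated in the Kconfig above.
SAMPLE_CONFIG = """\
CONFIG_CC_IS_CLANG=y
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_ARRAY_BOUNDS=y
CONFIG_UBSAN_LOCAL_BOUNDS=y
CONFIG_UBSAN_SHIFT=y
CONFIG_UBSAN_DIV_ZERO=y
# CONFIG_UBSAN_UNREACHABLE is not set
CONFIG_UBSAN_ALIGNMENT=y
# CONFIG_UBSAN_SANITIZE_ALL is not set
"""

CHECKS = ("BOUNDS", "SHIFT", "DIV_ZERO", "UNREACHABLE", "BOOL", "ENUM", "ALIGNMENT")

def enabled_symbols(text):
    """Return the CONFIG_ symbols set to y or m, without the CONFIG_ prefix."""
    return set(re.findall(r"^CONFIG_(\w+)=[ym]$", text, re.M))

def audit_ubsan(text):
    """Summarise the UBSAN setup and list violated dependencies from the Kconfig."""
    on = enabled_symbols(text)
    if "UBSAN" not in on:
        return {"mode": "off", "checks": [], "findings": []}
    trap = "UBSAN_TRAP" in on
    findings = []
    if trap and "UBSAN_ALIGNMENT" in on:
        findings.append("UBSAN_ALIGNMENT requires !UBSAN_TRAP")
    if "UBSAN_LOCAL_BOUNDS" in on and not (trap and "UBSAN_ARRAY_BOUNDS" in on):
        findings.append("UBSAN_LOCAL_BOUNDS requires UBSAN_ARRAY_BOUNDS && UBSAN_TRAP")
    if "UBSAN_BOUNDS" in on and not on & {"UBSAN_ARRAY_BOUNDS", "UBSAN_BOUNDS_STRICT"}:
        findings.append("UBSAN_BOUNDS set but no compiler bounds option selected")
    if "UBSAN_DIV_ZERO" in on and "CC_IS_CLANG" in on:
        findings.append("UBSAN_DIV_ZERO requires !CC_IS_CLANG")
    if "UBSAN_SANITIZE_ALL" not in on:
        findings.append("partial coverage: only UBSAN_SANITIZE := y files are instrumented")
    return {
        "mode": "trap" if trap else "report",
        "checks": [c for c in CHECKS if "UBSAN_" + c in on],
        "findings": findings,
    }

if __name__ == "__main__":
    result = audit_ubsan(SAMPLE_CONFIG)
    print(result["mode"], result["checks"])
    for finding in result["findings"]:
        print("-", finding)
```

A dependency finding means the .config was edited by hand or is stale, since Kconfig itself would not produce that combination.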