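# SPDX-License-Identifier: GPL-2.0-only
# Hidden capability symbol (no prompt, so it cannot be set from the menu).
# UBSAN_SANITIZE_ALL in this file depends on it.
config ARCH_HAS_UBSAN_SANITIZE_ALL
	bool

# Top-level switch for the sanitizer. Every option between "if UBSAN" and
# the matching "endif" is only visible when this is enabled.
menuconfig UBSAN
	bool "Undefined behaviour sanity checker"
	help
	  This option enables the Undefined Behaviour sanity checker.
	  Compile-time instrumentation is used to detect various undefined
	  behaviours at runtime. For more details, see:
	  Documentation/dev-tools/ubsan.rst

if UBSAN

# Trade-off to weigh before enabling: per the help text, a trap aborts the
# running kernel code regardless of context or locks held, so even a harmless
# finding can destabilize the system. In exchange the report text is dropped
# from the failure paths, which avoids the roughly 5% size increase.
config UBSAN_TRAP
	bool "On Sanitizer warnings, abort the running kernel code"
	# Not selectable in COMPILE_TEST builds.
	depends on !COMPILE_TEST
	# Only offered when the compiler accepts the trap-on-error flag.
	depends on $(cc-option, -fsanitize-undefined-trap-on-error)
	help
	  Building kernels with Sanitizer features enabled tends to grow
	  the kernel size by around 5%, due to adding all the debugging
	  text on failure paths. To avoid this, Sanitizer instrumentation
	  can just issue a trap. This reduces the kernel size overhead but
	  turns all warnings (including potentially harmless conditions)
	  into full exceptions that abort the running kernel code
	  (regardless of context, locks held, etc), which may destabilize
	  the system. For some system builders this is an acceptable
	  trade-off.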
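# Computed symbol (def_bool, no prompt). It is set for Clang builds where KCOV
# with trace-pc support is present but the compiler rejects -fsanitize=bounds
# combined with -fsanitize-coverage=trace-pc. UBSAN_BOUNDS below depends on
# this being unset, so on such a toolchain bounds checking is not offered
# while KCOV is enabled.
config UBSAN_KCOV_BROKEN
	def_bool KCOV && CC_HAS_SANCOV_TRACE_PC
	depends on CC_IS_CLANG
	# -Werror=unused-command-line-argument is part of the probe, so an
	# ignored flag makes the probe fail.
	depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc)
	help
	  Some versions of clang support either UBSAN or KCOV but not the
	  combination of the two.
	  See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status
	  in newer releases.

# Compiler probes: each records whether the toolchain accepts the named flag.
config CC_HAS_UBSAN_BOUNDS
	def_bool $(cc-option,-fsanitize=bounds)

config CC_HAS_UBSAN_ARRAY_BOUNDS
	def_bool $(cc-option,-fsanitize=array-bounds)

# Scope, from the help text: only directly indexed arrays whose size is known
# at compile time are covered. Overflows through the {str,mem}*cpy() family
# are not detected here; CONFIG_FORTIFY_SOURCE addresses those.
config UBSAN_BOUNDS
	bool "Perform array index bounds checking"
	# On by default whenever UBSAN is enabled.
	default UBSAN
	depends on !UBSAN_KCOV_BROKEN
	# Either of the two bounds flags is sufficient.
	depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS
	help
	  This option enables detection of directly indexed out of bounds
	  array accesses, where the array size is known at compile time.
	  Note that this does not protect array overflows via bad calls
	  to the {str,mem}*cpy() family of functions (that is addressed
	  by CONFIG_FORTIFY_SOURCE).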
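# Computed symbol: true when the compiler accepts -fsanitize=bounds but not
# -fsanitize=array-bounds (the GCC case described in the help text), and
# UBSAN_BOUNDS is enabled.
config UBSAN_ONLY_BOUNDS
	def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS
	depends on UBSAN_BOUNDS
	help
	  This is a weird case: Clang's -fsanitize=bounds includes
	  -fsanitize=local-bounds, but it's trapping-only, so for
	  Clang, we must use -fsanitize=array-bounds when we want
	  traditional array bounds checking enabled. For GCC, we
	  want -fsanitize=bounds.

# Computed symbol: true when the compiler accepts -fsanitize=array-bounds and
# UBSAN_BOUNDS is enabled.
config UBSAN_ARRAY_BOUNDS
	def_bool CC_HAS_UBSAN_ARRAY_BOUNDS
	depends on UBSAN_BOUNDS

# No "default" line, so this stays off unless explicitly selected. It is only
# available together with UBSAN_TRAP, so every finding from this check
# becomes a trap rather than a warning.
config UBSAN_LOCAL_BOUNDS
	bool "Perform array local bounds checking"
	depends on UBSAN_TRAP
	depends on !UBSAN_KCOV_BROKEN
	depends on $(cc-option,-fsanitize=local-bounds)
	help
	  This option enables -fsanitize=local-bounds which traps when an
	  exception/error is detected. Therefore, it may only be enabled
	  with CONFIG_UBSAN_TRAP.

	  Enabling this option detects errors due to accesses through a
	  pointer that is derived from an object of a statically-known size,
	  where an added offset (which may not be known statically) is
	  out-of-bounds.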
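# Shift checking; on by default whenever UBSAN is enabled and the compiler
# accepts -fsanitize=shift.
# NOTE(review): "go switch to negative" in the help text reads like an
# editing slip; the wording is left as found.
config UBSAN_SHIFT
	bool "Perform checking for bit-shift overflows"
	default UBSAN
	depends on $(cc-option,-fsanitize=shift)
	help
	  This option enables -fsanitize=shift which checks for bit-shift
	  operations that overflow to the left or go switch to negative
	  for signed types.

# No "default" line, so this stays off unless explicitly selected.
# NOTE(review): the help text refers to CONFIG_UBSAN_REPORT_FULL, which is
# not defined in the part of the file shown here; confirm the symbol exists.
config UBSAN_DIV_ZERO
	bool "Perform checking for integer divide-by-zero"
	depends on $(cc-option,-fsanitize=integer-divide-by-zero)
	help
	  This option enables -fsanitize=integer-divide-by-zero which checks
	  for integer division by zero. This is effectively redundant with the
	  kernel's existing exception handling, though it can provide greater
	  debugging information under CONFIG_UBSAN_REPORT_FULL.

# No "default" line, so this stays off unless explicitly selected, and it is
# not offered at all when STACK_VALIDATION is enabled.
config UBSAN_UNREACHABLE
	bool "Perform checking for unreachable code"
	# objtool already handles unreachable checking and gets angry about
	# seeing UBSan instrumentation located in unreachable places.
	depends on !STACK_VALIDATION
	depends on $(cc-option,-fsanitize=unreachable)
	help
	  This option enables -fsanitize=unreachable which checks for control
	  flow reaching an expected-to-be-unreachable position.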
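# On by default whenever UBSAN is enabled, but never offered for GCC builds
# (see the stack-usage comment below). Per the help text, coverage is limited
# to accesses where the optimizer can determine both the object and its size.
config UBSAN_OBJECT_SIZE
	bool "Perform checking for accesses beyond the end of objects"
	default UBSAN
	# gcc hugely expands stack usage with -fsanitize=object-size
	# https://lore.kernel.org/lkml/CAHk-=wjPasyJrDuwDnpHJS2TuQfExwe=px-SzLeN8GFMAQJPmQ@mail.gmail.com/
	depends on !CC_IS_GCC
	depends on $(cc-option,-fsanitize=object-size)
	help
	  This option enables -fsanitize=object-size which checks for accesses
	  beyond the end of objects where the optimizer can determine both the
	  object being operated on and its size, usually seen with bad downcasts,
	  or access to struct members from NULL pointers.

# On by default whenever UBSAN is enabled and the compiler accepts
# -fsanitize=bool.
config UBSAN_BOOL
	bool "Perform checking for non-boolean values used as boolean"
	default UBSAN
	depends on $(cc-option,-fsanitize=bool)
	help
	  This option enables -fsanitize=bool which checks for boolean values being
	  loaded that are neither 0 nor 1.

# On by default whenever UBSAN is enabled and the compiler accepts
# -fsanitize=enum.
config UBSAN_ENUM
	bool "Perform checking for out of bounds enum values"
	default UBSAN
	depends on $(cc-option,-fsanitize=enum)
	help
	  This option enables -fsanitize=enum which checks for values being loaded
	  into an enum that are outside the range of given values for the given enum.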
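# Defaults to on only where HAVE_EFFICIENT_UNALIGNED_ACCESS is not set, and
# is not offered together with UBSAN_TRAP or COMPILE_TEST.
# NOTE(review): presumably the UBSAN_TRAP exclusion exists because the false
# positives mentioned in the help text would otherwise become traps; confirm.
config UBSAN_ALIGNMENT
	bool "Perform checking for misaligned pointer usage"
	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
	depends on !UBSAN_TRAP && !COMPILE_TEST
	depends on $(cc-option,-fsanitize=alignment)
	help
	  This option enables the check of unaligned memory accesses.
	  Enabling this option on architectures that support unaligned
	  accesses may produce a lot of false positives.

# Coverage switch. With this off, only files or directories that set
# UBSAN_SANITIZE := y are instrumented, so a lack of reports from other code
# says nothing about that code.
config UBSAN_SANITIZE_ALL
	bool "Enable instrumentation for the entire kernel"
	# Only offered on architectures that declare support.
	depends on ARCH_HAS_UBSAN_SANITIZE_ALL
	default y
	help
	  This option activates instrumentation for the entire kernel.
	  If you don't enable this option, you have to explicitly specify
	  UBSAN_SANITIZE := y for the files/directories you want to check for UB.
	  Enabling this option will get kernel image size increased
	  significantly.

# Test-only: per the help text the module deliberately triggers undefined
# behaviour so that detection can be observed. "depends on m" restricts it to
# a loadable module; it cannot be built into the kernel image.
config TEST_UBSAN
	tristate "Module for testing for undefined behavior detection"
	depends on m
	help
	  This is a test module for UBSAN.
	  It triggers various undefined behavior, and detect it.

endif	# if UBSAN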