linux/lib/Kconfig.ubsan
# SPDX-License-Identifier: GPL-2.0-only
# Kconfig options for the Undefined Behaviour Sanitizer (UBSAN).
# Everything between "if UBSAN" and "endif" is only available once the
# UBSAN menuconfig symbol below is enabled.

# Promptless bool with no default: nothing in this file sets it, so it is
# presumably selected by architecture Kconfig files (confirm against the
# arch tree). It gates UBSAN_SANITIZE_ALL further down.
config ARCH_HAS_UBSAN_SANITIZE_ALL
	bool

# Top-level switch for the sanitizer. Several checks below use
# "default UBSAN", so they follow this symbol unless changed individually.
menuconfig UBSAN
	bool "Undefined behaviour sanity checker"
	help
	  This option enables the Undefined Behaviour sanity checker.
	  Compile-time instrumentation is used to detect various undefined
	  behaviours at runtime. For more details, see:
	  Documentation/dev-tools/ubsan.rst

if UBSAN

# Reporting mode. Per the help text this trades the diagnostic text on
# failure paths for a bare trap: the image is smaller, but every sanitizer
# hit aborts the running kernel code rather than only being reported.
# Not offered under COMPILE_TEST, and requires compiler support for
# -fsanitize-undefined-trap-on-error. Other options in this file key off
# it: UBSAN_LOCAL_BOUNDS requires it, UBSAN_ALIGNMENT excludes it.
config UBSAN_TRAP
	bool "On Sanitizer warnings, abort the running kernel code"
	depends on !COMPILE_TEST
	depends on $(cc-option, -fsanitize-undefined-trap-on-error)
	help
	  Building kernels with Sanitizer features enabled tends to grow
	  the kernel size by around 5%, due to adding all the debugging
	  text on failure paths. To avoid this, Sanitizer instrumentation
	  can just issue a trap. This reduces the kernel size overhead but
	  turns all warnings (including potentially harmless conditions)
	  into full exceptions that abort the running kernel code
	  (regardless of context, locks held, etc), which may destabilize
	  the system. For some system builders this is an acceptable
	  trade-off.

# Computed symbol (no prompt). It is y only when KCOV and
# CC_HAS_SANCOV_TRACE_PC are both set, the compiler is clang, and the
# cc-option probe combining -fsanitize=bounds with
# -fsanitize-coverage=trace-pc fails.
# -Werror=unused-command-line-argument is part of the probe, presumably so
# that a silently ignored flag counts as a failure (confirm).
# NOTE(review): while this is y, UBSAN_BOUNDS and UBSAN_LOCAL_BOUNDS have an
# unmet dependency and drop out of the configuration; nothing in this file
# reports that, so a KCOV-enabled build on an affected clang should have its
# resulting .config checked for the bounds options.
config UBSAN_KCOV_BROKEN
	def_bool KCOV && CC_HAS_SANCOV_TRACE_PC
	depends on CC_IS_CLANG
	depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc)
	help
	  Some versions of clang support either UBSAN or KCOV but not the
	  combination of the two.
	  See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status
	  in newer releases.

# Compiler probe: y when the compiler accepts -fsanitize=bounds.
config CC_HAS_UBSAN_BOUNDS
	def_bool $(cc-option,-fsanitize=bounds)

# Compiler probe: y when the compiler accepts -fsanitize=array-bounds.
config CC_HAS_UBSAN_ARRAY_BOUNDS
	def_bool $(cc-option,-fsanitize=array-bounds)

# User-visible bounds-checking switch; follows UBSAN by default. It needs at
# least one of the two compiler probes above and is unavailable while
# UBSAN_KCOV_BROKEN is y. Scope, per the help text: directly indexed arrays
# whose size is known at compile time; overflows through the
# {str,mem}*cpy() family are left to CONFIG_FORTIFY_SOURCE.
config UBSAN_BOUNDS
	bool "Perform array index bounds checking"
	default UBSAN
	depends on !UBSAN_KCOV_BROKEN
	depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS
	help
	  This option enables detection of directly indexed out of bounds
	  array accesses, where the array size is known at compile time.
	  Note that this does not protect array overflows via bad calls
	  to the {str,mem}*cpy() family of functions (that is addressed
	  by CONFIG_FORTIFY_SOURCE).

# Computed symbol: y when UBSAN_BOUNDS is on and the compiler accepts
# -fsanitize=bounds but not -fsanitize=array-bounds (the GCC case described
# in the help text). Which compiler flag this symbol maps to is decided
# outside this file -- presumably in the UBSAN makefile; confirm.
config UBSAN_ONLY_BOUNDS
	def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS
	depends on UBSAN_BOUNDS
	help
	  This is a weird case: Clang's -fsanitize=bounds includes
	  -fsanitize=local-bounds, but it's trapping-only, so for
	  Clang, we must use -fsanitize=array-bounds when we want
	  traditional array bounds checking enabled. For GCC, we
	  want -fsanitize=bounds.

# Computed symbol: y when UBSAN_BOUNDS is on and the compiler accepts
# -fsanitize=array-bounds. It has no help text of its own; the
# UBSAN_ONLY_BOUNDS help above explains why the two symbols are split.
config UBSAN_ARRAY_BOUNDS
	def_bool CC_HAS_UBSAN_ARRAY_BOUNDS
	depends on UBSAN_BOUNDS

# No default line, so this check is off unless enabled explicitly. It is
# only offered together with UBSAN_TRAP, and like UBSAN_BOUNDS it is
# unavailable while UBSAN_KCOV_BROKEN is y.
config UBSAN_LOCAL_BOUNDS
	bool "Perform array local bounds checking"
	depends on UBSAN_TRAP
	depends on !UBSAN_KCOV_BROKEN
	depends on $(cc-option,-fsanitize=local-bounds)
	help
	  This option enables -fsanitize=local-bounds which traps when an
	  exception/error is detected. Therefore, it may only be enabled
	  with CONFIG_UBSAN_TRAP.

	  Enabling this option detects errors due to accesses through a
	  pointer that is derived from an object of a statically-known size,
	  where an added offset (which may not be known statically) is
	  out-of-bounds.

# Follows UBSAN by default; requires compiler support for -fsanitize=shift.
config UBSAN_SHIFT
	bool "Perform checking for bit-shift overflows"
	default UBSAN
	depends on $(cc-option,-fsanitize=shift)
	help
	  This option enables -fsanitize=shift which checks for bit-shift
	  operations that overflow to the left or go switch to negative
	  for signed types.

# No default line, so this check is off unless enabled explicitly.
# NOTE(review): the help text refers to CONFIG_UBSAN_REPORT_FULL, which is
# not defined anywhere in this file -- confirm that the symbol exists.
config UBSAN_DIV_ZERO
	bool "Perform checking for integer divide-by-zero"
	depends on $(cc-option,-fsanitize=integer-divide-by-zero)
	help
	  This option enables -fsanitize=integer-divide-by-zero which checks
	  for integer division by zero. This is effectively redundant with the
	  kernel's existing exception handling, though it can provide greater
	  debugging information under CONFIG_UBSAN_REPORT_FULL.

# No default line, so this check is off unless enabled explicitly, and it is
# not offered at all when STACK_VALIDATION is set (reason given below).
config UBSAN_UNREACHABLE
	bool "Perform checking for unreachable code"
	# objtool already handles unreachable checking and gets angry about
	# seeing UBSan instrumentation located in unreachable places.
	depends on !STACK_VALIDATION
	depends on $(cc-option,-fsanitize=unreachable)
	help
	  This option enables -fsanitize=unreachable which checks for control
	  flow reaching an expected-to-be-unreachable position.

# Follows UBSAN by default, but is never offered when the compiler is GCC
# (CC_IS_GCC), so a GCC build has no object-size checking from this file.
config UBSAN_OBJECT_SIZE
	bool "Perform checking for accesses beyond the end of objects"
	default UBSAN
	# gcc hugely expands stack usage with -fsanitize=object-size
	# https://lore.kernel.org/lkml/CAHk-=wjPasyJrDuwDnpHJS2TuQfExwe=px-SzLeN8GFMAQJPmQ@mail.gmail.com/
	depends on !CC_IS_GCC
	depends on $(cc-option,-fsanitize=object-size)
	help
	  This option enables -fsanitize=object-size which checks for accesses
	  beyond the end of objects where the optimizer can determine both the
	  object being operated on and its size, usually seen with bad downcasts,
	  or access to struct members from NULL pointers.

# Follows UBSAN by default; requires compiler support for -fsanitize=bool.
config UBSAN_BOOL
	bool "Perform checking for non-boolean values used as boolean"
	default UBSAN
	depends on $(cc-option,-fsanitize=bool)
	help
	  This option enables -fsanitize=bool which checks for boolean values being
	  loaded that are neither 0 nor 1.

# Follows UBSAN by default; requires compiler support for -fsanitize=enum.
config UBSAN_ENUM
	bool "Perform checking for out of bounds enum values"
	default UBSAN
	depends on $(cc-option,-fsanitize=enum)
	help
	  This option enables -fsanitize=enum which checks for values being loaded
	  into an enum that are outside the range of given values for the given enum.

# Defaults to y only where HAVE_EFFICIENT_UNALIGNED_ACCESS is not set.
# Unavailable with UBSAN_TRAP or COMPILE_TEST -- presumably because the
# false positives mentioned in the help text would become aborts in trap
# mode (confirm).
config UBSAN_ALIGNMENT
	bool "Perform checking for misaligned pointer usage"
	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
	depends on !UBSAN_TRAP && !COMPILE_TEST
	depends on $(cc-option,-fsanitize=alignment)
	help
	  This option enables the check of unaligned memory accesses.
	  Enabling this option on architectures that support unaligned
	  accesses may produce a lot of false positives.

# Coverage switch: default y, but only offered when
# ARCH_HAS_UBSAN_SANITIZE_ALL is set. With this off, instrumentation is
# opt-in per file/directory via UBSAN_SANITIZE := y, so UBSAN=y alone does
# not mean the whole kernel is checked.
config UBSAN_SANITIZE_ALL
	bool "Enable instrumentation for the entire kernel"
	depends on ARCH_HAS_UBSAN_SANITIZE_ALL
	default y
	help
	  This option activates instrumentation for the entire kernel.
	  If you don't enable this option, you have to explicitly specify
	  UBSAN_SANITIZE := y for the files/directories you want to check for UB.
	  Enabling this option will get kernel image size increased
	  significantly.

# "depends on m" limits this tristate to being built as a module. Per the
# help text the module triggers undefined behaviour on purpose, so it is
# presumably intended for test systems only.
config TEST_UBSAN
	tristate "Module for testing for undefined behavior detection"
	depends on m
	help
	  This is a test module for UBSAN.
	  It triggers various undefined behavior, and detect it.

endif	# if UBSAN