# SPDX-License-Identifier: GPL-2.0-only
config ARCH_HAS_UBSAN_SANITIZE_ALL
	bool

menuconfig UBSAN
	bool "Undefined behaviour sanity checker"
	help
	  This option enables the Undefined Behaviour sanity checker.
	  Compile-time instrumentation is used to detect various undefined
	  behaviours at runtime. For more details, see:
	  Documentation/dev-tools/ubsan.rst

if UBSAN

config UBSAN_TRAP
	bool "On Sanitizer warnings, abort the running kernel code"
	depends on !COMPILE_TEST
	depends on $(cc-option, -fsanitize-undefined-trap-on-error)
	help
	  Building kernels with Sanitizer features enabled tends to grow
	  the kernel size by around 5%, due to adding all the debugging
	  text on failure paths. To avoid this, Sanitizer instrumentation
	  can just issue a trap. This reduces the kernel size overhead but
	  turns all warnings (including potentially harmless conditions)
	  into full exceptions that abort the running kernel code
	  (regardless of context, locks held, etc), which may destabilize
	  the system. For some system builders this is an acceptable
	  trade-off.

config CC_HAS_UBSAN_BOUNDS
	def_bool $(cc-option,-fsanitize=bounds)

config CC_HAS_UBSAN_ARRAY_BOUNDS
	def_bool $(cc-option,-fsanitize=array-bounds)

config UBSAN_BOUNDS
	bool "Perform array index bounds checking"
	default UBSAN
	depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS
	help
	  This option enables detection of directly indexed out of bounds
	  array accesses, where the array size is known at compile time.
	  Note that this does not protect array overflows via bad calls
	  to the {str,mem}*cpy() family of functions (that is addressed
	  by CONFIG_FORTIFY_SOURCE).

config UBSAN_ONLY_BOUNDS
	def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS
	depends on UBSAN_BOUNDS
	help
	  This is a weird case: Clang's -fsanitize=bounds includes
	  -fsanitize=local-bounds, but it's trapping-only, so for
	  Clang, we must use -fsanitize=array-bounds when we want
	  traditional array bounds checking enabled. For GCC, we
	  want -fsanitize=bounds.

config UBSAN_ARRAY_BOUNDS
	def_bool CC_HAS_UBSAN_ARRAY_BOUNDS
	depends on UBSAN_BOUNDS

config UBSAN_LOCAL_BOUNDS
	bool "Perform array local bounds checking"
	depends on UBSAN_TRAP
	depends on $(cc-option,-fsanitize=local-bounds)
	help
	  This option enables -fsanitize=local-bounds which traps when an
	  exception/error is detected. Therefore, it may only be enabled
	  with CONFIG_UBSAN_TRAP.

	  Enabling this option detects errors due to accesses through a
	  pointer that is derived from an object of a statically-known size,
	  where an added offset (which may not be known statically) is
	  out-of-bounds.

config UBSAN_SHIFT
	bool "Perform checking for bit-shift overflows"
	default UBSAN
	depends on $(cc-option,-fsanitize=shift)
	help
	  This option enables -fsanitize=shift which checks for bit-shift
	  operations that overflow to the left or switch to negative
	  for signed types.

config UBSAN_DIV_ZERO
	bool "Perform checking for integer divide-by-zero"
	depends on $(cc-option,-fsanitize=integer-divide-by-zero)
	# https://github.com/ClangBuiltLinux/linux/issues/1657
	# https://github.com/llvm/llvm-project/issues/56289
	depends on !CC_IS_CLANG
	help
	  This option enables -fsanitize=integer-divide-by-zero which checks
	  for integer division by zero. This is effectively redundant with the
	  kernel's existing exception handling, though it can provide greater
	  debugging information under CONFIG_UBSAN_REPORT_FULL.

config UBSAN_UNREACHABLE
	bool "Perform checking for unreachable code"
	# objtool already handles unreachable checking and gets angry about
	# seeing UBSan instrumentation located in unreachable places.
	depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
	depends on $(cc-option,-fsanitize=unreachable)
	help
	  This option enables -fsanitize=unreachable which checks for control
	  flow reaching an expected-to-be-unreachable position.

config UBSAN_BOOL
	bool "Perform checking for non-boolean values used as boolean"
	default UBSAN
	depends on $(cc-option,-fsanitize=bool)
	help
	  This option enables -fsanitize=bool which checks for boolean values being
	  loaded that are neither 0 nor 1.

config UBSAN_ENUM
	bool "Perform checking for out of bounds enum values"
	default UBSAN
	depends on $(cc-option,-fsanitize=enum)
	help
	  This option enables -fsanitize=enum which checks for values being loaded
	  into an enum that are outside the range of given values for the given enum.

config UBSAN_ALIGNMENT
	bool "Perform checking for misaligned pointer usage"
	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
	depends on !UBSAN_TRAP && !COMPILE_TEST
	depends on $(cc-option,-fsanitize=alignment)
	help
	  This option enables the check of unaligned memory accesses.
	  Enabling this option on architectures that support unaligned
	  accesses may produce a lot of false positives.

config UBSAN_SANITIZE_ALL
	bool "Enable instrumentation for the entire kernel"
	depends on ARCH_HAS_UBSAN_SANITIZE_ALL
	default y
	help
	  This option activates instrumentation for the entire kernel.
	  If you don't enable this option, you have to explicitly specify
	  UBSAN_SANITIZE := y for the files/directories you want to check for UB.
	  Enabling this option will increase the kernel image size
	  significantly.

config TEST_UBSAN
	tristate "Module for testing for undefined behavior detection"
	depends on m
	help
	  This is a test module for UBSAN.
	  It triggers various kinds of undefined behavior and detects them.

endif	# if UBSAN
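
An added example, not part of the kernel tree: a POSIX shell check that reads a kernel .config and reports findings derived from the dependency lines and help texts above (UBSAN_LOCAL_BOUNDS needing UBSAN_TRAP, UBSAN_ALIGNMENT excluding it, {str,mem}*cpy() overflows being left to FORTIFY_SOURCE). The helper names sample_config, has and ubsan_audit are hypothetical, and the sample .config is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample .config fragment (not from a real build).
sample_config() {
cat <<'EOF'
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_LOCAL_BOUNDS=y
CONFIG_UBSAN_SHIFT=y
CONFIG_UBSAN_BOOL=y
CONFIG_UBSAN_ENUM=y
CONFIG_UBSAN_ALIGNMENT=y
# CONFIG_UBSAN_SANITIZE_ALL is not set
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_TEST_UBSAN=m
EOF
}

# has FILE SYMBOL: true when CONFIG_<SYMBOL> is =y or =m in FILE.
has() { grep -Eq "^CONFIG_$2=[ym]\$" "$1"; }

# ubsan_audit FILE: print one finding per line (hypothetical helper).
ubsan_audit() {
    cfg=$1
    if ! has "$cfg" UBSAN; then
        echo "INFO: UBSAN is off, no checks are compiled in"
        return 0
    fi
    for s in BOUNDS LOCAL_BOUNDS SHIFT DIV_ZERO UNREACHABLE BOOL ENUM ALIGNMENT; do
        has "$cfg" "UBSAN_$s" || echo "OFF: UBSAN_$s"
    done
    has "$cfg" UBSAN_TRAP &&
        echo "NOTE: UBSAN_TRAP set, warnings abort the running kernel code"
    has "$cfg" UBSAN_LOCAL_BOUNDS && ! has "$cfg" UBSAN_TRAP &&
        echo "BAD: UBSAN_LOCAL_BOUNDS depends on UBSAN_TRAP"
    has "$cfg" UBSAN_ALIGNMENT && has "$cfg" UBSAN_TRAP &&
        echo "BAD: UBSAN_ALIGNMENT depends on !UBSAN_TRAP"
    has "$cfg" UBSAN_BOUNDS && ! has "$cfg" FORTIFY_SOURCE &&
        echo "GAP: {str,mem}*cpy() overflows are left to FORTIFY_SOURCE, which is off"
    has "$cfg" UBSAN_SANITIZE_ALL ||
        echo "GAP: only code marked UBSAN_SANITIZE := y is instrumented"
    has "$cfg" TEST_UBSAN && echo "NOTE: TEST_UBSAN test module is built"
    return 0
}

# Audit the file given as $1, or the constructed sample when run without arguments.
if [ -n "${1:-}" ]; then ubsan_audit "$1"; else
    tmp=$(mktemp) && sample_config > "$tmp" && ubsan_audit "$tmp"; rm -f "$tmp"
fi
```

A BAD line marks a combination that the depends-on lines above rule out, so a .config showing one was edited by hand or is stale against this tree.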