xref: /linux/lib/Kconfig.ubsan (revision 71dfa617ea9f18e4585fe78364217cd32b1fc382)
1# SPDX-License-Identifier: GPL-2.0-only
2config ARCH_HAS_UBSAN
3	bool
4
5menuconfig UBSAN
6	bool "Undefined behaviour sanity checker"
7	help
8	  This option enables the Undefined Behaviour sanity checker.
9	  Compile-time instrumentation is used to detect various undefined
10	  behaviours at runtime. For more details, see:
11	  Documentation/dev-tools/ubsan.rst
12
13if UBSAN
14
15config UBSAN_TRAP
16	bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
17	depends on !COMPILE_TEST
18	help
19	  Building kernels with Sanitizer features enabled tends to grow
20	  the kernel size by around 5%, due to adding all the debugging
21	  text on failure paths. To avoid this, Sanitizer instrumentation
22	  can just issue a trap. This reduces the kernel size overhead but
23	  turns all warnings (including potentially harmless conditions)
24	  into full exceptions that abort the running kernel code
25	  (regardless of context, locks held, etc), which may destabilize
26	  the system. For some system builders this is an acceptable
27	  trade-off.
28
29	  Also note that selecting Y will cause your kernel to Oops
30	  with an "illegal instruction" error with no further details
31	  when a UBSAN violation occurs. (Except on arm64, which will
32	  report which Sanitizer failed.) This may make it hard to
33	  determine whether an Oops was caused by UBSAN or to figure
34	  out the details of a UBSAN violation. It makes the kernel log
35	  output less useful for bug reports.
36
37config CC_HAS_UBSAN_BOUNDS_STRICT
38	def_bool $(cc-option,-fsanitize=bounds-strict)
39	help
40	  The -fsanitize=bounds-strict option is only available on GCC,
41	  but uses the more strict handling of arrays that includes knowledge
42	  of flexible arrays, which is comparable to Clang's regular
43	  -fsanitize=bounds.
44
45config CC_HAS_UBSAN_ARRAY_BOUNDS
46	def_bool $(cc-option,-fsanitize=array-bounds)
47	help
48	  Under Clang, the -fsanitize=bounds option is actually composed
49	  of two more specific options, -fsanitize=array-bounds and
50	  -fsanitize=local-bounds. However, -fsanitize=local-bounds can
51	  only be used when trap mode is enabled. (See also the help for
52	  CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
53	  so that we can build up the options needed for UBSAN_BOUNDS
54	  with or without UBSAN_TRAP.
55
56config UBSAN_BOUNDS
57	bool "Perform array index bounds checking"
58	default UBSAN
59	depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
60	help
61	  This option enables detection of directly indexed out of bounds
62	  array accesses, where the array size is known at compile time.
63	  Note that this does not protect array overflows via bad calls
64	  to the {str,mem}*cpy() family of functions (that is addressed
65	  by CONFIG_FORTIFY_SOURCE).
66
67config UBSAN_BOUNDS_STRICT
68	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
69	help
70	  GCC's bounds sanitizer. This option is used to select the
71	  correct options in Makefile.ubsan.
72
73config UBSAN_ARRAY_BOUNDS
74	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
75	help
76	  Clang's array bounds sanitizer. This option is used to select
77	  the correct options in Makefile.ubsan.
78
79config UBSAN_LOCAL_BOUNDS
80	def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
81	help
82	  This option enables Clang's -fsanitize=local-bounds which traps
83	  when an access through a pointer that is derived from an object
84	  of a statically-known size, where an added offset (which may not
85	  be known statically) is out-of-bounds. Since this option is
86	  trap-only, it depends on CONFIG_UBSAN_TRAP.
87
88config UBSAN_SHIFT
89	bool "Perform checking for bit-shift overflows"
90	depends on $(cc-option,-fsanitize=shift)
91	help
92	  This option enables -fsanitize=shift which checks for bit-shift
93	  operations that overflow to the left or go switch to negative
94	  for signed types.
95
96config UBSAN_DIV_ZERO
97	bool "Perform checking for integer divide-by-zero"
98	depends on $(cc-option,-fsanitize=integer-divide-by-zero)
99	# https://github.com/ClangBuiltLinux/linux/issues/1657
100	# https://github.com/llvm/llvm-project/issues/56289
101	depends on !CC_IS_CLANG
102	help
103	  This option enables -fsanitize=integer-divide-by-zero which checks
104	  for integer division by zero. This is effectively redundant with the
105	  kernel's existing exception handling, though it can provide greater
106	  debugging information under CONFIG_UBSAN_REPORT_FULL.
107
108config UBSAN_UNREACHABLE
109	bool "Perform checking for unreachable code"
110	# objtool already handles unreachable checking and gets angry about
111	# seeing UBSan instrumentation located in unreachable places.
112	depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
113	depends on $(cc-option,-fsanitize=unreachable)
114	help
115	  This option enables -fsanitize=unreachable which checks for control
116	  flow reaching an expected-to-be-unreachable position.
117
118config UBSAN_SIGNED_WRAP
119	bool "Perform checking for signed arithmetic wrap-around"
120	default UBSAN
121	depends on !COMPILE_TEST
122	# The no_sanitize attribute was introduced in GCC with version 8.
123	depends on !CC_IS_GCC || GCC_VERSION >= 80000
124	depends on $(cc-option,-fsanitize=signed-integer-overflow)
125	help
126	  This option enables -fsanitize=signed-integer-overflow which checks
127	  for wrap-around of any arithmetic operations with signed integers.
128	  This currently performs nearly no instrumentation due to the
129	  kernel's use of -fno-strict-overflow which converts all would-be
130	  arithmetic undefined behavior into wrap-around arithmetic. Future
131	  sanitizer versions will allow for wrap-around checking (rather than
132	  exclusively undefined behavior).
133
134config UBSAN_BOOL
135	bool "Perform checking for non-boolean values used as boolean"
136	default UBSAN
137	depends on $(cc-option,-fsanitize=bool)
138	help
139	  This option enables -fsanitize=bool which checks for boolean values being
140	  loaded that are neither 0 nor 1.
141
142config UBSAN_ENUM
143	bool "Perform checking for out of bounds enum values"
144	default UBSAN
145	depends on $(cc-option,-fsanitize=enum)
146	help
147	  This option enables -fsanitize=enum which checks for values being loaded
148	  into an enum that are outside the range of given values for the given enum.
149
150config UBSAN_ALIGNMENT
151	bool "Perform checking for misaligned pointer usage"
152	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
153	depends on !UBSAN_TRAP && !COMPILE_TEST
154	depends on $(cc-option,-fsanitize=alignment)
155	help
156	  This option enables the check of unaligned memory accesses.
157	  Enabling this option on architectures that support unaligned
158	  accesses may produce a lot of false positives.
159
160config TEST_UBSAN
161	tristate "Module for testing for undefined behavior detection"
162	depends on m
163	help
164	  This is a test module for UBSAN.
165	  It triggers various undefined behavior, and detect it.
166
167endif	# if UBSAN
168