xref: /linux/lib/Kconfig.ubsan (revision e724e7aaf9ca794670a4d4931af7a7e24e37fec3)
1# SPDX-License-Identifier: GPL-2.0-only
2config ARCH_HAS_UBSAN_SANITIZE_ALL
3	bool
4
5menuconfig UBSAN
6	bool "Undefined behaviour sanity checker"
7	help
8	  This option enables the Undefined Behaviour sanity checker.
9	  Compile-time instrumentation is used to detect various undefined
10	  behaviours at runtime. For more details, see:
11	  Documentation/dev-tools/ubsan.rst
12
13if UBSAN
14
15config UBSAN_TRAP
16	bool "On Sanitizer warnings, abort the running kernel code"
17	depends on !COMPILE_TEST
18	help
19	  Building kernels with Sanitizer features enabled tends to grow
20	  the kernel size by around 5%, due to adding all the debugging
21	  text on failure paths. To avoid this, Sanitizer instrumentation
22	  can just issue a trap. This reduces the kernel size overhead but
23	  turns all warnings (including potentially harmless conditions)
24	  into full exceptions that abort the running kernel code
25	  (regardless of context, locks held, etc), which may destabilize
26	  the system. For some system builders this is an acceptable
27	  trade-off.
28
29config CC_HAS_UBSAN_BOUNDS_STRICT
30	def_bool $(cc-option,-fsanitize=bounds-strict)
31	help
32	  The -fsanitize=bounds-strict option is only available on GCC,
33	  but uses the more strict handling of arrays that includes knowledge
34	  of flexible arrays, which is comparable to Clang's regular
35	  -fsanitize=bounds.
36
37config CC_HAS_UBSAN_ARRAY_BOUNDS
38	def_bool $(cc-option,-fsanitize=array-bounds)
39	help
40	  Under Clang, the -fsanitize=bounds option is actually composed
41	  of two more specific options, -fsanitize=array-bounds and
42	  -fsanitize=local-bounds. However, -fsanitize=local-bounds can
43	  only be used when trap mode is enabled. (See also the help for
44	  CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
45	  so that we can build up the options needed for UBSAN_BOUNDS
46	  with or without UBSAN_TRAP.
47
48config UBSAN_BOUNDS
49	bool "Perform array index bounds checking"
50	default UBSAN
51	depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
52	help
53	  This option enables detection of directly indexed out of bounds
54	  array accesses, where the array size is known at compile time.
55	  Note that this does not protect array overflows via bad calls
56	  to the {str,mem}*cpy() family of functions (that is addressed
57	  by CONFIG_FORTIFY_SOURCE).
58
59config UBSAN_BOUNDS_STRICT
60	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
61	help
62	  GCC's bounds sanitizer. This option is used to select the
63	  correct options in Makefile.ubsan.
64
65config UBSAN_ARRAY_BOUNDS
66	def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
67	help
68	  Clang's array bounds sanitizer. This option is used to select
69	  the correct options in Makefile.ubsan.
70
71config UBSAN_LOCAL_BOUNDS
72	def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
73	help
74	  This option enables Clang's -fsanitize=local-bounds which traps
75	  when an access through a pointer that is derived from an object
76	  of a statically-known size, where an added offset (which may not
77	  be known statically) is out-of-bounds. Since this option is
78	  trap-only, it depends on CONFIG_UBSAN_TRAP.
79
80config UBSAN_SHIFT
81	bool "Perform checking for bit-shift overflows"
82	default UBSAN
83	depends on $(cc-option,-fsanitize=shift)
84	help
85	  This option enables -fsanitize=shift which checks for bit-shift
86	  operations that overflow to the left or go switch to negative
87	  for signed types.
88
89config UBSAN_DIV_ZERO
90	bool "Perform checking for integer divide-by-zero"
91	depends on $(cc-option,-fsanitize=integer-divide-by-zero)
92	# https://github.com/ClangBuiltLinux/linux/issues/1657
93	# https://github.com/llvm/llvm-project/issues/56289
94	depends on !CC_IS_CLANG
95	help
96	  This option enables -fsanitize=integer-divide-by-zero which checks
97	  for integer division by zero. This is effectively redundant with the
98	  kernel's existing exception handling, though it can provide greater
99	  debugging information under CONFIG_UBSAN_REPORT_FULL.
100
101config UBSAN_UNREACHABLE
102	bool "Perform checking for unreachable code"
103	# objtool already handles unreachable checking and gets angry about
104	# seeing UBSan instrumentation located in unreachable places.
105	depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
106	depends on $(cc-option,-fsanitize=unreachable)
107	help
108	  This option enables -fsanitize=unreachable which checks for control
109	  flow reaching an expected-to-be-unreachable position.
110
111config UBSAN_BOOL
112	bool "Perform checking for non-boolean values used as boolean"
113	default UBSAN
114	depends on $(cc-option,-fsanitize=bool)
115	help
116	  This option enables -fsanitize=bool which checks for boolean values being
117	  loaded that are neither 0 nor 1.
118
119config UBSAN_ENUM
120	bool "Perform checking for out of bounds enum values"
121	default UBSAN
122	depends on $(cc-option,-fsanitize=enum)
123	help
124	  This option enables -fsanitize=enum which checks for values being loaded
125	  into an enum that are outside the range of given values for the given enum.
126
127config UBSAN_ALIGNMENT
128	bool "Perform checking for misaligned pointer usage"
129	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
130	depends on !UBSAN_TRAP && !COMPILE_TEST
131	depends on $(cc-option,-fsanitize=alignment)
132	help
133	  This option enables the check of unaligned memory accesses.
134	  Enabling this option on architectures that support unaligned
135	  accesses may produce a lot of false positives.
136
137config UBSAN_SANITIZE_ALL
138	bool "Enable instrumentation for the entire kernel"
139	depends on ARCH_HAS_UBSAN_SANITIZE_ALL
140	default y
141	help
142	  This option activates instrumentation for the entire kernel.
143	  If you don't enable this option, you have to explicitly specify
144	  UBSAN_SANITIZE := y for the files/directories you want to check for UB.
145	  Enabling this option will get kernel image size increased
146	  significantly.
147
148config TEST_UBSAN
149	tristate "Module for testing for undefined behavior detection"
150	depends on m
151	help
152	  This is a test module for UBSAN.
153	  It triggers various undefined behavior, and detect it.
154
155endif	# if UBSAN
156