2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-18 02:04:05 +08:00
linux-next/lib/Kconfig.ubsan
Kees Cook 277a10850f ubsan: split "bounds" checker from other options
In order to do kernel builds with the bounds checker individually
available, introduce CONFIG_UBSAN_BOUNDS, with the remaining options under
CONFIG_UBSAN_MISC.

For example, using this, we can start to expand the coverage syzkaller is
providing.  Right now, all of UBSan is disabled for syzbot builds because
taken as a whole, it is too noisy.  This will let us focus on one feature
at a time.

For the bounds checker specifically, this provides a mechanism to
eliminate an entire class of array overflows with close to zero
performance overhead (I cannot measure a difference).  In my (mostly)
defconfig, enabling bounds checking adds ~4200 checks to the kernel.
Performance changes are in the noise, likely due to the branch predictors
optimizing for the non-fail path.

Some notes on the bounds checker:

- it does not instrument {mem,str}*()-family functions, it only
  instruments direct indexed accesses (e.g. "foo[i]"). Dealing with
  the {mem,str}*()-family functions is a work-in-progress around
  CONFIG_FORTIFY_SOURCE[1].

- it ignores flexible array members, including the very old single
  byte (e.g. "int foo[1];") declarations. (Note that GCC's
  implementation appears to ignore _all_ trailing arrays, but Clang only
  ignores empty, 0, and 1 byte arrays[2].)

[1] https://github.com/KSPP/linux/issues/6
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92589

Suggested-by: Elena Petrova <lenaptr@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Link: http://lkml.kernel.org/r/20200227193516.32566-3-keescook@chromium.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-04-07 10:43:44 -07:00

83 lines
2.9 KiB
Plaintext

# SPDX-License-Identifier: GPL-2.0-only
config ARCH_HAS_UBSAN_SANITIZE_ALL
bool
menuconfig UBSAN
bool "Undefined behaviour sanity checker"
help
This option enables the Undefined Behaviour sanity checker.
Compile-time instrumentation is used to detect various undefined
behaviours at runtime. For more details, see:
Documentation/dev-tools/ubsan.rst
if UBSAN
config UBSAN_TRAP
bool "On Sanitizer warnings, abort the running kernel code"
depends on $(cc-option, -fsanitize-undefined-trap-on-error)
help
Building kernels with Sanitizer features enabled tends to grow
the kernel size by around 5%, due to adding all the debugging
text on failure paths. To avoid this, Sanitizer instrumentation
can just issue a trap. This reduces the kernel size overhead but
turns all warnings (including potentially harmless conditions)
into full exceptions that abort the running kernel code
(regardless of context, locks held, etc), which may destabilize
the system. For some system builders this is an acceptable
trade-off.
config UBSAN_BOUNDS
bool "Perform array index bounds checking"
default UBSAN
help
This option enables detection of directly indexed out of bounds
array accesses, where the array size is known at compile time.
Note that this does not protect array overflows via bad calls
to the {str,mem}*cpy() family of functions (that is addressed
by CONFIG_FORTIFY_SOURCE).
config UBSAN_MISC
bool "Enable all other Undefined Behavior sanity checks"
default UBSAN
help
This option enables all sanity checks that don't have their
own Kconfig options. Disable this if you only want to have
individually selected checks.
config UBSAN_SANITIZE_ALL
bool "Enable instrumentation for the entire kernel"
depends on ARCH_HAS_UBSAN_SANITIZE_ALL
# We build with -Wno-maybe-uninitilzed, but we still want to
# use -Wmaybe-uninitilized in allmodconfig builds.
# So dependsy bellow used to disable this option in allmodconfig
depends on !COMPILE_TEST
default y
help
This option activates instrumentation for the entire kernel.
If you don't enable this option, you have to explicitly specify
UBSAN_SANITIZE := y for the files/directories you want to check for UB.
Enabling this option will get kernel image size increased
significantly.
config UBSAN_NO_ALIGNMENT
bool "Disable checking of pointers alignment"
default y if HAVE_EFFICIENT_UNALIGNED_ACCESS
help
This option disables the check of unaligned memory accesses.
This option should be used when building allmodconfig.
Disabling this option on architectures that support unaligned
accesses may produce a lot of false positives.
config UBSAN_ALIGNMENT
def_bool !UBSAN_NO_ALIGNMENT
config TEST_UBSAN
tristate "Module for testing for undefined behavior detection"
depends on m
help
This is a test module for UBSAN.
It triggers various undefined behavior, and detect it.
endif # if UBSAN