1 # SPDX-License-Identifier: GPL-2.0-only
2 config ARCH_HAS_UBSAN_SANITIZE_ALL
6 bool "Undefined behaviour sanity checker"
8 This option enables the Undefined Behaviour sanity checker.
9 Compile-time instrumentation is used to detect various undefined
10 behaviours at runtime. For more details, see:
11 Documentation/dev-tools/ubsan.rst
16 bool "Abort on Sanitizer warnings (smaller kernel but less verbose)"
17 depends on !COMPILE_TEST
19 Building kernels with Sanitizer features enabled tends to grow
20 the kernel size by around 5%, due to adding all the debugging
21 text on failure paths. To avoid this, Sanitizer instrumentation
22 can just issue a trap. This reduces the kernel size overhead but
23 turns all warnings (including potentially harmless conditions)
24 into full exceptions that abort the running kernel code
25 (regardless of context, locks held, etc), which may destabilize
26 the system. For some system builders this is an acceptable
29 Also note that selecting Y will cause your kernel to Oops
30 with an "illegal instruction" error with no further details
31 when a UBSAN violation occurs. (Except on arm64, which will
32 report which Sanitizer failed.) This may make it hard to
33 determine whether an Oops was caused by UBSAN or to figure
34 out the details of a UBSAN violation. It makes the kernel log
35 output less useful for bug reports.
37 config CC_HAS_UBSAN_BOUNDS_STRICT
38 def_bool $(cc-option,-fsanitize=bounds-strict)
40 The -fsanitize=bounds-strict option is only available on GCC,
41 but uses the more strict handling of arrays that includes knowledge
42 of flexible arrays, which is comparable to Clang's regular
45 config CC_HAS_UBSAN_ARRAY_BOUNDS
46 def_bool $(cc-option,-fsanitize=array-bounds)
48 Under Clang, the -fsanitize=bounds option is actually composed
49 of two more specific options, -fsanitize=array-bounds and
50 -fsanitize=local-bounds. However, -fsanitize=local-bounds can
51 only be used when trap mode is enabled. (See also the help for
52 CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds
53 so that we can build up the options needed for UBSAN_BOUNDS
54 with or without UBSAN_TRAP.
57 bool "Perform array index bounds checking"
59 depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT
61 This option enables detection of directly indexed out of bounds
62 array accesses, where the array size is known at compile time.
63 Note that this does not protect array overflows via bad calls
64 to the {str,mem}*cpy() family of functions (that is addressed
65 by CONFIG_FORTIFY_SOURCE).
67 config UBSAN_BOUNDS_STRICT
68 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT
70 GCC's bounds sanitizer. This option is used to select the
71 correct options in Makefile.ubsan.
73 config UBSAN_ARRAY_BOUNDS
74 def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS
76 Clang's array bounds sanitizer. This option is used to select
77 the correct options in Makefile.ubsan.
79 config UBSAN_LOCAL_BOUNDS
80 def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP
82 This option enables Clang's -fsanitize=local-bounds which traps
83 when an access through a pointer that is derived from an object
84 of a statically-known size, where an added offset (which may not
85 be known statically) is out-of-bounds. Since this option is
86 trap-only, it depends on CONFIG_UBSAN_TRAP.
89 bool "Perform checking for bit-shift overflows"
91 depends on $(cc-option,-fsanitize=shift)
93 This option enables -fsanitize=shift which checks for bit-shift
94 operations that overflow to the left or go switch to negative
98 bool "Perform checking for integer divide-by-zero"
99 depends on $(cc-option,-fsanitize=integer-divide-by-zero)
100 # https://github.com/ClangBuiltLinux/linux/issues/1657
101 # https://github.com/llvm/llvm-project/issues/56289
102 depends on !CC_IS_CLANG
104 This option enables -fsanitize=integer-divide-by-zero which checks
105 for integer division by zero. This is effectively redundant with the
106 kernel's existing exception handling, though it can provide greater
107 debugging information under CONFIG_UBSAN_REPORT_FULL.
109 config UBSAN_UNREACHABLE
110 bool "Perform checking for unreachable code"
111 # objtool already handles unreachable checking and gets angry about
112 # seeing UBSan instrumentation located in unreachable places.
113 depends on !(OBJTOOL && (STACK_VALIDATION || UNWINDER_ORC || HAVE_UACCESS_VALIDATION))
114 depends on $(cc-option,-fsanitize=unreachable)
116 This option enables -fsanitize=unreachable which checks for control
117 flow reaching an expected-to-be-unreachable position.
120 bool "Perform checking for non-boolean values used as boolean"
122 depends on $(cc-option,-fsanitize=bool)
124 This option enables -fsanitize=bool which checks for boolean values being
125 loaded that are neither 0 nor 1.
128 bool "Perform checking for out of bounds enum values"
130 depends on $(cc-option,-fsanitize=enum)
132 This option enables -fsanitize=enum which checks for values being loaded
133 into an enum that are outside the range of given values for the given enum.
135 config UBSAN_ALIGNMENT
136 bool "Perform checking for misaligned pointer usage"
137 default !HAVE_EFFICIENT_UNALIGNED_ACCESS
138 depends on !UBSAN_TRAP && !COMPILE_TEST
139 depends on $(cc-option,-fsanitize=alignment)
141 This option enables the check of unaligned memory accesses.
142 Enabling this option on architectures that support unaligned
143 accesses may produce a lot of false positives.
145 config UBSAN_SANITIZE_ALL
146 bool "Enable instrumentation for the entire kernel"
147 depends on ARCH_HAS_UBSAN_SANITIZE_ALL
150 This option activates instrumentation for the entire kernel.
151 If you don't enable this option, you have to explicitly specify
152 UBSAN_SANITIZE := y for the files/directories you want to check for UB.
153 Enabling this option will get kernel image size increased
157 tristate "Module for testing for undefined behavior detection"
160 This is a test module for UBSAN.
161 It triggers various undefined behavior, and detect it.