1# SPDX-License-Identifier: GPL-2.0-only
2config ARCH_HAS_UBSAN_SANITIZE_ALL
3	bool
4
5menuconfig UBSAN
6	bool "Undefined behaviour sanity checker"
7	help
8	  This option enables the Undefined Behaviour sanity checker.
9	  Compile-time instrumentation is used to detect various undefined
10	  behaviours at runtime. For more details, see:
11	  Documentation/dev-tools/ubsan.rst
12
13if UBSAN
14
15config UBSAN_TRAP
16	bool "On Sanitizer warnings, abort the running kernel code"
17	depends on $(cc-option, -fsanitize-undefined-trap-on-error)
18	help
19	  Building kernels with Sanitizer features enabled tends to grow
20	  the kernel size by around 5%, due to adding all the debugging
21	  text on failure paths. To avoid this, Sanitizer instrumentation
22	  can just issue a trap. This reduces the kernel size overhead but
23	  turns all warnings (including potentially harmless conditions)
24	  into full exceptions that abort the running kernel code
25	  (regardless of context, locks held, etc), which may destabilize
26	  the system. For some system builders this is an acceptable
27	  trade-off.
28
29config UBSAN_KCOV_BROKEN
30	def_bool KCOV && CC_HAS_SANCOV_TRACE_PC
31	depends on CC_IS_CLANG
32	depends on !$(cc-option,-Werror=unused-command-line-argument -fsanitize=bounds -fsanitize-coverage=trace-pc)
33	help
34	  Some versions of clang support either UBSAN or KCOV but not the
35	  combination of the two.
36	  See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status
37	  in newer releases.
38
39config UBSAN_BOUNDS
40	bool "Perform array index bounds checking"
41	default UBSAN
42	depends on !UBSAN_KCOV_BROKEN
43	help
44	  This option enables detection of directly indexed out of bounds
45	  array accesses, where the array size is known at compile time.
46	  Note that this does not protect array overflows via bad calls
47	  to the {str,mem}*cpy() family of functions (that is addressed
48	  by CONFIG_FORTIFY_SOURCE).
49
50config UBSAN_LOCAL_BOUNDS
51	bool "Perform array local bounds checking"
52	depends on UBSAN_TRAP
53	depends on CC_IS_CLANG
54	depends on !UBSAN_KCOV_BROKEN
55	help
56	  This option enables -fsanitize=local-bounds which traps when an
57	  exception/error is detected. Therefore, it should be enabled only
58	  if trapping is expected.
59	  Enabling this option detects errors due to accesses through a
60	  pointer that is derived from an object of a statically-known size,
61	  where an added offset (which may not be known statically) is
62	  out-of-bounds.
63
64config UBSAN_MISC
65	bool "Enable all other Undefined Behavior sanity checks"
66	default UBSAN
67	help
68	  This option enables all sanity checks that don't have their
69	  own Kconfig options. Disable this if you only want to have
70	  individually selected checks.
71
72config UBSAN_SANITIZE_ALL
73	bool "Enable instrumentation for the entire kernel"
74	depends on ARCH_HAS_UBSAN_SANITIZE_ALL
75
76	# We build with -Wno-maybe-uninitilzed, but we still want to
77	# use -Wmaybe-uninitilized in allmodconfig builds.
78	# So dependsy bellow used to disable this option in allmodconfig
79	depends on !COMPILE_TEST
80	default y
81	help
82	  This option activates instrumentation for the entire kernel.
83	  If you don't enable this option, you have to explicitly specify
84	  UBSAN_SANITIZE := y for the files/directories you want to check for UB.
85	  Enabling this option will get kernel image size increased
86	  significantly.
87
88config UBSAN_ALIGNMENT
89	bool "Enable checks for pointers alignment"
90	default !HAVE_EFFICIENT_UNALIGNED_ACCESS
91	depends on !UBSAN_TRAP
92	help
93	  This option enables the check of unaligned memory accesses.
94	  Enabling this option on architectures that support unaligned
95	  accesses may produce a lot of false positives.
96
97config TEST_UBSAN
98	tristate "Module for testing for undefined behavior detection"
99	depends on m
100	help
101	  This is a test module for UBSAN.
102	  It triggers various undefined behavior, and detect it.
103
104endif	# if UBSAN
105