ubsan: introduce CONFIG_UBSAN_LOCAL_BOUNDS for Clang

When the kernel is compiled with Clang, -fsanitize=bounds expands to
-fsanitize=array-bounds and -fsanitize=local-bounds.

Enabling -fsanitize=local-bounds with Clang has the unfortunate
side-effect of inserting traps; this goes back to its original intent,
which was as a hardening and not a debugging feature [1].  The same
feature made its way into -fsanitize=bounds, but the traps remained.  For
that reason, -fsanitize=bounds was split into 'array-bounds' and
'local-bounds' [2].

Since 'local-bounds' doesn't behave like a normal sanitizer, enable it
with Clang only if trapping behaviour was requested by
CONFIG_UBSAN_TRAP=y.

Add the UBSAN_BOUNDS_LOCAL config to Kconfig.ubsan to enable the
'local-bounds' option by default when UBSAN_TRAP is enabled.

[1] http://lists.llvm.org/pipermail/llvm-dev/2012-May/049972.html
[2] http://lists.llvm.org/pipermail/cfe-commits/Week-of-Mon-20131021/091536.html

Suggested-by: Marco Elver <elver@google.com>
Signed-off-by: George Popescu <georgepope@android.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: David Brazdil <dbrazdil@google.com>
Reviewed-by: Marco Elver <elver@google.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Michal Marek <michal.lkml@markovi.net>
Cc: Nathan Chancellor <natechancellor@gmail.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: https://lkml.kernel.org/r/20200922074330.2549523-1-georgepope@google.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
George Popescu 2020-10-15 20:13:38 -07:00 committed by Linus Torvalds
parent 5cf53f3ce3
commit 6a6155f664
2 changed files with 23 additions and 1 deletions

View file

@ -47,6 +47,20 @@ config UBSAN_BOUNDS
to the {str,mem}*cpy() family of functions (that is addressed to the {str,mem}*cpy() family of functions (that is addressed
by CONFIG_FORTIFY_SOURCE). by CONFIG_FORTIFY_SOURCE).
config UBSAN_LOCAL_BOUNDS
bool "Perform array local bounds checking"
depends on UBSAN_TRAP
depends on CC_IS_CLANG
depends on !UBSAN_KCOV_BROKEN
help
This option enables -fsanitize=local-bounds which traps when an
exception/error is detected. Therefore, it should be enabled only
if trapping is expected.
Enabling this option detects errors due to accesses through a
pointer that is derived from an object of a statically-known size,
where an added offset (which may not be known statically) is
out-of-bounds.
config UBSAN_MISC config UBSAN_MISC
bool "Enable all other Undefined Behavior sanity checks" bool "Enable all other Undefined Behavior sanity checks"
default UBSAN default UBSAN

View file

@ -4,7 +4,15 @@ ifdef CONFIG_UBSAN_ALIGNMENT
endif endif
ifdef CONFIG_UBSAN_BOUNDS ifdef CONFIG_UBSAN_BOUNDS
CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) ifdef CONFIG_CC_IS_CLANG
CFLAGS_UBSAN += -fsanitize=array-bounds
else
CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
endif
endif
ifdef CONFIG_UBSAN_LOCAL_BOUNDS
CFLAGS_UBSAN += -fsanitize=local-bounds
endif endif
ifdef CONFIG_UBSAN_MISC ifdef CONFIG_UBSAN_MISC