| Message ID | 20250307041914.937329-1-kees@kernel.org (mailing list archive) |
|---|---|
| State | In Next |
| Commit | ed2b548f1017586c44f50654ef9febb42d491f31 |
| Headers | show |
| Series | ubsan/overflow: Enable pattern exclusions | expand |
On Mon, Mar 10, 2025 at 10:54:12AM +0800, kernel test robot wrote: > Hi Kees, > > kernel test robot noticed the following build warnings: > > [auto build test WARNING on kees/for-next/hardening] > [also build test WARNING on masahiroy-kbuild/for-next masahiroy-kbuild/fixes kees/for-next/pstore linus/master v6.14-rc6 next-20250307] > [cannot apply to kees/for-next/kspp] > [If your patch is applied to the wrong git tree, kindly drop us a note. > And when submitting patch, we suggest to use '--base' as documented in > https://git-scm.com/docs/git-format-patch#_base_tree_information] > > url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/ubsan-overflow-Rework-integer-overflow-sanitizer-option-to-turn-on-everything/20250307-122130 > base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening > patch link: https://lore.kernel.org/r/20250307041914.937329-1-kees%40kernel.org > patch subject: [PATCH 1/3] ubsan/overflow: Rework integer overflow sanitizer option to turn on everything > config: s390-randconfig-r112-20250310 (https://download.01.org/0day-ci/archive/20250310/202503101035.rpwDzqYD-lkp@intel.com/config) > compiler: s390-linux-gcc (GCC) 14.2.0 > reproduce: (https://download.01.org/0day-ci/archive/20250310/202503101035.rpwDzqYD-lkp@intel.com/reproduce) > > If you fix the issue in a separate patch/commit (i.e. not just a new version of > the same patch/commit), kindly add following tags > | Reported-by: kernel test robot <lkp@intel.com> > | Closes: https://lore.kernel.org/oe-kbuild-all/202503101035.rpwDzqYD-lkp@intel.com/ > > sparse warnings: (new ones prefixed by >>) > >> lib/test_ubsan.c:62:16: sparse: sparse: cast truncates bits from constant value (7fffffffffffffff becomes ffffffff) > lib/test_ubsan.c:72:18: sparse: sparse: shift count is negative (-1) Can we exclude certain source files from sparse? This whole file is basically an endless series of intentionally bad operations. :) -Kees > > vim +62 lib/test_ubsan.c > > 55 > 56 static void test_ubsan_truncate_signed(void) > 57 { > 58 volatile long val = LONG_MAX; > 59 volatile int val2 = 0; > 60 > 61 UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); > > 62 val2 = val; > 63 } > 64 > > -- > 0-DAY CI Kernel Test Service > https://github.com/intel/lkp-tests/wiki
On Mon, Mar 10, 2025 at 11:12:07AM -0700, Kees Cook wrote: > On Mon, Mar 10, 2025 at 10:54:12AM +0800, kernel test robot wrote: > > Hi Kees, > > > > kernel test robot noticed the following build warnings: > > > > [auto build test WARNING on kees/for-next/hardening] > > [also build test WARNING on masahiroy-kbuild/for-next masahiroy-kbuild/fixes kees/for-next/pstore linus/master v6.14-rc6 next-20250307] > > [cannot apply to kees/for-next/kspp] > > [If your patch is applied to the wrong git tree, kindly drop us a note. > > And when submitting patch, we suggest to use '--base' as documented in > > https://git-scm.com/docs/git-format-patch#_base_tree_information] > > > > url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/ubsan-overflow-Rework-integer-overflow-sanitizer-option-to-turn-on-everything/20250307-122130 > > base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening > > patch link: https://lore.kernel.org/r/20250307041914.937329-1-kees%40kernel.org > > patch subject: [PATCH 1/3] ubsan/overflow: Rework integer overflow sanitizer option to turn on everything > > config: s390-randconfig-r112-20250310 (https://download.01.org/0day-ci/archive/20250310/202503101035.rpwDzqYD-lkp@intel.com/config) > > compiler: s390-linux-gcc (GCC) 14.2.0 > > reproduce: (https://download.01.org/0day-ci/archive/20250310/202503101035.rpwDzqYD-lkp@intel.com/reproduce) > > > > If you fix the issue in a separate patch/commit (i.e. not just a new version of > > the same patch/commit), kindly add following tags > > | Reported-by: kernel test robot <lkp@intel.com> > > | Closes: https://lore.kernel.org/oe-kbuild-all/202503101035.rpwDzqYD-lkp@intel.com/ > > > > sparse warnings: (new ones prefixed by >>) > > >> lib/test_ubsan.c:62:16: sparse: sparse: cast truncates bits from constant value (7fffffffffffffff becomes ffffffff) > > lib/test_ubsan.c:72:18: sparse: sparse: shift count is negative (-1) > > Can we exclude certain source files from sparse? This whole file is > basically an endless series of intentionally bad operations. :) Thanks Kees, got it, I will update the bot to handle this to exclude this file firstly from sparse. > > -Kees > > > > > vim +62 lib/test_ubsan.c > > > > 55 > > 56 static void test_ubsan_truncate_signed(void) > > 57 { > > 58 volatile long val = LONG_MAX; > > 59 volatile int val2 = 0; > > 60 > > 61 UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); > > > 62 val2 = val; > > 63 } > > 64 > > > > -- > > 0-DAY CI Kernel Test Service > > https://github.com/intel/lkp-tests/wiki > > -- > Kees Cook >
On Thu, 6 Mar 2025 at 23:19, Kees Cook <kees@kernel.org> wrote: > > Since we're going to approach integer overflow mitigation a type at a > time, we need to enable all of the associated sanitizers, and then opt > into types one at a time. > > Rename the existing "signed wrap" sanitizer to just the entire topic area: > "integer wrap". Enable the implicit integer truncation sanitizers, with > required callbacks and tests. > > Notably, this requires features (currently) only available in Clang, > so we can depend on the cc-option tests to determine availability > instead of doing version tests. > > Signed-off-by: Kees Cook <kees@kernel.org> > --- > Cc: Justin Stitt <justinstitt@google.com> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Marco Elver <elver@google.com> > Cc: Andrey Konovalov <andreyknvl@gmail.com> > Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> > Cc: Masahiro Yamada <masahiroy@kernel.org> > Cc: Nathan Chancellor <nathan@kernel.org> > Cc: Nicolas Schier <nicolas@fjasle.eu> > Cc: Miguel Ojeda <ojeda@kernel.org> > Cc: Nick Desaulniers <ndesaulniers@google.com> > Cc: Hao Luo <haoluo@google.com> > Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com> > Cc: linux-hardening@vger.kernel.org > Cc: kasan-dev@googlegroups.com > Cc: linux-kbuild@vger.kernel.org > --- > include/linux/compiler_types.h | 2 +- > kernel/configs/hardening.config | 2 +- > lib/Kconfig.ubsan | 23 +++++++++++------------ > lib/test_ubsan.c | 18 ++++++++++++++---- > lib/ubsan.c | 28 ++++++++++++++++++++++++++-- > lib/ubsan.h | 8 ++++++++ > scripts/Makefile.lib | 4 ++-- > scripts/Makefile.ubsan | 8 ++++++-- > 8 files changed, 69 insertions(+), 24 deletions(-) > > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h > index f59393464ea7..4ad3e900bc3d 100644 > --- a/include/linux/compiler_types.h > +++ b/include/linux/compiler_types.h > @@ -360,7 +360,7 @@ struct ftrace_likely_data { > #endif > > /* Do not trap wrapping arithmetic within an annotated function. */ > -#ifdef CONFIG_UBSAN_SIGNED_WRAP > +#ifdef CONFIG_UBSAN_INTEGER_WRAP > # define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow"))) > #else > # define __signed_wrap > diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config > index 3fabb8f55ef6..dd7c32fb5ac1 100644 > --- a/kernel/configs/hardening.config > +++ b/kernel/configs/hardening.config > @@ -46,7 +46,7 @@ CONFIG_UBSAN_BOUNDS=y > # CONFIG_UBSAN_SHIFT is not set > # CONFIG_UBSAN_DIV_ZERO is not set > # CONFIG_UBSAN_UNREACHABLE is not set > -# CONFIG_UBSAN_SIGNED_WRAP is not set > +# CONFIG_UBSAN_INTEGER_WRAP is not set > # CONFIG_UBSAN_BOOL is not set > # CONFIG_UBSAN_ENUM is not set > # CONFIG_UBSAN_ALIGNMENT is not set > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > index 1d4aa7a83b3a..63e5622010e0 100644 > --- a/lib/Kconfig.ubsan > +++ b/lib/Kconfig.ubsan > @@ -116,21 +116,20 @@ config UBSAN_UNREACHABLE > This option enables -fsanitize=unreachable which checks for control > flow reaching an expected-to-be-unreachable position. > > -config UBSAN_SIGNED_WRAP > - bool "Perform checking for signed arithmetic wrap-around" > +config UBSAN_INTEGER_WRAP > + bool "Perform checking for integer arithmetic wrap-around" > default UBSAN > depends on !COMPILE_TEST > - # The no_sanitize attribute was introduced in GCC with version 8. > - depends on !CC_IS_GCC || GCC_VERSION >= 80000 > depends on $(cc-option,-fsanitize=signed-integer-overflow) > - help > - This option enables -fsanitize=signed-integer-overflow which checks > - for wrap-around of any arithmetic operations with signed integers. > - This currently performs nearly no instrumentation due to the > - kernel's use of -fno-strict-overflow which converts all would-be > - arithmetic undefined behavior into wrap-around arithmetic. Future > - sanitizer versions will allow for wrap-around checking (rather than > - exclusively undefined behavior). > + depends on $(cc-option,-fsanitize=unsigned-integer-overflow) > + depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) > + depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) Can these be in 1 cc-option? I know it might look slightly more ugly, but having 3 different ones will shell out to the compiler 3 times, which is a little less efficient. At some point it might noticeably increase the build initialization latency.
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index f59393464ea7..4ad3e900bc3d 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -360,7 +360,7 @@ struct ftrace_likely_data { #endif /* Do not trap wrapping arithmetic within an annotated function. */ -#ifdef CONFIG_UBSAN_SIGNED_WRAP +#ifdef CONFIG_UBSAN_INTEGER_WRAP # define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow"))) #else # define __signed_wrap diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index 3fabb8f55ef6..dd7c32fb5ac1 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -46,7 +46,7 @@ CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set -# CONFIG_UBSAN_SIGNED_WRAP is not set +# CONFIG_UBSAN_INTEGER_WRAP is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 1d4aa7a83b3a..63e5622010e0 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -116,21 +116,20 @@ config UBSAN_UNREACHABLE This option enables -fsanitize=unreachable which checks for control flow reaching an expected-to-be-unreachable position. -config UBSAN_SIGNED_WRAP - bool "Perform checking for signed arithmetic wrap-around" +config UBSAN_INTEGER_WRAP + bool "Perform checking for integer arithmetic wrap-around" default UBSAN depends on !COMPILE_TEST - # The no_sanitize attribute was introduced in GCC with version 8. - depends on !CC_IS_GCC || GCC_VERSION >= 80000 depends on $(cc-option,-fsanitize=signed-integer-overflow) - help - This option enables -fsanitize=signed-integer-overflow which checks - for wrap-around of any arithmetic operations with signed integers. - This currently performs nearly no instrumentation due to the - kernel's use of -fno-strict-overflow which converts all would-be - arithmetic undefined behavior into wrap-around arithmetic. Future - sanitizer versions will allow for wrap-around checking (rather than - exclusively undefined behavior). + depends on $(cc-option,-fsanitize=unsigned-integer-overflow) + depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) + depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) + help + This option enables all of the sanitizers involved in integer overflow + (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow, + implicit-signed-integer-truncation, and implicit-unsigned-integer-truncation. + This is currently limited only to the size_t type while testing and + compiler development continues. config UBSAN_BOOL bool "Perform checking for non-boolean values used as boolean" diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 5d7b10e98610..8772e5edaa4f 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c @@ -15,7 +15,7 @@ static void test_ubsan_add_overflow(void) { volatile int val = INT_MAX; - UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); val += 2; } @@ -24,7 +24,7 @@ static void test_ubsan_sub_overflow(void) volatile int val = INT_MIN; volatile int val2 = 2; - UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); val -= val2; } @@ -32,7 +32,7 @@ static void test_ubsan_mul_overflow(void) { volatile int val = INT_MAX / 2; - UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); val *= 3; } @@ -40,7 +40,7 @@ static void test_ubsan_negate_overflow(void) { volatile int val = INT_MIN; - UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); val = -val; } @@ -53,6 +53,15 @@ static void test_ubsan_divrem_overflow(void) val /= val2; } +static void test_ubsan_truncate_signed(void) +{ + volatile long val = LONG_MAX; + volatile int val2 = 0; + + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); + val2 = val; +} + static void test_ubsan_shift_out_of_bounds(void) { volatile int neg = -1, wrap = 4; @@ -127,6 +136,7 @@ static const test_ubsan_fp test_ubsan_array[] = { test_ubsan_sub_overflow, test_ubsan_mul_overflow, test_ubsan_negate_overflow, + test_ubsan_truncate_signed, test_ubsan_shift_out_of_bounds, test_ubsan_out_of_bounds, test_ubsan_load_invalid_value, diff --git a/lib/ubsan.c b/lib/ubsan.c index a1c983d148f1..cdc1d31c3821 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c @@ -44,7 +44,7 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type) case ubsan_shift_out_of_bounds: return "UBSAN: shift out of bounds"; #endif -#if defined(CONFIG_UBSAN_DIV_ZERO) || defined(CONFIG_UBSAN_SIGNED_WRAP) +#if defined(CONFIG_UBSAN_DIV_ZERO) || defined(CONFIG_UBSAN_INTEGER_WRAP) /* * SanitizerKind::IntegerDivideByZero and * SanitizerKind::SignedIntegerOverflow emit @@ -79,7 +79,7 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type) case ubsan_type_mismatch: return "UBSAN: type mismatch"; #endif -#ifdef CONFIG_UBSAN_SIGNED_WRAP +#ifdef CONFIG_UBSAN_INTEGER_WRAP /* * SanitizerKind::SignedIntegerOverflow emits * SanitizerHandler::AddOverflow, SanitizerHandler::SubOverflow, @@ -303,6 +303,30 @@ void __ubsan_handle_negate_overflow(void *_data, void *old_val) } EXPORT_SYMBOL(__ubsan_handle_negate_overflow); +void __ubsan_handle_implicit_conversion(void *_data, void *from_val, void *to_val) +{ + struct implicit_conversion_data *data = _data; + char from_val_str[VALUE_LENGTH]; + char to_val_str[VALUE_LENGTH]; + + if (suppress_report(&data->location)) + return; + + val_to_string(from_val_str, sizeof(from_val_str), data->from_type, from_val); + val_to_string(to_val_str, sizeof(to_val_str), data->to_type, to_val); + + ubsan_prologue(&data->location, "implicit-conversion"); + + pr_err("cannot represent %s value %s during %s %s, truncated to %s\n", + data->from_type->type_name, + from_val_str, + type_check_kinds[data->type_check_kind], + data->to_type->type_name, + to_val_str); + + ubsan_epilogue(); +} +EXPORT_SYMBOL(__ubsan_handle_implicit_conversion); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs) { diff --git a/lib/ubsan.h b/lib/ubsan.h index 07e37d4429b4..b37e22374e77 100644 --- a/lib/ubsan.h +++ b/lib/ubsan.h @@ -62,6 +62,13 @@ struct overflow_data { struct type_descriptor *type; }; +struct implicit_conversion_data { + struct source_location location; + struct type_descriptor *from_type; + struct type_descriptor *to_type; + unsigned char type_check_kind; +}; + struct type_mismatch_data { struct source_location location; struct type_descriptor *type; @@ -142,6 +149,7 @@ void ubsan_linkage __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs) void ubsan_linkage __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs); void ubsan_linkage __ubsan_handle_negate_overflow(void *_data, void *old_val); void ubsan_linkage __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs); +void ubsan_linkage __ubsan_handle_implicit_conversion(void *_data, void *lhs, void *rhs); void ubsan_linkage __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *ptr); void ubsan_linkage __ubsan_handle_type_mismatch_v1(void *_data, void *ptr); void ubsan_linkage __ubsan_handle_out_of_bounds(void *_data, void *index); diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index cad20f0e66ee..981d14ef9db2 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -166,8 +166,8 @@ _c_flags += $(if $(patsubst n%,, \ $(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_SANITIZE)$(is-kernel-object)), \ $(CFLAGS_UBSAN)) _c_flags += $(if $(patsubst n%,, \ - $(UBSAN_SIGNED_WRAP_$(target-stem).o)$(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_SIGNED_WRAP)$(UBSAN_SANITIZE)$(is-kernel-object)), \ - $(CFLAGS_UBSAN_SIGNED_WRAP)) + $(UBSAN_INTEGER_WRAP_$(target-stem).o)$(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_INTEGER_WRAP)$(UBSAN_SANITIZE)$(is-kernel-object)), \ + $(CFLAGS_UBSAN_INTEGER_WRAP)) endif ifeq ($(CONFIG_KCOV),y) diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index b2d3b273b802..4fad9afed24c 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -14,5 +14,9 @@ ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined export CFLAGS_UBSAN := $(ubsan-cflags-y) -ubsan-signed-wrap-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow -export CFLAGS_UBSAN_SIGNED_WRAP := $(ubsan-signed-wrap-cflags-y) +ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ + -fsanitize=signed-integer-overflow \ + -fsanitize=unsigned-integer-overflow \ + -fsanitize=implicit-signed-integer-truncation \ + -fsanitize=implicit-unsigned-integer-truncation +export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y)
Since we're going to approach integer overflow mitigation a type at a time, we need to enable all of the associated sanitizers, and then opt into types one at a time. Rename the existing "signed wrap" sanitizer to just the entire topic area: "integer wrap". Enable the implicit integer truncation sanitizers, with required callbacks and tests. Notably, this requires features (currently) only available in Clang, so we can depend on the cc-option tests to determine availability instead of doing version tests. Signed-off-by: Kees Cook <kees@kernel.org> --- Cc: Justin Stitt <justinstitt@google.com> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Marco Elver <elver@google.com> Cc: Andrey Konovalov <andreyknvl@gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Nathan Chancellor <nathan@kernel.org> Cc: Nicolas Schier <nicolas@fjasle.eu> Cc: Miguel Ojeda <ojeda@kernel.org> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Hao Luo <haoluo@google.com> Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com> Cc: linux-hardening@vger.kernel.org Cc: kasan-dev@googlegroups.com Cc: linux-kbuild@vger.kernel.org --- include/linux/compiler_types.h | 2 +- kernel/configs/hardening.config | 2 +- lib/Kconfig.ubsan | 23 +++++++++++------------ lib/test_ubsan.c | 18 ++++++++++++++---- lib/ubsan.c | 28 ++++++++++++++++++++++++++-- lib/ubsan.h | 8 ++++++++ scripts/Makefile.lib | 4 ++-- scripts/Makefile.ubsan | 8 ++++++-- 8 files changed, 69 insertions(+), 24 deletions(-)