| Message ID | 20230302225444.never.053-kees@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ubsan: Tighten UBSAN_BOUNDS on GCC | expand |
On Thu, Mar 02, 2023 at 02:54:45PM -0800, Kees Cook wrote: > The use of -fsanitize=bounds on GCC will ignore some trailing arrays, > leaving a gap in coverage. Switch to using -fsanitize=bounds-strict to > match Clang's stricter behavior. > > Cc: Marco Elver <elver@google.com> > Cc: Masahiro Yamada <masahiroy@kernel.org> > Cc: Nathan Chancellor <nathan@kernel.org> > Cc: Nick Desaulniers <ndesaulniers@google.com> > Cc: Nicolas Schier <nicolas@fjasle.eu> > Cc: Tom Rix <trix@redhat.com> > Cc: Josh Poimboeuf <jpoimboe@kernel.org> > Cc: Miroslav Benes <mbenes@suse.cz> > Cc: linux-kbuild@vger.kernel.org > Cc: llvm@lists.linux.dev > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > lib/Kconfig.ubsan | 54 +++++++++++++++++++++++------------------- > scripts/Makefile.ubsan | 2 +- > 2 files changed, 30 insertions(+), 26 deletions(-) > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > index fd15230a703b..9d3e87a0b6d1 100644 > --- a/lib/Kconfig.ubsan > +++ b/lib/Kconfig.ubsan > @@ -27,16 +27,27 @@ config UBSAN_TRAP > the system. For some system builders this is an acceptable > trade-off. > > -config CC_HAS_UBSAN_BOUNDS > - def_bool $(cc-option,-fsanitize=bounds) > +config CC_HAS_UBSAN_BOUNDS_STRICT > + def_bool $(cc-option,-fsanitize=bounds-strict) > + help > + The -fsanitize=bounds-strict option is only available on GCC, > + but uses the more strict handling of arrays that includes knowledge > + of flexible arrays, which is comparable to Clang's regular > + -fsanitize=bounds. > > config CC_HAS_UBSAN_ARRAY_BOUNDS > def_bool $(cc-option,-fsanitize=array-bounds) > + help > + The -fsanitize=array-bounds option is only available on Clang, > + and is actually composed of two more specific options, > + -fsanitize=array-bounds and -fsanitize=local-bounds. However, > + -fsanitize=local-bounds can only be used when trap mode is > + enabled. (See also the help for CONFIG_LOCAL_BOUNDS.) The first sentence does not read right to me, you have array-bounds twice. I think the first one wants to be just bounds? > config UBSAN_BOUNDS > bool "Perform array index bounds checking" > default UBSAN > - depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS > + depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT > help > This option enables detection of directly indexed out of bounds > array accesses, where the array size is known at compile time. > @@ -44,33 +55,26 @@ config UBSAN_BOUNDS > to the {str,mem}*cpy() family of functions (that is addressed > by CONFIG_FORTIFY_SOURCE). > > -config UBSAN_ONLY_BOUNDS > - def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS > - depends on UBSAN_BOUNDS > +config UBSAN_BOUNDS_STRICT > + def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT > help > - This is a weird case: Clang's -fsanitize=bounds includes > - -fsanitize=local-bounds, but it's trapping-only, so for > - Clang, we must use -fsanitize=array-bounds when we want > - traditional array bounds checking enabled. For GCC, we > - want -fsanitize=bounds. > + GCC's bounds sanitizer. This option is used to select the > + correct options in Makefile.ubsan. > > config UBSAN_ARRAY_BOUNDS > - def_bool CC_HAS_UBSAN_ARRAY_BOUNDS > - depends on UBSAN_BOUNDS > + def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS > + help > + Clang's array bounds sanitizer. This option is used to select > + the correct options in Makefile.ubsan. > > config UBSAN_LOCAL_BOUNDS > - bool "Perform array local bounds checking" > - depends on UBSAN_TRAP > - depends on $(cc-option,-fsanitize=local-bounds) > - help > - This option enables -fsanitize=local-bounds which traps when an > - exception/error is detected. Therefore, it may only be enabled > - with CONFIG_UBSAN_TRAP. > - > - Enabling this option detects errors due to accesses through a > - pointer that is derived from an object of a statically-known size, > - where an added offset (which may not be known statically) is > - out-of-bounds. > + def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP > + help > + This option enables Clang's -fsanitize=local-bounds which traps > + when an access through a pointer that is derived from an object > + of a statically-known size, where an added offset (which may not > + be known statically) is out-of-bounds. Since this option is > + trap-only, it depends on CONFIG_UBSAN_TRAP. > > config UBSAN_SHIFT > bool "Perform checking for bit-shift overflows" > diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan > index 7099c603ff0a..4749865c1b2c 100644 > --- a/scripts/Makefile.ubsan > +++ b/scripts/Makefile.ubsan > @@ -2,7 +2,7 @@ > > # Enable available and selected UBSAN features. > ubsan-cflags-$(CONFIG_UBSAN_ALIGNMENT) += -fsanitize=alignment > -ubsan-cflags-$(CONFIG_UBSAN_ONLY_BOUNDS) += -fsanitize=bounds > +ubsan-cflags-$(CONFIG_UBSAN_BOUNDS_STRICT) += -fsanitize=bounds-strict > ubsan-cflags-$(CONFIG_UBSAN_ARRAY_BOUNDS) += -fsanitize=array-bounds > ubsan-cflags-$(CONFIG_UBSAN_LOCAL_BOUNDS) += -fsanitize=local-bounds > ubsan-cflags-$(CONFIG_UBSAN_SHIFT) += -fsanitize=shift > -- > 2.34.1 >
On Fri, Mar 03, 2023 at 08:44:33AM -0700, Nathan Chancellor wrote: > On Thu, Mar 02, 2023 at 02:54:45PM -0800, Kees Cook wrote: > > [...] > > config CC_HAS_UBSAN_ARRAY_BOUNDS > > def_bool $(cc-option,-fsanitize=array-bounds) > > + help > > + The -fsanitize=array-bounds option is only available on Clang, > > + and is actually composed of two more specific options, > > + -fsanitize=array-bounds and -fsanitize=local-bounds. However, > > + -fsanitize=local-bounds can only be used when trap mode is > > + enabled. (See also the help for CONFIG_LOCAL_BOUNDS.) > > The first sentence does not read right to me, you have array-bounds > twice. I think the first one wants to be just bounds? Oops, yes. I rewrote that a few times and seem to have gotten lost. I think it is better written as: Under Clang, the -fsanitize=bounds option is actually composed of two more specific options, -fsanitize=array-bounds and -fsanitize=local-bounds. However, -fsanitize=local-bounds can only be used when trap mode is enabled. (See also the help for CONFIG_LOCAL_BOUNDS.) Explicitly check for -fsanitize=array-bounds so that we can build up the options needed for UBSAN_BOUNDS with or without UBSAN_TRAP.
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index fd15230a703b..9d3e87a0b6d1 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -27,16 +27,27 @@ config UBSAN_TRAP the system. For some system builders this is an acceptable trade-off. -config CC_HAS_UBSAN_BOUNDS - def_bool $(cc-option,-fsanitize=bounds) +config CC_HAS_UBSAN_BOUNDS_STRICT + def_bool $(cc-option,-fsanitize=bounds-strict) + help + The -fsanitize=bounds-strict option is only available on GCC, + but uses the more strict handling of arrays that includes knowledge + of flexible arrays, which is comparable to Clang's regular + -fsanitize=bounds. config CC_HAS_UBSAN_ARRAY_BOUNDS def_bool $(cc-option,-fsanitize=array-bounds) + help + The -fsanitize=array-bounds option is only available on Clang, + and is actually composed of two more specific options, + -fsanitize=array-bounds and -fsanitize=local-bounds. However, + -fsanitize=local-bounds can only be used when trap mode is + enabled. (See also the help for CONFIG_LOCAL_BOUNDS.) config UBSAN_BOUNDS bool "Perform array index bounds checking" default UBSAN - depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS + depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS_STRICT help This option enables detection of directly indexed out of bounds array accesses, where the array size is known at compile time. @@ -44,33 +55,26 @@ config UBSAN_BOUNDS to the {str,mem}*cpy() family of functions (that is addressed by CONFIG_FORTIFY_SOURCE). -config UBSAN_ONLY_BOUNDS - def_bool CC_HAS_UBSAN_BOUNDS && !CC_HAS_UBSAN_ARRAY_BOUNDS - depends on UBSAN_BOUNDS +config UBSAN_BOUNDS_STRICT + def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_BOUNDS_STRICT help - This is a weird case: Clang's -fsanitize=bounds includes - -fsanitize=local-bounds, but it's trapping-only, so for - Clang, we must use -fsanitize=array-bounds when we want - traditional array bounds checking enabled. For GCC, we - want -fsanitize=bounds. + GCC's bounds sanitizer. This option is used to select the + correct options in Makefile.ubsan. config UBSAN_ARRAY_BOUNDS - def_bool CC_HAS_UBSAN_ARRAY_BOUNDS - depends on UBSAN_BOUNDS + def_bool UBSAN_BOUNDS && CC_HAS_UBSAN_ARRAY_BOUNDS + help + Clang's array bounds sanitizer. This option is used to select + the correct options in Makefile.ubsan. config UBSAN_LOCAL_BOUNDS - bool "Perform array local bounds checking" - depends on UBSAN_TRAP - depends on $(cc-option,-fsanitize=local-bounds) - help - This option enables -fsanitize=local-bounds which traps when an - exception/error is detected. Therefore, it may only be enabled - with CONFIG_UBSAN_TRAP. - - Enabling this option detects errors due to accesses through a - pointer that is derived from an object of a statically-known size, - where an added offset (which may not be known statically) is - out-of-bounds. + def_bool UBSAN_ARRAY_BOUNDS && UBSAN_TRAP + help + This option enables Clang's -fsanitize=local-bounds which traps + when an access through a pointer that is derived from an object + of a statically-known size, where an added offset (which may not + be known statically) is out-of-bounds. Since this option is + trap-only, it depends on CONFIG_UBSAN_TRAP. config UBSAN_SHIFT bool "Perform checking for bit-shift overflows" diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 7099c603ff0a..4749865c1b2c 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -2,7 +2,7 @@ # Enable available and selected UBSAN features. ubsan-cflags-$(CONFIG_UBSAN_ALIGNMENT) += -fsanitize=alignment -ubsan-cflags-$(CONFIG_UBSAN_ONLY_BOUNDS) += -fsanitize=bounds +ubsan-cflags-$(CONFIG_UBSAN_BOUNDS_STRICT) += -fsanitize=bounds-strict ubsan-cflags-$(CONFIG_UBSAN_ARRAY_BOUNDS) += -fsanitize=array-bounds ubsan-cflags-$(CONFIG_UBSAN_LOCAL_BOUNDS) += -fsanitize=local-bounds ubsan-cflags-$(CONFIG_UBSAN_SHIFT) += -fsanitize=shift
The use of -fsanitize=bounds on GCC will ignore some trailing arrays, leaving a gap in coverage. Switch to using -fsanitize=bounds-strict to match Clang's stricter behavior. Cc: Marco Elver <elver@google.com> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Nathan Chancellor <nathan@kernel.org> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Nicolas Schier <nicolas@fjasle.eu> Cc: Tom Rix <trix@redhat.com> Cc: Josh Poimboeuf <jpoimboe@kernel.org> Cc: Miroslav Benes <mbenes@suse.cz> Cc: linux-kbuild@vger.kernel.org Cc: llvm@lists.linux.dev Signed-off-by: Kees Cook <keescook@chromium.org> --- lib/Kconfig.ubsan | 54 +++++++++++++++++++++++------------------- scripts/Makefile.ubsan | 2 +- 2 files changed, 30 insertions(+), 26 deletions(-)