From patchwork Mon Jan 29 18:00:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13536175 Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4443076022 for ; Mon, 29 Jan 2024 18:00:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551249; cv=none; b=DTPHjyjKaRRpJJGRLVp+Lyd2BfT0mS2L0jlRavVMEWfvVPD6e5hpxLoVE1ytw8GAPsF45lYVLK8Cl9Y/7ATccHqmhOLXMK6nIfnkF32MuGg+NG8z1MiZ0td7FHoCDrRPtLbF+fR9PvJiIW8Fk1jvo/6RG1jXmP2srk6JlaDnCas= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551249; c=relaxed/simple; bh=yH6x7koGVyqkzXPlS5DuuMQ7rErHxIAyUsPCshZXJqo=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=MctCPxCqQ42liZX3P3HxUpsi0DwWHaQRdDhdBYBJe2UxJq+dVptfziUPkoSmXeZ6y/aaMyuGp/UBDz58egStcLx3HwWYB53a1koqQyp9V3um+640M1/sLjSydYDfxVn8lSJxfkOPtmOLAgARafbxkFFbtBjVCCgR9Oa60zTg09Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=BQOUHIJz; arc=none smtp.client-ip=209.85.214.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="BQOUHIJz" Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-1d8e7ebbbadso6206775ad.3 for ; Mon, 29 Jan 2024 10:00:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706551247; x=1707156047; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=O9sYK7z3WbbgkknvMvwfZX35RqRNyf5Py+2kBlCGv4k=; b=BQOUHIJzk7qIgxq0A48NuWzrXBkZnfWYkpwALRhYZJsy3S4r402LiU83b3Uw9iB+W6 2fy8oiGgfNKqTNELeQr/9IPNBRKSCX8IIeqX4DQVBuGhnlr+VhJ8iuLrFyIJJpS/pbyj Uw2wIRhXe/dDzB+ZIvUMoJIxaEahmAo8HmTgE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706551247; x=1707156047; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=O9sYK7z3WbbgkknvMvwfZX35RqRNyf5Py+2kBlCGv4k=; b=MBWXhg8A2u7XWXVYQ6lSF1CZfpUrubFQ2pEU+wNINvo4TfQaLfubPaBYPoMyjWvSqt b7cqyuSnWSxCxpm2MwvwAk5MJsUs7OpKRVhxCbBsEVqXxNOImFZ/l5GwR3fpQl5+ItWs +L98APvcq+Puh74s16EEeSZUZ/V1rCBXS4b5SiO0468G0UL++9r5s/IILJ72KupsKfRy fL/yXc1T6byt8fchfPRGUx7Mw3cRBjGIns3w4V5/6L0DnxJqOU/mNIvKYLnOpVvtHF8v /Q5/I9BioHEABtrzOv/BvdYK1QS5mCJbiVsjP511y2wZUUiLfHpQnp72wCccVPNqZ4IE HVvA== X-Gm-Message-State: AOJu0YyC5ROqcQx5eKtLLxgZMf4KnsnpwJ/sI+H7Kivrwpc/BEp8R7zW RNQLoj9IHr3XTFymM3Yn0ArmcdUOI0cY9PJwVFhVN/Z9s2BsMmWLhVYcClKcz9yr5tdYgrgfJ6E = X-Google-Smtp-Source: AGHT+IEc+tDx6sfLTEL1mhumbCvDSbuCKsykyNGM2srfWvMprXBfegwjmTD5lvLJxAzPxS4f7WeABA== X-Received: by 2002:a17:903:451:b0:1d9:1e1:76b3 with SMTP id iw17-20020a170903045100b001d901e176b3mr199139plb.107.1706551247632; Mon, 29 Jan 2024 10:00:47 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id l4-20020a170902d04400b001d8dd45b9b1sm2374739pll.134.2024.01.29.10.00.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jan 2024 10:00:47 -0800 (PST) From: Kees Cook To: Marco Elver Cc: Kees Cook , Fangrui Song , Nathan Chancellor , Masahiro Yamada , Nicolas Schier , Nick Desaulniers , Bill Wendling , Justin Stitt , linux-kbuild@vger.kernel.org, llvm@lists.linux.dev, Andrey Konovalov , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 1/6] ubsan: Use Clang's -fsanitize-trap=undefined option Date: Mon, 29 Jan 2024 10:00:38 -0800 Message-Id: <20240129180046.3774731-1-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240129175033.work.813-kees@kernel.org> References: <20240129175033.work.813-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1398; i=keescook@chromium.org; h=from:subject; bh=yH6x7koGVyqkzXPlS5DuuMQ7rErHxIAyUsPCshZXJqo=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlt+fKRyYbL1VJp1m0ZRn8657+TY/Q9I2OhsIfr Nhr+eEyD8qJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZbfnygAKCRCJcvTf3G3A JvvwD/4oBxFkh5fzUJffPCV7wy9Y6k2huiVfHjonoBRkDeyjaKqfQYTecCk/CL+c+TO65fhCT+q xqSs2LGuFyyj7eOZGVYhpL+fAeyXp00kJeJ9NO48Zit8cDCVOojomAjG68UBgx7SMDH9RrcGsCW zKM1fWgaWgs6y6q25ikHsKAQ7cGyV/ccKJlhd1//ttzhOufRHmHl1LFtqGGHwgaNA3VNKoFSbJ9 Oj0pG0RrZWSc1cUZWHhw6X12fopRpJKdMPethlAGh8DSRUCH+Qp8S+c4Uvx5Kbflb28/q/w+1P/ zUabY1h1VH0yC8NAe8xOBilIj5KXfjjkMAMF02LmZMDFPbVbAfTarNEBT3anpykg4TB6OjJUpeG JnnqzvSGbO9iveLeJWaN+9nR2qFV59NSmvyvLnIMvYf3heAJYgWyf1Ac10HNTUVuyPrvlLDm7f+ rfpkI7Xd3lzR/l64/lRkqWcSDg+ZtSkQW+h1T6/5rzYkoxhC9BeJ5hl3PCuFtAgF1VmSVbnqkCE HVawUkwEyNpURWxmfTF7cmTDPpYe2V7SoUU+viFzi+mDZoSumju/sQWzFqG5usxniFDaa3H0Gse h84FxDEHMfFv3vs75+fQ00Ra4GKbQta90pHtfeZtrlf9zymnXZw60aQCN1CQRLFQL4eGd8FHP4d U4aVwGwI1l81C6w== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Clang changed the way it enables UBSan trapping mode. Update the Makefile logic to discover it. Suggested-by: Fangrui Song Link: https://lore.kernel.org/lkml/CAFP8O3JivZh+AAV7N90Nk7U2BHRNST6MRP0zHtfQ-Vj0m4+pDA@mail.gmail.com/ Cc: Nathan Chancellor Cc: Masahiro Yamada Cc: Nicolas Schier Cc: Nick Desaulniers Cc: Bill Wendling Cc: Justin Stitt Cc: linux-kbuild@vger.kernel.org Cc: llvm@lists.linux.dev Signed-off-by: Kees Cook Reviewed-by: Fangrui Song --- scripts/Makefile.ubsan | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 4749865c1b2c..7cf42231042b 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -10,6 +10,6 @@ ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) += -fsanitize=integer-divide-by-zero ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) += -fsanitize=unreachable ubsan-cflags-$(CONFIG_UBSAN_BOOL) += -fsanitize=bool ubsan-cflags-$(CONFIG_UBSAN_ENUM) += -fsanitize=enum -ubsan-cflags-$(CONFIG_UBSAN_TRAP) += -fsanitize-undefined-trap-on-error +ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined,-fsanitize-undefined-trap-on-error) export CFLAGS_UBSAN := $(ubsan-cflags-y) From patchwork Mon Jan 29 18:00:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13536177 Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 351707603A for ; Mon, 29 Jan 2024 18:00:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551252; cv=none; b=EX1E8fnFTwwirMXpi1AGrRlwjOsLJZgKWjH2+fFSUdHZrrjavtO4y3EcFFGZo46pwQv8Lt+9TxZUtBWHjH0BSIeqio9t7k+3N8U/uJlP9gGpyrJ2jHZ6yPL58Jwbfud4B8nsuq6fyZby9CCWfr0SkVO82GDJSb9cjuknn1lzhKc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551252; c=relaxed/simple; bh=81LcZge0w4D9Z3eA6B+rApaqgdau7DNMJpUzowyrc8U=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=eB0ivctGgou39ndqtRGu2JK8FUn6RiG9rdhIaaxlQyZWnESmM8jPfE9UlGlD4PKzhmvM//g1Wipe38Xp7PSj4T6F6UABfy76QYn+Mvu8eabYBxEMvZXe1TbbwXjXKhSI8rirR4ETrcxwUOZLJdA4vZ9XjqmzvonEle21G0BsQtM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=ENP8xTrO; arc=none smtp.client-ip=209.85.210.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="ENP8xTrO" Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-6ddce722576so1370052b3a.1 for ; Mon, 29 Jan 2024 10:00:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706551249; x=1707156049; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=U/S6R7/9nVoHmk9zF9Fu8HvJ6G5Gizsl3DGB5UcgoVw=; b=ENP8xTrOM+56RJ9/yWCLd8hrOubKjLkWyMnBwI6heJecDzJBAz5UE8faH2U1MeLNS0 1RWY/qSjXbzbxTvBfZM17565qf9x7s0W7I5Dl9vP3aKXmWfZ85WBWP8ygN8NG1fHTgos 6RNoJNYopVIH795Tl35VWaY+2nkhHGim+OIzE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706551249; x=1707156049; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=U/S6R7/9nVoHmk9zF9Fu8HvJ6G5Gizsl3DGB5UcgoVw=; b=EQA9lfp+mcPgyQNWpOQOd9xfIMMzD8UrKQh3Za2mNac2vxq2sFMxanjSD8Ti2za4gZ dH852B734WumgzdY4zH8JlgMugLP6sgkWQhzmiH7byoZ3QAxmo0lOOi/HEZdFjLRtd0g xn2Fb8xSi3tr/Vg17zgMyr6dirWR/u0hGQjp1NGe9h6HMkiEzooHr+McxQ6XY+N1lxa0 KLUIuGk1wlyNtFLLlr/0z+9J0VkBq34m9SuC46eIWy0jmev+ckg5OajcS7WgKFox8lmo UZi44lfVubVGfJif1nJ/EAzZ9OrFc7hwMCurW+V2XsPaVy2o2wRrUJGeZZKkkbqLML1e f6lw== X-Gm-Message-State: AOJu0YxgroA6hpywg5vdBhvnq3pGKnWkRUZVDhn4FS+U0Uad0YopcQlA YHZ8Mve5wvt/5WDA+53DvtfI8lic0pJWpc4Ll8jqL8xbyUSUqn57Ko4A/8vtdw== X-Google-Smtp-Source: AGHT+IHQnZbc4CDpc/PNRkdgODd8F3N0KDtcFJv5A+utlHT3onN/rSbzWcZBKcR5XR/Xa27nscnRug== X-Received: by 2002:aa7:8c0e:0:b0:6de:1cae:a4ed with SMTP id c14-20020aa78c0e000000b006de1caea4edmr2155450pfd.3.1706551249541; Mon, 29 Jan 2024 10:00:49 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id fb8-20020a056a002d8800b006dd8148efd8sm6085479pfb.103.2024.01.29.10.00.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jan 2024 10:00:47 -0800 (PST) From: Kees Cook To: Marco Elver Cc: Kees Cook , Justin Stitt , Miguel Ojeda , Nathan Chancellor , Nick Desaulniers , Peter Zijlstra , Hao Luo , Przemek Kitszel , Fangrui Song , Masahiro Yamada , Bill Wendling , Nicolas Schier , Andrey Konovalov , linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Subject: [PATCH 2/6] ubsan: Reintroduce signed and unsigned overflow sanitizers Date: Mon, 29 Jan 2024 10:00:39 -0800 Message-Id: <20240129180046.3774731-2-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240129175033.work.813-kees@kernel.org> References: <20240129175033.work.813-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=10079; i=keescook@chromium.org; h=from:subject; bh=81LcZge0w4D9Z3eA6B+rApaqgdau7DNMJpUzowyrc8U=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlt+fKIaVk0RDXV5BS8oDSW+Q7mjUG3v2lN2MSh eQs8Xe4ZXyJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZbfnygAKCRCJcvTf3G3A JgurD/9DkagOyEbI4a5ICzXf6tUpMVcM49hz5oafXbNgdqrn3KUYi97yfRAINw8vUqQElyK4unV Kjhojr4O1+jSBa43BSNl+D1Zj0VhtMPS8ouYh7IiM+HGKVSqzaiS20wrzmQXJyHXortxnQmRmCB VjPjHEn5dm4bcxGBfB/novnBWipLzaCS+1NzYYo7LLiEmD/uMEGI94sJUTIwWMq2ifse//x2hF9 h84ACieJ9DbmCqKLkmDc2PcUeu/PugIN1gaXjPLvghoDRZHguTDlToqUzV0Aq8FnRG0uZ4XpgnX zoZsCsLP7u9rTynKwkTuSYnHtr3pUIiDlrUs7boNnDSvIURDKbX+GiTuNeTIlZWHuPyIuonsBxZ XWoHnuDsIlw933mt1M93EAL/MhHMCTBzZ38v9XiEu0k1saFIsYC2Q7qMbk+RWkpdAWfHI2PsaTw 1qzLsWJou0+eEsJqdiIaI64dJlzPZ0KzZc7Dism8IXbbrwVtJvMiASS3i0GKn4OgFLK42Ef93Pn /Ak/DgfL4o8jf7U7iujwn/MUlZ23s0SvQ6lJPaR9qDu+znd0jf6P0SjUkAZfpUhQv6sAeMUW0qe O+zqOsjLq/E3w3kpf4M0mkYy4EZFe3uE8klYi1pKDkxRmwev2QBNVCjrrOxkzwE5fcu/oXIkrhP bQK8kza3tDlUX2g== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Effectively revert commit 6aaa31aeb9cf ("ubsan: remove overflow checks"), to allow the kernel to be built with the "overflow" sanitizers again. This gives developers a chance to experiment[1][2][3] with the instrumentation again, while compilers adjust their sanitizers to deal with the impact of -fno-strict-oveflow (i.e. moving from "overflow" checking to "wrap-around" checking). Notably, the naming of the options is adjusted to use the name "WRAP" instead of "OVERFLOW". In the strictest sense, arithmetic "overflow" happens when a result exceeds the storage of the type, and is considered by the C standard and compilers to be undefined behavior for signed and pointer types (without -fno-strict-overflow). Unsigned arithmetic overflow is defined as always wrapping around. Because the kernel is built with -fno-strict-overflow, signed and pointer arithmetic is defined to always wrap around instead of "overflowing" (which could either be elided due to being undefined behavior or would wrap around, which led to very weird bugs in the kernel). So, the config options are added back as CONFIG_UBSAN_SIGNED_WRAP and CONFIG_UBSAN_UNSIGNED_WRAP. Since the kernel has several places that explicitly depend on wrap-around behavior (e.g. counters, atomics, crypto, etc), also introduce the __signed_wrap and __unsigned_wrap function attributes for annotating functions where wrapping is expected and should not be instrumented. This will allow us to distinguish in the kernel between intentional and unintentional cases of arithmetic wrap-around. Additionally keep these disabled under CONFIG_COMPILE_TEST for now. Link: https://github.com/KSPP/linux/issues/26 [1] Link: https://github.com/KSPP/linux/issues/27 [2] Link: https://github.com/KSPP/linux/issues/344 [3] Cc: Justin Stitt Cc: Miguel Ojeda Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Peter Zijlstra Cc: Marco Elver Cc: Hao Luo Cc: Przemek Kitszel Signed-off-by: Kees Cook Reviewed-by: Justin Stitt --- include/linux/compiler_types.h | 14 ++++++- lib/Kconfig.ubsan | 19 ++++++++++ lib/test_ubsan.c | 49 ++++++++++++++++++++++++ lib/ubsan.c | 68 ++++++++++++++++++++++++++++++++++ lib/ubsan.h | 4 ++ scripts/Makefile.ubsan | 2 + 6 files changed, 155 insertions(+), 1 deletion(-) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 6f1ca49306d2..e585614f3152 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -282,11 +282,23 @@ struct ftrace_likely_data { #define __no_sanitize_or_inline __always_inline #endif +/* Allow wrapping arithmetic within an annotated function. */ +#ifdef CONFIG_UBSAN_SIGNED_WRAP +# define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow"))) +#else +# define __signed_wrap +#endif +#ifdef CONFIG_UBSAN_UNSIGNED_WRAP +# define __unsigned_wrap __attribute__((no_sanitize("unsigned-integer-overflow"))) +#else +# define __unsigned_wrap +#endif + /* Section for code which can't be instrumented at all */ #define __noinstr_section(section) \ noinline notrace __attribute((__section__(section))) \ __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage \ - __no_sanitize_memory + __no_sanitize_memory __signed_wrap __unsigned_wrap #define noinstr __noinstr_section(".noinstr.text") diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 59e21bfec188..a7003e5bd2a1 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -116,6 +116,25 @@ config UBSAN_UNREACHABLE This option enables -fsanitize=unreachable which checks for control flow reaching an expected-to-be-unreachable position. +config UBSAN_SIGNED_WRAP + bool "Perform checking for signed arithmetic wrap-around" + default UBSAN + depends on !COMPILE_TEST + depends on $(cc-option,-fsanitize=signed-integer-overflow) + help + This option enables -fsanitize=signed-integer-overflow which checks + for wrap-around of any arithmetic operations with signed integers. + +config UBSAN_UNSIGNED_WRAP + bool "Perform checking for unsigned arithmetic wrap-around" + depends on $(cc-option,-fsanitize=unsigned-integer-overflow) + depends on !X86_32 # avoid excessive stack usage on x86-32/clang + depends on !COMPILE_TEST + help + This option enables -fsanitize=unsigned-integer-overflow which checks + for wrap-around of any arithmetic operations with unsigned integers. This + currently causes x86 to fail to boot. + config UBSAN_BOOL bool "Perform checking for non-boolean values used as boolean" default UBSAN diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 2062be1f2e80..84d8092d6c32 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c @@ -11,6 +11,51 @@ typedef void(*test_ubsan_fp)(void); #config, IS_ENABLED(config) ? "y" : "n"); \ } while (0) +static void test_ubsan_add_overflow(void) +{ + volatile int val = INT_MAX; + volatile unsigned int uval = UINT_MAX; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val += 2; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval += 2; +} + +static void test_ubsan_sub_overflow(void) +{ + volatile int val = INT_MIN; + volatile unsigned int uval = 0; + volatile int val2 = 2; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val -= val2; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval -= val2; +} + +static void test_ubsan_mul_overflow(void) +{ + volatile int val = INT_MAX / 2; + volatile unsigned int uval = UINT_MAX / 2; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val *= 3; + + UBSAN_TEST(CONFIG_UBSAN_UNSIGNED_WRAP); + uval *= 3; +} + +static void test_ubsan_negate_overflow(void) +{ + volatile int val = INT_MIN; + + UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + val = -val; +} + static void test_ubsan_divrem_overflow(void) { volatile int val = 16; @@ -90,6 +135,10 @@ static void test_ubsan_misaligned_access(void) } static const test_ubsan_fp test_ubsan_array[] = { + test_ubsan_add_overflow, + test_ubsan_sub_overflow, + test_ubsan_mul_overflow, + test_ubsan_negate_overflow, test_ubsan_shift_out_of_bounds, test_ubsan_out_of_bounds, test_ubsan_load_invalid_value, diff --git a/lib/ubsan.c b/lib/ubsan.c index df4f8d1354bb..5fc107f61934 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c @@ -222,6 +222,74 @@ static void ubsan_epilogue(void) check_panic_on_warn("UBSAN"); } +static void handle_overflow(struct overflow_data *data, void *lhs, + void *rhs, char op) +{ + + struct type_descriptor *type = data->type; + char lhs_val_str[VALUE_LENGTH]; + char rhs_val_str[VALUE_LENGTH]; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, type_is_signed(type) ? + "signed-integer-overflow" : + "unsigned-integer-overflow"); + + val_to_string(lhs_val_str, sizeof(lhs_val_str), type, lhs); + val_to_string(rhs_val_str, sizeof(rhs_val_str), type, rhs); + pr_err("%s %c %s cannot be represented in type %s\n", + lhs_val_str, + op, + rhs_val_str, + type->type_name); + + ubsan_epilogue(); +} + +void __ubsan_handle_add_overflow(void *data, + void *lhs, void *rhs) +{ + + handle_overflow(data, lhs, rhs, '+'); +} +EXPORT_SYMBOL(__ubsan_handle_add_overflow); + +void __ubsan_handle_sub_overflow(void *data, + void *lhs, void *rhs) +{ + handle_overflow(data, lhs, rhs, '-'); +} +EXPORT_SYMBOL(__ubsan_handle_sub_overflow); + +void __ubsan_handle_mul_overflow(void *data, + void *lhs, void *rhs) +{ + handle_overflow(data, lhs, rhs, '*'); +} +EXPORT_SYMBOL(__ubsan_handle_mul_overflow); + +void __ubsan_handle_negate_overflow(void *_data, void *old_val) +{ + struct overflow_data *data = _data; + char old_val_str[VALUE_LENGTH]; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, "negation-overflow"); + + val_to_string(old_val_str, sizeof(old_val_str), data->type, old_val); + + pr_err("negation of %s cannot be represented in type %s:\n", + old_val_str, data->type->type_name); + + ubsan_epilogue(); +} +EXPORT_SYMBOL(__ubsan_handle_negate_overflow); + + void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs) { struct overflow_data *data = _data; diff --git a/lib/ubsan.h b/lib/ubsan.h index 5d99ab81913b..0abbbac8700d 100644 --- a/lib/ubsan.h +++ b/lib/ubsan.h @@ -124,6 +124,10 @@ typedef s64 s_max; typedef u64 u_max; #endif +void __ubsan_handle_add_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs); +void __ubsan_handle_negate_overflow(void *_data, void *old_val); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *ptr); void __ubsan_handle_type_mismatch_v1(void *_data, void *ptr); diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 7cf42231042b..7b2f3d554c59 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -8,6 +8,8 @@ ubsan-cflags-$(CONFIG_UBSAN_LOCAL_BOUNDS) += -fsanitize=local-bounds ubsan-cflags-$(CONFIG_UBSAN_SHIFT) += -fsanitize=shift ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) += -fsanitize=integer-divide-by-zero ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) += -fsanitize=unreachable +ubsan-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow +ubsan-cflags-$(CONFIG_UBSAN_UNSIGNED_WRAP) += -fsanitize=unsigned-integer-overflow ubsan-cflags-$(CONFIG_UBSAN_BOOL) += -fsanitize=bool ubsan-cflags-$(CONFIG_UBSAN_ENUM) += -fsanitize=enum ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined,-fsanitize-undefined-trap-on-error) From patchwork Mon Jan 29 18:00:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13536180 Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED0AA76053 for ; Mon, 29 Jan 2024 18:00:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551254; cv=none; b=f4QqrYZKsEHii5IhoCxwyH+Y+PquSGEnfE9Z3ZoqiUcT99UZyRRWj4VxMtZdEiVJLnnfXnmai93QhgChdt8WDuK1qEl9R/NzNDx06xk1bDcXDJfRsJEiipb01RsktUCPy1wz86tj/MZUwdp8/oXQR5eCDMRJWHQxuLAJBlkbuNI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551254; c=relaxed/simple; bh=NkiEcsGlCZJdDWvQkJb/8yMO5oe0d2E5DUKWEGSWQdQ=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=lgatlY1tX/WD++gv0aVs7kXCXSxtcTUAhiLkMriE3v2C6qSk2j7USSEPsn5S5Toq6iV24DNCi18wa//o82oGW9WEY2vrtHI548Nn+6iPBuewpiLIyyTDB0anegLj6LyiEtNK0iIjQI911LHDGyTJRmcYWRgKXQimza5v/4aTh7w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=QiA375yM; arc=none smtp.client-ip=209.85.216.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="QiA375yM" Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-2907a17fa34so2450288a91.1 for ; Mon, 29 Jan 2024 10:00:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706551251; x=1707156051; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=VqHYD682nla/ZHS426F2Ic30I1reUytKpu6/CiCUuio=; b=QiA375yMe54hIQi/k+41nBTuq7EAbaCwWBLpuBf6UKkRTjjT3+vD7P56STdmDrpvtE YeQYdkbTnZay98sdrBKFFfrV1Mkqkdb0ZAD1r5QyBB+21ygW58U4Jf/wFRy6flxRwsQZ F4o+0sDIPT7MDZChpg1FJ6AFd6Ul8s5JWFS4I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706551251; x=1707156051; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VqHYD682nla/ZHS426F2Ic30I1reUytKpu6/CiCUuio=; b=Xdy2SUW1yiRn+joRxt+4hfmT3NWI+Y6MuaF3YYP8IfYiDmInQR8fyGjbfxFVJ2ENDX ksxgFzdlaT3W84YDKMau85pKHGxQeBg1Skp/XlBzkxygp9J8CPT0UbPzOwc4qegsHd8b 0WJOOQEMGI/KHEXFvY7qZIpI8x/xciEvQ89hEaUkqKQyV0Jcc/ifry6wADmth6I6v9dn +58VwKAkMWXNFr8FB1//wRLfJ6UK+/sTa0V/fSSHxcymM+23PTEpWwPI0dfXN5BilbRX lEYlEMwZ+uASMOpj7URSZZIhjQ4Szkdyoeak51X81/b6dsIeRenyWJhUP5O3eqWi0eA7 h++Q== X-Gm-Message-State: AOJu0Yy47UKBjo7tJNzem9KpRr1YsaNEzhY8SXY6lZg0y+1owcRi5nA7 sUcRQe7uYeEgguK7bv+8f7W4eVp9aVO/VVPC39Mg9GxoZ8dhHJZG1MLhzt/d0g== X-Google-Smtp-Source: AGHT+IEmS3D7+uxif1kSrOchHotI7X7olNDn9qkR3GFvV6OW2XNaBGwJD6dN03DiSLhSLaQ7Q9YJ2g== X-Received: by 2002:a17:90a:c7c3:b0:294:65c1:458b with SMTP id gf3-20020a17090ac7c300b0029465c1458bmr3840370pjb.40.1706551251130; Mon, 29 Jan 2024 10:00:51 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id j19-20020a17090a841300b00294483f38dbsm6214172pjn.9.2024.01.29.10.00.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jan 2024 10:00:47 -0800 (PST) From: Kees Cook To: Marco Elver Cc: Kees Cook , Andrew Morton , Masahiro Yamada , Nathan Chancellor , Nicolas Schier , linux-kbuild@vger.kernel.org, Justin Stitt , Fangrui Song , Bill Wendling , Andrey Konovalov , linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Subject: [PATCH 3/6] ubsan: Introduce CONFIG_UBSAN_POINTER_WRAP Date: Mon, 29 Jan 2024 10:00:40 -0800 Message-Id: <20240129180046.3774731-3-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240129175033.work.813-kees@kernel.org> References: <20240129175033.work.813-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=6190; i=keescook@chromium.org; h=from:subject; bh=NkiEcsGlCZJdDWvQkJb/8yMO5oe0d2E5DUKWEGSWQdQ=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlt+fK83ic3PPh75cmRopeu/CT8AfoDx9L/zyas Z3T4rMEfOyJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZbfnygAKCRCJcvTf3G3A JrrwD/9A9nrqjXK5FQG9dvow0AN183koCCDwTn4ZD161OCEMrBwgR+CeBm/gtWLNWVKgvtLGuGs 8pKG+FyhpdI6zS/3vjHymwD1sCFVqkJQFOUtcmBXA9goOMoS920ANwoq/w9AfNnl3a3wBlnz9Lg kuh/M92LMB87qeO9TUvAkrTPUXfcdUHMrjGprR6S/mJwgc8zKVOyY6vM9+PJ1z/nQHr+9m1aAPh UtlbvYWwoILjV9r8SpzU/30YT91l9WlVE7Co1YY5gBwBkSBdyJ4+i08RhHtMC5gzcg+N2jhbQXc BP96lmSl9Hc3GAY94rMsM9OhbTcfKbBHKyK9jWCaBlcl/ge2TtNp/UT7UBxHsQrI2+weSb+fJ46 3hmdsBg+I5tPYMSelIyeBBU9YRCSlQMKPwr9iQwyL4s8iQ32+MOau9d98cM8y7ndTiy4VW2idmu /SL2lQ3blDgkOHCvWhVkkMRa1u0TJWm2w+OhHypkzOwYeLeeXeMcoUh9e0rkby/sceU1qvlH2r9 VYmP+7ZDMl3kh9cbRKMwlYCuquzQkufW+sQ+soBxrRv3XzczvYffkIoERolZ0iCvMx3CBDzm9Ak xIUCQzh1YTh3pHbsslAmZObnmcBMa+xix+vN4Ja3Is9xc8FvPqeAjsWpPOJh3xkDdX3eXsth0B/ 1EVpfhieCRAosUQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Gain coverage for pointer wrap-around checking. Adds support for -fsanitize=pointer-overflow, and introduces the __pointer_wrap function attribute to match the signed and unsigned attributes. Also like the others, it is currently disabled under CONFIG_COMPILE_TEST. Cc: Andrew Morton Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/compiler_types.h | 7 ++++++- lib/Kconfig.ubsan | 8 ++++++++ lib/test_ubsan.c | 33 +++++++++++++++++++++++++++++++++ lib/ubsan.c | 21 +++++++++++++++++++++ lib/ubsan.h | 1 + scripts/Makefile.ubsan | 1 + 6 files changed, 70 insertions(+), 1 deletion(-) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index e585614f3152..e65ce55046fd 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -293,12 +293,17 @@ struct ftrace_likely_data { #else # define __unsigned_wrap #endif +#ifdef CONFIG_UBSAN_POINTER_WRAP +# define __pointer_wrap __attribute__((no_sanitize("pointer-overflow"))) +#else +# define __pointer_wrap +#endif /* Section for code which can't be instrumented at all */ #define __noinstr_section(section) \ noinline notrace __attribute((__section__(section))) \ __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage \ - __no_sanitize_memory __signed_wrap __unsigned_wrap + __no_sanitize_memory __signed_wrap __unsigned_wrap __pointer_wrap #define noinstr __noinstr_section(".noinstr.text") diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index a7003e5bd2a1..04222a6d7fd9 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -135,6 +135,14 @@ config UBSAN_UNSIGNED_WRAP for wrap-around of any arithmetic operations with unsigned integers. This currently causes x86 to fail to boot. +config UBSAN_POINTER_WRAP + bool "Perform checking for pointer arithmetic wrap-around" + depends on !COMPILE_TEST + depends on $(cc-option,-fsanitize=pointer-overflow) + help + This option enables -fsanitize=pointer-overflow which checks + for wrap-around of any arithmetic operations with pointers. + config UBSAN_BOOL bool "Perform checking for non-boolean values used as boolean" default UBSAN diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 84d8092d6c32..1cc049b3ef34 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c @@ -56,6 +56,36 @@ static void test_ubsan_negate_overflow(void) val = -val; } +static void test_ubsan_pointer_overflow_add(void) +{ + volatile void *top = (void *)ULONG_MAX; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + top += 2; +} + +static void test_ubsan_pointer_overflow_sub(void) +{ + volatile void *bottom = (void *)1; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + bottom -= 3; +} + +struct ptr_wrap { + int a; + int b; +}; + +static void test_ubsan_pointer_overflow_mul(void) +{ + volatile struct ptr_wrap *half = (void *)(ULONG_MAX - 128); + volatile int bump = 128; + + UBSAN_TEST(CONFIG_UBSAN_POINTER_WRAP); + half += bump; +} + static void test_ubsan_divrem_overflow(void) { volatile int val = 16; @@ -139,6 +169,9 @@ static const test_ubsan_fp test_ubsan_array[] = { test_ubsan_sub_overflow, test_ubsan_mul_overflow, test_ubsan_negate_overflow, + test_ubsan_pointer_overflow_add, + test_ubsan_pointer_overflow_sub, + test_ubsan_pointer_overflow_mul, test_ubsan_shift_out_of_bounds, test_ubsan_out_of_bounds, test_ubsan_load_invalid_value, diff --git a/lib/ubsan.c b/lib/ubsan.c index 5fc107f61934..d49580ff6aea 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c @@ -289,6 +289,27 @@ void __ubsan_handle_negate_overflow(void *_data, void *old_val) } EXPORT_SYMBOL(__ubsan_handle_negate_overflow); +void __ubsan_handle_pointer_overflow(void *_data, void *lhs, void *rhs) +{ + struct overflow_data *data = _data; + unsigned long before = (unsigned long)lhs; + unsigned long after = (unsigned long)rhs; + + if (suppress_report(&data->location)) + return; + + ubsan_prologue(&data->location, "pointer-overflow"); + + if (after == 0) + pr_err("overflow wrapped to NULL\n"); + else if (after < before) + pr_err("overflow wrap-around\n"); + else + pr_err("underflow wrap-around\n"); + + ubsan_epilogue(); +} +EXPORT_SYMBOL(__ubsan_handle_pointer_overflow); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs) { diff --git a/lib/ubsan.h b/lib/ubsan.h index 0abbbac8700d..5dd27923b78b 100644 --- a/lib/ubsan.h +++ b/lib/ubsan.h @@ -128,6 +128,7 @@ void __ubsan_handle_add_overflow(void *data, void *lhs, void *rhs); void __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs); void __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs); void __ubsan_handle_negate_overflow(void *_data, void *old_val); +void __ubsan_handle_pointer_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs); void __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *ptr); void __ubsan_handle_type_mismatch_v1(void *_data, void *ptr); diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 7b2f3d554c59..df4ccf063f67 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -10,6 +10,7 @@ ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) += -fsanitize=integer-divide-by-zero ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) += -fsanitize=unreachable ubsan-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow ubsan-cflags-$(CONFIG_UBSAN_UNSIGNED_WRAP) += -fsanitize=unsigned-integer-overflow +ubsan-cflags-$(CONFIG_UBSAN_POINTER_WRAP) += -fsanitize=pointer-overflow ubsan-cflags-$(CONFIG_UBSAN_BOOL) += -fsanitize=bool ubsan-cflags-$(CONFIG_UBSAN_ENUM) += -fsanitize=enum ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined,-fsanitize-undefined-trap-on-error) From patchwork Mon Jan 29 18:00:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13536178 Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DA7F576044 for ; Mon, 29 Jan 2024 18:00:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551253; cv=none; b=CkwxSRcvQoFssa1GO6UYercPkihKlEnjfKr/IvBXhuSO5cSqMFA59hxFlWBnr0HIjhbK5XUXCuPQnzJ5diHNehl9gp4I1WfGzI9ORQ2TGFWYXrGNen5nRaVTy9VjrbuZIKr1RslNh2UAkIKAaE0SuIn94gNmTN3og60b8skcleI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551253; c=relaxed/simple; bh=ChqR4pwLOMRrvI2mwMAhvrmBk7bFBrYJU+84/NDgMjc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=s8UUq3laLIbVKz/AAebGKAmqDkI8wXxSJg/mzrk06WYos15ihVBIo7iYvbSqF7gz7LhW9uM5Im799JWp48R94vRXYhea0PNzJOhwTOKnWAhZHDi2OT6NzujKkOk1O/bJ1ucblPT7gTsxN/AHzclKxMWtCWAyWMlJPPvMTIEqu9I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=eVdL6wUQ; arc=none smtp.client-ip=209.85.216.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="eVdL6wUQ" Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-295a3911af8so123893a91.1 for ; Mon, 29 Jan 2024 10:00:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706551250; x=1707156050; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=MZoPcgm2ExbWiklFnpgC7jG0zZ989QvpgVdI0GYP0N0=; b=eVdL6wUQn1OrJpjdli/1aJZg9sQIJTVlcOSwa8vWcj3jYynkilFbnin8s3lXHtE3wg lHTvnOZxXABCsUM5olGw7z7AgrbxHbndgBjcEvmZTmvs3/i9jecaglDPolVQfOxoUI/A j7Rpk4lKC3Wcmt8YjQLYwNzkmJoajH2u98Wp0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706551250; x=1707156050; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MZoPcgm2ExbWiklFnpgC7jG0zZ989QvpgVdI0GYP0N0=; b=Da1siAoKsR9gWhXT1QmJ8zvdQcas+RA5PZGcXBHc6cLt/WSe36qw2dj1EvesZOtHtM ONAHiKiFneiWZs0BQm7QR78Y+x8kMi8h2qlb7TvaPuFdJEZnboGmu5M3kzyyKc0j2F3+ yM25g9eytEoOebZW7WBJ2UxtVnLpWzBnYfZEI/GypJhsz+LlbAl5M8wniynbfqL+waqi uPcUTfVNFjiQvldq0pqqM2UwCAnnlubk8q+PpLyTU3YEL9rounc1fR54KBgoS/ZlPNvA UDDwWGcZxT5CKHZeGFlSqQxDKWsAQfya2Lc/Y4Hu89LVsYb9mKXwUCBnPh7zFUSXcX9C dH8w== X-Gm-Message-State: AOJu0YwciTJQVFEc1B7VRKbnYLdYkqogF/LYJLEgwGbBQnty7bA1XvN2 J+2OR/pouanNcpVNtqz3G7yNpGquyKmXYhucR+0HC9o1xCWtJpqcC7pWuMXFzA== X-Google-Smtp-Source: AGHT+IFJF0hBnKPnC2NvGE/ASBC2G7DOqChpIyY5M1CvIMsaqLsisQe6MdkRA14bizZntAf3cxjpUA== X-Received: by 2002:a17:90b:fd4:b0:294:bd32:6ddf with SMTP id gd20-20020a17090b0fd400b00294bd326ddfmr2604323pjb.38.1706551249916; Mon, 29 Jan 2024 10:00:49 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id c92-20020a17090a496500b0029102d936casm9508441pjh.47.2024.01.29.10.00.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jan 2024 10:00:47 -0800 (PST) From: Kees Cook To: Marco Elver Cc: Kees Cook , Andrey Konovalov , linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org, Justin Stitt , Fangrui Song , Nathan Chancellor , Masahiro Yamada , Bill Wendling , Nicolas Schier , linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Subject: [PATCH 4/6] ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL Date: Mon, 29 Jan 2024 10:00:41 -0800 Message-Id: <20240129180046.3774731-4-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240129175033.work.813-kees@kernel.org> References: <20240129175033.work.813-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=7713; i=keescook@chromium.org; h=from:subject; bh=ChqR4pwLOMRrvI2mwMAhvrmBk7bFBrYJU+84/NDgMjc=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlt+fKFqznRoc47f8x3QBqsx9X6BtCiDiZKmRIR 0EaK8ZbstmJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZbfnygAKCRCJcvTf3G3A Jg4gEAChu+riNsR4c9zKObZSyCQUUAbASyVvN0lCOoFA0sP6wed+rAC2TyDu+UQ9leLyPsbImoA f5T1X+cih9rKYfmgsh4qZjlfZyKxDq8h7boBYb4ViPcPI6gjaK/nmcKd1p9D3kuQrosXQTOOBb0 2A9JQAchDgi8bYBAUx4bbQDrE2PN9IlNfpNOOXIEbyMaLI2tXTmLSXkHsY7Dv0j57/D5LasGpXJ dnPe7wiyx7ScZiqIXARLDMEEUmRrjXoX8M79qvy6HFDxmn6DCcaOB6lDzjfYRZk+isVvloD+JsT aTi5iL9rwJ5QyukDAL2YcLpWdugTz6w1QDIQLTtMMiPoCxSzIQrWEquf9jvKZ4YIy8/zQxtO373 24CyKH2XRFk2se/59wIyQrQEzaOK5LGmgKUhrLaXTTvvs2DISeeeQjyb0nmZsn9aI/nb+/1i8lM lMxAI6TWYY8qCyCmL+jrNeb9uxXrLKvk3jScplihgdGqY4K/5+vBbFOK1MCW96hJZy/gfzsXiJ0 Jpy1pdy3hgyvKS+DJ967EltatLdjLYjIGBEPtG3Y6ERhC+8otnnJnwR5B6aZjyvVSX8rtD5Rfwz f2SLNwQcz+SJtiDV0bohAza2wbBe7E3/+4OpLDaTRaHYrr6RCKdJD2gXQwAFautWLmw5gYdanNc ZwzHb2t7GGez9gQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 For simplicity in splitting out UBSan options into separate rules, remove CONFIG_UBSAN_SANITIZE_ALL, effectively defaulting to "y", which is how it is generally used anyway. (There are no ":= y" cases beyond where a specific file is enabled when a top-level ":= n" is in effect.) Cc: Andrey Konovalov Cc: Marco Elver Cc: linux-doc@vger.kernel.org Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook --- Documentation/dev-tools/ubsan.rst | 28 ++++++++-------------------- arch/arm/Kconfig | 2 +- arch/arm64/Kconfig | 2 +- arch/mips/Kconfig | 2 +- arch/parisc/Kconfig | 2 +- arch/powerpc/Kconfig | 2 +- arch/riscv/Kconfig | 2 +- arch/s390/Kconfig | 2 +- arch/x86/Kconfig | 2 +- lib/Kconfig.ubsan | 13 +------------ scripts/Makefile.lib | 2 +- 11 files changed, 18 insertions(+), 41 deletions(-) diff --git a/Documentation/dev-tools/ubsan.rst b/Documentation/dev-tools/ubsan.rst index 2de7c63415da..e3591f8e9d5b 100644 --- a/Documentation/dev-tools/ubsan.rst +++ b/Documentation/dev-tools/ubsan.rst @@ -49,34 +49,22 @@ Report example Usage ----- -To enable UBSAN configure kernel with:: +To enable UBSAN, configure the kernel with:: - CONFIG_UBSAN=y + CONFIG_UBSAN=y -and to check the entire kernel:: - - CONFIG_UBSAN_SANITIZE_ALL=y - -To enable instrumentation for specific files or directories, add a line -similar to the following to the respective kernel Makefile: - -- For a single file (e.g. main.o):: - - UBSAN_SANITIZE_main.o := y - -- For all files in one directory:: - - UBSAN_SANITIZE := y - -To exclude files from being instrumented even if -``CONFIG_UBSAN_SANITIZE_ALL=y``, use:: +To exclude files from being instrumented use:: UBSAN_SANITIZE_main.o := n -and:: +and to exclude all targets in one directory use:: UBSAN_SANITIZE := n +When disabled for all targets, specific files can be enabled using:: + + UBSAN_SANITIZE_main.o := y + Detection of unaligned accesses controlled through the separate option - CONFIG_UBSAN_ALIGNMENT. It's off by default on architectures that support unaligned accesses (CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y). One could diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 0af6709570d1..287e62522064 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -29,7 +29,7 @@ config ARM select ARCH_HAVE_NMI_SAFE_CMPXCHG if CPU_V7 || CPU_V7M || CPU_V6K select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_KEEP_MEMBLOCK - select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_UBSAN select ARCH_MIGHT_HAVE_PC_PARPORT select ARCH_OPTIONAL_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if CPU_V7 diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index aa7c1d435139..78533d1b7f35 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -107,7 +107,7 @@ config ARM64 select ARCH_WANT_LD_ORPHAN_WARN select ARCH_WANTS_NO_INSTR select ARCH_WANTS_THP_SWAP if ARM64_4K_PAGES - select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_UBSAN select ARM_AMBA select ARM_ARCH_TIMER select ARM_GIC diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig index 797ae590ebdb..9750ce3e40d5 100644 --- a/arch/mips/Kconfig +++ b/arch/mips/Kconfig @@ -14,7 +14,7 @@ config MIPS select ARCH_HAS_STRNCPY_FROM_USER select ARCH_HAS_STRNLEN_USER select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST - select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_UBSAN select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_KEEP_MEMBLOCK select ARCH_USE_BUILTIN_BSWAP diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig index d14ccc948a29..dbc9027ea2f4 100644 --- a/arch/parisc/Kconfig +++ b/arch/parisc/Kconfig @@ -12,7 +12,7 @@ config PARISC select ARCH_HAS_ELF_RANDOMIZE select ARCH_HAS_STRICT_KERNEL_RWX select ARCH_HAS_STRICT_MODULE_RWX - select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_UBSAN select ARCH_HAS_PTE_SPECIAL select ARCH_NO_SG_CHAIN select ARCH_SUPPORTS_HUGETLBFS if PA20 diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index b9fc064d38d2..2065973e09d2 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -154,7 +154,7 @@ config PPC select ARCH_HAS_SYSCALL_WRAPPER if !SPU_BASE && !COMPAT select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST select ARCH_HAS_UACCESS_FLUSHCACHE - select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_UBSAN select ARCH_HAVE_NMI_SAFE_CMPXCHG select ARCH_KEEP_MEMBLOCK select ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE if PPC_RADIX_MMU diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index bffbd869a068..d824d113a02d 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -37,7 +37,7 @@ config RISCV select ARCH_HAS_STRICT_MODULE_RWX if MMU && !XIP_KERNEL select ARCH_HAS_SYSCALL_WRAPPER select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST - select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_UBSAN select ARCH_HAS_VDSO_DATA select ARCH_KEEP_MEMBLOCK if ACPI select ARCH_OPTIONAL_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index fe565f3a3a91..97dd25521617 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -82,7 +82,7 @@ config S390 select ARCH_HAS_STRICT_KERNEL_RWX select ARCH_HAS_STRICT_MODULE_RWX select ARCH_HAS_SYSCALL_WRAPPER - select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_UBSAN select ARCH_HAS_VDSO_DATA select ARCH_HAVE_NMI_SAFE_CMPXCHG select ARCH_INLINE_READ_LOCK diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 5edec175b9bf..1c4c326a3640 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -100,7 +100,7 @@ config X86 select ARCH_HAS_STRICT_MODULE_RWX select ARCH_HAS_SYNC_CORE_BEFORE_USERMODE select ARCH_HAS_SYSCALL_WRAPPER - select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_UBSAN select ARCH_HAS_DEBUG_WX select ARCH_HAS_ZONE_DMA_SET if EXPERT select ARCH_HAVE_NMI_SAFE_CMPXCHG diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 04222a6d7fd9..0611120036eb 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0-only -config ARCH_HAS_UBSAN_SANITIZE_ALL +config ARCH_HAS_UBSAN bool menuconfig UBSAN @@ -169,17 +169,6 @@ config UBSAN_ALIGNMENT Enabling this option on architectures that support unaligned accesses may produce a lot of false positives. -config UBSAN_SANITIZE_ALL - bool "Enable instrumentation for the entire kernel" - depends on ARCH_HAS_UBSAN_SANITIZE_ALL - default y - help - This option activates instrumentation for the entire kernel. - If you don't enable this option, you have to explicitly specify - UBSAN_SANITIZE := y for the files/directories you want to check for UB. - Enabling this option will get kernel image size increased - significantly. - config TEST_UBSAN tristate "Module for testing for undefined behavior detection" depends on m diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index cd5b181060f1..52efc520ae4f 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -175,7 +175,7 @@ endif ifeq ($(CONFIG_UBSAN),y) _c_flags += $(if $(patsubst n%,, \ - $(UBSAN_SANITIZE_$(basetarget).o)$(UBSAN_SANITIZE)$(CONFIG_UBSAN_SANITIZE_ALL)), \ + $(UBSAN_SANITIZE_$(basetarget).o)$(UBSAN_SANITIZE)y), \ $(CFLAGS_UBSAN)) endif From patchwork Mon Jan 29 18:00:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13536181 Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com [209.85.215.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D031F157053 for ; Mon, 29 Jan 2024 18:00:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551256; cv=none; b=ojddnsQXdQag/Z0497RImUc2r0S3ZqOzOz334OTUCqByQd/TfnxysuEOJOcK0Z+oWmc/nfd6G8yS52kOUgzNMw2afB7esJj9sargx66NHyzq7an7shsUL3GBXU6MPC8wQ2wCxRTnr+eskSSfCsmtZ8T68bnG47Ar6Y4ZIJrj5iI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551256; c=relaxed/simple; bh=jK+D77ByRXO1IX7WwU8qUvR5ixL79v+nVqcsnlmg2d4=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=t6tN4qD+LBeV++1/M3qgnR/iEao76IKv+umVhIHfmsmnZq8QW03+nQ99TxFuU4rTlOHO0KUZ7OviFO7OomFHIEwlg51e6tiD8OnsOj1PUjwF8W072skBplE3dGqiKyCLqk+gojV6Yek7iea14hH01qQ9+gIaJhHYEtuft4fFHeo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=hoaNNWyd; arc=none smtp.client-ip=209.85.215.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="hoaNNWyd" Received: by mail-pg1-f175.google.com with SMTP id 41be03b00d2f7-5d4a1e66750so1530503a12.0 for ; Mon, 29 Jan 2024 10:00:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706551253; x=1707156053; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=q2i1VCkuXMuVXp4gDavRJYrrSt5NKbgy/NVoBDThh0M=; b=hoaNNWydrTTim36PvAaBUYkg6XpExmm/AJNMQyuHIKOYHMBli1qHr21igRu3CTrqUu 3+oVsz529DLdCyuN7nJQe2DHyZYncVJuGo4dvEX5f/r94niJBdhLBd2gdlfraXNyDVs8 kFYPvVYrjd5bg8FF5HWuP5mSKdgUHC582Apas= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706551253; x=1707156053; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=q2i1VCkuXMuVXp4gDavRJYrrSt5NKbgy/NVoBDThh0M=; b=KN9AVwDyFiSmv/CS/Xs05je62pLAZiD1oGYEoFKF5nFVNz2hOyhNklnxI8PAv6JSRM nPE95mmkrfkjtFD+sVW7Tr7byw7lYE7JJ0jXIJR9K/Wm9gEMuDllMUv5QYydQNX3YoJD TDUdGEVyh3joHVq9V/mM4siv93lWx3QyJo3lt5GF7RYzD6vLDEzk/LZDDacT854J5bgP mLkQwwLR9s70uLNhjcBtiV39zytO4tBAwFz6z2HTezqjZ2cH+deuV0pm4yXvyvZf1Dmx ONbBasre9gajrqRN8yWcd6fDDhUiqWpyo35efZJRJs/WOKVnVgLF9psIunCAIUht8s/m Fj/Q== X-Gm-Message-State: AOJu0YwrrVn6XLyZvpR2PRP4pywlifXkinLm4ESv5vvPTjWFgXFyXbZb MFBlwMO/TfcE8G0FUtzPQNm8NDj4BLtEIFrRiNrvQODGYzteCIXuIIsb1r7I/w== X-Google-Smtp-Source: AGHT+IEFMuGN+nazKIGePnCBK93B/dcIkGpPVgGGjhO3ldJhS97s0IuMoBP3m6PSrC3bqjW/AXrG7Q== X-Received: by 2002:a17:90a:6303:b0:290:664f:b52e with SMTP id e3-20020a17090a630300b00290664fb52emr2540818pjj.38.1706551252969; Mon, 29 Jan 2024 10:00:52 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id h13-20020a170902680d00b001d8fec31348sm325955plk.294.2024.01.29.10.00.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jan 2024 10:00:51 -0800 (PST) From: Kees Cook To: Marco Elver Cc: Kees Cook , Masahiro Yamada , Nathan Chancellor , Nicolas Schier , linux-kbuild@vger.kernel.org, Justin Stitt , Fangrui Song , Bill Wendling , Andrey Konovalov , linux-kernel@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Subject: [PATCH 5/6] ubsan: Split wrapping sanitizer Makefile rules Date: Mon, 29 Jan 2024 10:00:42 -0800 Message-Id: <20240129180046.3774731-5-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240129175033.work.813-kees@kernel.org> References: <20240129175033.work.813-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2922; i=keescook@chromium.org; h=from:subject; bh=jK+D77ByRXO1IX7WwU8qUvR5ixL79v+nVqcsnlmg2d4=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlt+fLcstMJILdukRJsh4gmujuHAUYtz++GFAVQ hi5nayK60OJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZbfnywAKCRCJcvTf3G3A JvEwD/9mLJX/yCioxqHFplE6Sfs88ZUCvIWUegUYyLYqmW8FZNkwvz2hvrM6bY0we9ehQA+GsLY DWrfIOOKPYfNhb3K8UFSxHoHG4yQLg3j34ztkhnJt4ft+Toj2Uvn+GK5P349nQUrYAVgyGnmUcy pkpCS7FvQQfbQNXWxaWwl94ncIAKRzcYcgCKpxbORR6xqyIUjawjtceNK4N3/uku97s221SyhOD mkfjRRfg4DjBr+h+SZMa74boc3Yn5CYHKeNm9YZVAf/MzYCKODkSG0ZvLJTkladg6gDRxCxl6Wf YXhx7Tn63ADsL9fYyZNMHLuefXcanHemLC8v8rPqn3niih4BzNKq+8VNdjqhYOmd/RQfkNDe+8+ AZ/xcu2uIO03enV0eEUuYaO3aMHYHb2k2/MWLh3N99fpivvtStuiIsfJam+PAnkrz+8s/ejwQi6 CbvYokDbBsnn7Lh859fSJlZ5TbxsZgHHXZ8lhY49nkY4X9eakeAutkx7zmROnu8glrY+8hlrTPZ x8k/60vawNSEUHGFVIFaoCYDJ3IfCMkKcfwf1J6qEG3F4Vp9O9AxrBbRbAVHx+Idngc5hzhCw+7 vQhslezHOkCFdtjb19sRFaAJItaXno6VtYCq3pR3es0iijSSI6E69Lj9FgzQmyuFVbdUF2JdyR+ gg7Rk56aU/LzPPw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 To allow for fine-grained control of where the wrapping sanitizers can be disabled, split them from the main UBSAN CFLAGS into their own set of rules. Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook --- scripts/Makefile.lib | 9 +++++++++ scripts/Makefile.ubsan | 12 +++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index 52efc520ae4f..5ce4f4e0bc61 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -177,6 +177,15 @@ ifeq ($(CONFIG_UBSAN),y) _c_flags += $(if $(patsubst n%,, \ $(UBSAN_SANITIZE_$(basetarget).o)$(UBSAN_SANITIZE)y), \ $(CFLAGS_UBSAN)) +_c_flags += $(if $(patsubst n%,, \ + $(UBSAN_WRAP_SIGNED_$(basetarget).o)$(UBSAN_SANITIZE_$(basetarget).o)$(UBSAN_WRAP_SIGNED)$(UBSAN_SANITIZE)y), \ + $(CFLAGS_UBSAN_WRAP_SIGNED)) +_c_flags += $(if $(patsubst n%,, \ + $(UBSAN_WRAP_UNSIGNED_$(basetarget).o)$(UBSAN_SANITIZE_$(basetarget).o)$(UBSAN_WRAP_UNSIGNED)$(UBSAN_SANITIZE)y), \ + $(CFLAGS_UBSAN_WRAP_UNSIGNED)) +_c_flags += $(if $(patsubst n%,, \ + $(UBSAN_WRAP_POINTER_$(basetarget).o)$(UBSAN_SANITIZE_$(basetarget).o)$(UBSAN_WRAP_POINTER)$(UBSAN_SANITIZE)y), \ + $(CFLAGS_UBSAN_WRAP_POINTER)) endif ifeq ($(CONFIG_KCOV),y) diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index df4ccf063f67..6b1e65583d6f 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -8,11 +8,17 @@ ubsan-cflags-$(CONFIG_UBSAN_LOCAL_BOUNDS) += -fsanitize=local-bounds ubsan-cflags-$(CONFIG_UBSAN_SHIFT) += -fsanitize=shift ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) += -fsanitize=integer-divide-by-zero ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) += -fsanitize=unreachable -ubsan-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow -ubsan-cflags-$(CONFIG_UBSAN_UNSIGNED_WRAP) += -fsanitize=unsigned-integer-overflow -ubsan-cflags-$(CONFIG_UBSAN_POINTER_WRAP) += -fsanitize=pointer-overflow ubsan-cflags-$(CONFIG_UBSAN_BOOL) += -fsanitize=bool ubsan-cflags-$(CONFIG_UBSAN_ENUM) += -fsanitize=enum ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined,-fsanitize-undefined-trap-on-error) export CFLAGS_UBSAN := $(ubsan-cflags-y) + +ubsan-wrap-signed-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow +export CFLAGS_UBSAN_WRAP_SIGNED := $(ubsan-wrap-signed-cflags-y) + +ubsan-wrap-unsigned-cflags-$(CONFIG_UBSAN_UNSIGNED_WRAP) += -fsanitize=unsigned-integer-overflow +export CFLAGS_UBSAN_WRAP_UNSIGNED := $(ubsan-wrap-unsigned-cflags-y) + +ubsan-wrap-pointer-cflags-$(CONFIG_UBSAN_POINTER_WRAP) += -fsanitize=pointer-overflow +export CFLAGS_UBSAN_WRAP_POINTER := $(ubsan-wrap-pointer-cflags-y) From patchwork Mon Jan 29 18:00:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13536179 Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6268A7605C for ; Mon, 29 Jan 2024 18:00:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551254; cv=none; b=LFTawC4qdKmphyGYkpqkh3bclyjG21/GhFXwtWRPylvL52SELZz/KMYRPWdkSj8WWb/9STcFC4eZoWPIH7dyoh2Lkbj/XnxJRIwMxB2yUp9zGFWisTXgYJooeLF9yf8mFeu0z2mtzn2GBm34ZH4724+FhJhS8U1xmgFk3SHDVVI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706551254; c=relaxed/simple; bh=vyr6Rwi/L4pPWBag7CWmhgakv5Jllyh1RjY3A2J+kW0=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=TKdk2dqnkm9RFWv5ry7w7Ft1y/zfOEJ51lpj6/DjjAUIl9XrQUyJu6CMvfYd00bURXGq68LZF5XT5Z9uVON8krcF8KnMaxB6FjrceUuMQm9zI9SHu1y2NFTyhE3BQ12JvT47L3Ze/eAnOa1/74H80XxtRztuWVxdgmA7tbO57hE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=hqPNbxNn; arc=none smtp.client-ip=209.85.210.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="hqPNbxNn" Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-6ddc2a78829so1101321b3a.3 for ; Mon, 29 Jan 2024 10:00:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706551252; x=1707156052; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=OCmwNzG0gnTrnb9QgYxmIVbsupAP31DOfmkmHJeY0ek=; b=hqPNbxNndTfhQPefx6pHq3mYjF2fPySoDhhRhZvRn7OgRllIc7hLycb5b+KMyPPA1H cw9FHa0yHXRRdp5OGGXlHWMtcdYB4Yom5oYray26qKj8Ejq3ZmrKhG0FZdqPNMRZfxyT 5DBLISuER+7YuJ0mP8g1N5CHs84/2uOrTv9No= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706551252; x=1707156052; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OCmwNzG0gnTrnb9QgYxmIVbsupAP31DOfmkmHJeY0ek=; b=XGDyttMXfwdno8siks/8jGnWfbhWvby1NPnIaGi4Gyv4fpZ7L+oTaMTuhGHmjxqK/J 7nvzS7wA6eWmCbO8KuGP2hfkMNIP0WzIwyB1AR+qAJABvM9mc+WUW6yJgnTH/A/BSzMl wOMp4tGgpimZ3ozqef2h6y3SF3zR79elSdRyIuBq6Diz+QO7Zm6FIzxX8KLbCKZdLOk4 8/lJLdAK0DEtAcv4iNQplUsyI4qmUsjQAkBOK0Mj2BB1Kmu3GmYbKbksXAi5LAtw8W+q D8dB3Bh7mbQtGphosQvZjDA8Jj9ZtJ4y6gRKkXLeyfU635zkLswTzdK0uF/Tk2Tp2yhN LVCA== X-Gm-Message-State: AOJu0YwnnbV6Eq/JWKPuOoq/2Te0Auw1CacIPJTI9mqpSW6g/MzvjTKm FEgXAoYK3vBzorp2ScPSzS0itu7GSfZBFtf8Oj4vsi6uUQ4sP5OOL7KyJesHyg== X-Google-Smtp-Source: AGHT+IGVjbfx+dgJA2wbD9MRyfwRvwDaPUuZ8EQ54JR12VYQ5TreN5Z+GN2o1FR+hWh1xxRLAdwFNQ== X-Received: by 2002:a05:6a00:4b84:b0:6de:144e:5adb with SMTP id ks4-20020a056a004b8400b006de144e5adbmr2032890pfb.9.1706551251690; Mon, 29 Jan 2024 10:00:51 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id ld10-20020a056a004f8a00b006ddce8e110bsm6145946pfb.128.2024.01.29.10.00.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jan 2024 10:00:51 -0800 (PST) From: Kees Cook To: Marco Elver Cc: Kees Cook , Justin Stitt , Fangrui Song , Nathan Chancellor , Masahiro Yamada , Bill Wendling , Nicolas Schier , Andrey Konovalov , linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Subject: [PATCH 6/6] ubsan: Get x86_64 booting with unsigned wrap-around sanitizer Date: Mon, 29 Jan 2024 10:00:43 -0800 Message-Id: <20240129180046.3774731-6-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240129175033.work.813-kees@kernel.org> References: <20240129175033.work.813-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=8826; i=keescook@chromium.org; h=from:subject; bh=vyr6Rwi/L4pPWBag7CWmhgakv5Jllyh1RjY3A2J+kW0=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlt+fL+5j6RyjG7DFwNYFk5rjZHC5PVhYr7Nsno 6c43/+/XJuJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZbfnywAKCRCJcvTf3G3A JoneD/4yJSut/tjh9xof+uxlmfu6lhp6Y/pPhiztmsHBZs6eoYUT5ZgHTVbbmBCR9BsSXIWNSjP qQRttiPvGPUoWvplm6FkkD5jsTkUKrBbE+k8sSQzgTn8JGKu/zUBie2nr0Med5fXmSe/vN08qsi 6NK61jypgUeb2pM9WTX0jaw6pcbBEn4lF6k7J9JsC0x3zwePDBCvuYQnTOfPiOli9MH8sE2m7Ux CO4MSJi9o4ougznPuSqbbGqU1E66GOz7koREFMXIb1hxsiwxDRRr19kak0MRMzx3n9jgCYWfBRF vah4SUGIyPSJcpltYbg1tl1kIS0OOKXP5p26TmxyfdfDKDruPJm9VEd6FtHAPwdS/eSJxkJcuCD mVgoUmh/5fFvP0DwsamhMn+6bc9vqdGWZ/pusIr7JG/nw3jJUMeFUXwryR9STu2HBsYm8DB5lQR 4zpO3NtQnHldS7UYyRvT3efNH9qZP/0umPzlasK6u7ZfHCWAHDUV5Eed5rMtTxywEAzhyJsrLC8 y/7vEA/t4Dv/JlU0RJLd6INlXGEjCUXhx0A/U0AfUoiAm6c/JxqoU4rxP25AB28e1zYVIVpZeTV cxTMOVYc5CXqZpPKWtOY2c9MNUgfQJrWGICCS4DqqTzbGmHoULukYpOnlGBqwm07O83s0pTGgX/ lBYuk1BRX+RxxrA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 In order to get x86_64 booting with the unsigned wrap-around sanitizer, several kernel areas that depend heavily on unsigned wrap-around need to be disabled entirely (with "UBSAN_UNSIGNED_WRAP := n"). As we fine-tune the sanitizer, we can revisit these and perform finer grain annotations. Signed-off-by: Kees Cook --- arch/x86/kernel/Makefile | 1 + arch/x86/kernel/apic/Makefile | 1 + arch/x86/mm/Makefile | 1 + arch/x86/mm/pat/Makefile | 1 + crypto/Makefile | 1 + drivers/acpi/Makefile | 1 + kernel/Makefile | 1 + kernel/locking/Makefile | 1 + kernel/rcu/Makefile | 1 + kernel/sched/Makefile | 1 + lib/Kconfig.ubsan | 5 +++-- lib/Makefile | 1 + lib/crypto/Makefile | 1 + lib/crypto/mpi/Makefile | 1 + lib/zlib_deflate/Makefile | 1 + lib/zstd/Makefile | 2 ++ mm/Makefile | 1 + net/core/Makefile | 1 + net/ipv4/Makefile | 1 + 19 files changed, 22 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 0000325ab98f..de93f8b8a149 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -30,6 +30,7 @@ KASAN_SANITIZE_sev.o := n # With some compiler versions the generated code results in boot hangs, caused # by several compilation units. To be safe, disable all instrumentation. +UBSAN_WRAP_UNSIGNED := n KCSAN_SANITIZE := n KMSAN_SANITIZE_head$(BITS).o := n KMSAN_SANITIZE_nmi.o := n diff --git a/arch/x86/kernel/apic/Makefile b/arch/x86/kernel/apic/Makefile index 3bf0487cf3b7..aa97b5830b64 100644 --- a/arch/x86/kernel/apic/Makefile +++ b/arch/x86/kernel/apic/Makefile @@ -6,6 +6,7 @@ # Leads to non-deterministic coverage that is not a function of syscall inputs. # In particular, smp_apic_timer_interrupt() is called in random places. KCOV_INSTRUMENT := n +UBSAN_WRAP_UNSIGNED := n obj-$(CONFIG_X86_LOCAL_APIC) += apic.o apic_common.o apic_noop.o ipi.o vector.o init.o obj-y += hw_nmi.o diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile index c80febc44cd2..7a43466d4581 100644 --- a/arch/x86/mm/Makefile +++ b/arch/x86/mm/Makefile @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-2.0 # Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c +UBSAN_WRAP_UNSIGNED := n KCOV_INSTRUMENT_tlb.o := n KCOV_INSTRUMENT_mem_encrypt.o := n KCOV_INSTRUMENT_mem_encrypt_amd.o := n diff --git a/arch/x86/mm/pat/Makefile b/arch/x86/mm/pat/Makefile index ea464c995161..281a5786c5ea 100644 --- a/arch/x86/mm/pat/Makefile +++ b/arch/x86/mm/pat/Makefile @@ -1,4 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 +UBSAN_WRAP_UNSIGNED := n obj-y := set_memory.o memtype.o diff --git a/crypto/Makefile b/crypto/Makefile index 408f0a1f9ab9..c7b23d99e715 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -2,6 +2,7 @@ # # Cryptographic API # +UBSAN_WRAP_UNSIGNED := n obj-$(CONFIG_CRYPTO) += crypto.o crypto-y := api.o cipher.o compress.o diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile index 12ef8180d272..92a8e8563b1b 100644 --- a/drivers/acpi/Makefile +++ b/drivers/acpi/Makefile @@ -2,6 +2,7 @@ # # Makefile for the Linux ACPI interpreter # +UBSAN_WRAP_UNSIGNED := n ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT diff --git a/kernel/Makefile b/kernel/Makefile index ce105a5558fc..1b31aa19b4fb 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -2,6 +2,7 @@ # # Makefile for the linux kernel. # +UBSAN_WRAP_UNSIGNED := n obj-y = fork.o exec_domain.o panic.o \ cpu.o exit.o softirq.o resource.o \ diff --git a/kernel/locking/Makefile b/kernel/locking/Makefile index 0db4093d17b8..dd6492509596 100644 --- a/kernel/locking/Makefile +++ b/kernel/locking/Makefile @@ -2,6 +2,7 @@ # Any varying coverage in these files is non-deterministic # and is generally not a function of system call inputs. KCOV_INSTRUMENT := n +UBSAN_WRAP_UNSIGNED := n obj-y += mutex.o semaphore.o rwsem.o percpu-rwsem.o diff --git a/kernel/rcu/Makefile b/kernel/rcu/Makefile index 0cfb009a99b9..305c13042633 100644 --- a/kernel/rcu/Makefile +++ b/kernel/rcu/Makefile @@ -2,6 +2,7 @@ # Any varying coverage in these files is non-deterministic # and is generally not a function of system call inputs. KCOV_INSTRUMENT := n +UBSAN_WRAP_UNSIGNED := n ifeq ($(CONFIG_KCSAN),y) KBUILD_CFLAGS += -g -fno-omit-frame-pointer diff --git a/kernel/sched/Makefile b/kernel/sched/Makefile index 976092b7bd45..e487b0e86c2e 100644 --- a/kernel/sched/Makefile +++ b/kernel/sched/Makefile @@ -7,6 +7,7 @@ ccflags-y += $(call cc-disable-warning, unused-but-set-variable) # These files are disabled because they produce non-interesting flaky coverage # that is not a function of syscall inputs. E.g. involuntary context switches. KCOV_INSTRUMENT := n +UBSAN_WRAP_UNSIGNED := n # Disable KCSAN to avoid excessive noise and performance degradation. To avoid # false positives ensure barriers implied by sched functions are instrumented. diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 0611120036eb..54981e717355 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -132,8 +132,9 @@ config UBSAN_UNSIGNED_WRAP depends on !COMPILE_TEST help This option enables -fsanitize=unsigned-integer-overflow which checks - for wrap-around of any arithmetic operations with unsigned integers. This - currently causes x86 to fail to boot. + for wrap-around of any arithmetic operations with unsigned integers. + Given the history of C and the many common code patterns involving + unsigned wrap-around, this is a very noisy option right now. config UBSAN_POINTER_WRAP bool "Perform checking for pointer arithmetic wrap-around" diff --git a/lib/Makefile b/lib/Makefile index 6b09731d8e61..2b7c36e9291f 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -2,6 +2,7 @@ # # Makefile for some libs needed in the kernel. # +UBSAN_WRAP_UNSIGNED := n ccflags-remove-$(CONFIG_FUNCTION_TRACER) += $(CC_FLAGS_FTRACE) diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 8d1446c2be71..fce88a337a53 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -1,4 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 +UBSAN_WRAP_UNSIGNED := n obj-$(CONFIG_CRYPTO_LIB_UTILS) += libcryptoutils.o libcryptoutils-y := memneq.o utils.o diff --git a/lib/crypto/mpi/Makefile b/lib/crypto/mpi/Makefile index 6e6ef9a34fe1..ce95653915b1 100644 --- a/lib/crypto/mpi/Makefile +++ b/lib/crypto/mpi/Makefile @@ -2,6 +2,7 @@ # # MPI multiprecision maths library (from gpg) # +UBSAN_WRAP_UNSIGNED := n obj-$(CONFIG_MPILIB) = mpi.o diff --git a/lib/zlib_deflate/Makefile b/lib/zlib_deflate/Makefile index 2622e03c0b94..5d71690554bb 100644 --- a/lib/zlib_deflate/Makefile +++ b/lib/zlib_deflate/Makefile @@ -6,6 +6,7 @@ # This is the compression code, see zlib_inflate for the # decompression code. # +UBSAN_WRAP_UNSIGNED := n obj-$(CONFIG_ZLIB_DEFLATE) += zlib_deflate.o diff --git a/lib/zstd/Makefile b/lib/zstd/Makefile index 20f08c644b71..7a187cb08c1f 100644 --- a/lib/zstd/Makefile +++ b/lib/zstd/Makefile @@ -8,6 +8,8 @@ # in the COPYING file in the root directory of this source tree). # You may select, at your option, one of the above-listed licenses. # ################################################################ +UBSAN_WRAP_UNSIGNED := n + obj-$(CONFIG_ZSTD_COMPRESS) += zstd_compress.o obj-$(CONFIG_ZSTD_DECOMPRESS) += zstd_decompress.o obj-$(CONFIG_ZSTD_COMMON) += zstd_common.o diff --git a/mm/Makefile b/mm/Makefile index e4b5b75aaec9..cacbdd1a2d40 100644 --- a/mm/Makefile +++ b/mm/Makefile @@ -2,6 +2,7 @@ # # Makefile for the linux memory manager. # +UBSAN_WRAP_UNSIGNED := n KASAN_SANITIZE_slab_common.o := n KASAN_SANITIZE_slub.o := n diff --git a/net/core/Makefile b/net/core/Makefile index 821aec06abf1..501d7300da83 100644 --- a/net/core/Makefile +++ b/net/core/Makefile @@ -2,6 +2,7 @@ # # Makefile for the Linux networking core. # +UBSAN_WRAP_UNSIGNED := n obj-y := sock.o request_sock.o skbuff.o datagram.o stream.o scm.o \ gen_stats.o gen_estimator.o net_namespace.o secure_seq.o \ diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile index ec36d2ec059e..c738d463bb7e 100644 --- a/net/ipv4/Makefile +++ b/net/ipv4/Makefile @@ -2,6 +2,7 @@ # # Makefile for the Linux TCP/IP (INET) layer. # +UBSAN_WRAP_UNSIGNED := n obj-y := route.o inetpeer.o protocol.o \ ip_input.o ip_fragment.o ip_forward.o ip_options.o \