From: Will Deacon <will@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Elena Petrova <lenaptr@google.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Dan Carpenter <dan.carpenter@oracle.com>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Arnd Bergmann <arnd@arndb.de>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v2 1/3] ubsan: Add trap instrumentation option
Date: Mon, 16 Dec 2019 10:26:56 +0000 [thread overview]
Message-ID: <20191216102655.GA11082@willie-the-truck> (raw)
In-Reply-To: <20191121181519.28637-2-keescook@chromium.org>
Hi Kees,
On Thu, Nov 21, 2019 at 10:15:17AM -0800, Kees Cook wrote:
> The Undefined Behavior Sanitizer can operate in two modes: warning
> reporting mode via lib/ubsan.c handler calls, or trap mode, which uses
> __builtin_trap() as the handler. Using lib/ubsan.c means the kernel
> image is about 5% larger (due to all the debugging text and reporting
> structures to capture details about the warning conditions). Using the
> trap mode, the image size changes are much smaller, though at the loss
> of the "warning only" mode.
>
> In order to give greater flexibility to system builders that want
> minimal changes to image size and are prepared to deal with kernel code
> being aborted and potentially destabilizing the system, this introduces
> CONFIG_UBSAN_TRAP. The resulting image sizes comparison:
>
> text data bss dec hex filename
> 19533663 6183037 18554956 44271656 2a38828 vmlinux.stock
> 19991849 7618513 18874448 46484810 2c54d4a vmlinux.ubsan
> 19712181 6284181 18366540 44362902 2a4ec96 vmlinux.ubsan-trap
>
> CONFIG_UBSAN=y: image +4.8% (text +2.3%, data +18.9%)
> CONFIG_UBSAN_TRAP=y: image +0.2% (text +0.9%, data +1.6%)
>
> Additionally adjusts the CONFIG_UBSAN Kconfig help for clarity and
> removes the mention of non-existing boot param "ubsan_handle".
>
> Suggested-by: Elena Petrova <lenaptr@google.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> lib/Kconfig.ubsan | 22 ++++++++++++++++++----
> lib/Makefile | 2 ++
> scripts/Makefile.ubsan | 9 +++++++--
> 3 files changed, 27 insertions(+), 6 deletions(-)
>
> diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
> index 0e04fcb3ab3d..9deb655838b0 100644
> --- a/lib/Kconfig.ubsan
> +++ b/lib/Kconfig.ubsan
> @@ -5,11 +5,25 @@ config ARCH_HAS_UBSAN_SANITIZE_ALL
> config UBSAN
> bool "Undefined behaviour sanity checker"
> help
> - This option enables undefined behaviour sanity checker
> + This option enables the Undefined Behaviour sanity checker.
> Compile-time instrumentation is used to detect various undefined
> - behaviours in runtime. Various types of checks may be enabled
> - via boot parameter ubsan_handle
> - (see: Documentation/dev-tools/ubsan.rst).
> + behaviours at runtime. For more details, see:
> + Documentation/dev-tools/ubsan.rst
> +
> +config UBSAN_TRAP
> + bool "On Sanitizer warnings, abort the running kernel code"
> + depends on UBSAN
> + depends on $(cc-option, -fsanitize-undefined-trap-on-error)
> + help
> + Building kernels with Sanitizer features enabled tends to grow
> + the kernel size by around 5%, due to adding all the debugging
> + text on failure paths. To avoid this, Sanitizer instrumentation
> + can just issue a trap. This reduces the kernel size overhead but
> + turns all warnings (including potentially harmless conditions)
> + into full exceptions that abort the running kernel code
> + (regardless of context, locks held, etc), which may destabilize
> + the system. For some system builders this is an acceptable
> + trade-off.
Slight nit, but I wonder if it would make sense to move all this under a
'menuconfig UBSAN' entry, so the dependencies can be dropped? Then you could
have all of the suboptions default to on and basically choose which
individual compiler options to disable based on your own preferences.
What do you think?
Will
next prev parent reply other threads:[~2019-12-16 10:27 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-21 18:15 [PATCH v2 0/3] ubsan: Split out bounds checker Kees Cook
2019-11-21 18:15 ` [PATCH v2 1/3] ubsan: Add trap instrumentation option Kees Cook
2019-12-16 10:26 ` Will Deacon [this message]
2019-12-18 0:08 ` Kees Cook
2019-11-21 18:15 ` [PATCH v2 2/3] ubsan: Split "bounds" checker from other options Kees Cook
2019-11-21 18:15 ` [PATCH v2 3/3] lkdtm/bugs: Add arithmetic overflow and array bounds checks Kees Cook
2019-11-22 9:07 ` [PATCH v2 0/3] ubsan: Split out bounds checker Dmitry Vyukov
2019-11-22 16:52 ` Kees Cook
2019-11-27 5:42 ` Kees Cook
2019-11-27 6:54 ` Dmitry Vyukov
2019-11-27 9:34 ` Dmitry Vyukov
2019-11-27 17:59 ` Kees Cook
2019-11-28 10:38 ` Dmitry Vyukov
2019-11-28 16:14 ` Qian Cai
2019-11-28 13:10 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191216102655.GA11082@willie-the-truck \
--to=will@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=dan.carpenter@oracle.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=gustavo@embeddedor.com \
--cc=kasan-dev@googlegroups.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=lenaptr@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).