From: Marco Elver <elver@google.com>
To: George-Aurelian Popescu <georgepope@google.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>,
	Michal Marek <michal.lkml@markovi.net>,
	Nathan Chancellor <natechancellor@gmail.com>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Dmitry Vyukov <dvyukov@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Arnd Bergmann <arnd@arndb.de>,
	LKML <linux-kernel@vger.kernel.org>,
	clang-built-linux <clang-built-linux@googlegroups.com>,
	David Brazdil <dbrazdil@google.com>,
	George Popescu <georgepope@android.com>
Subject: Re: [PATCH] ubsan: introducing CONFIG_UBSAN_LOCAL_BOUNDS for Clang
Date: Mon, 21 Sep 2020 11:10:21 +0200
Message-ID: <CANpmjNO8YNROJsOj+n=hWj=2-LqebBQdZRks1KKQ3Scd05fLjg@mail.gmail.com>
In-Reply-To: <20200921075131.1334333-1-georgepope@google.com>

On Mon, 21 Sep 2020 at 09:51, George-Aurelian Popescu
<georgepope@google.com> wrote:
>
> From: George Popescu <georgepope@android.com>
>
> When the kernel is compiled with Clang, -fsanitize=bounds expands to
> -fsanitize=array-bounds and -fsanitize=local-bounds.
>
> Enabling -fsanitize=local-bounds with Clang has the unfortunate
> side-effect of inserting traps; this goes back to its original intent,
> which was as a hardening and not a debugging feature [1]. The same feature
> made its way into -fsanitize=bounds, but the traps remained. For that
> reason, -fsanitize=bounds was split into 'array-bounds' and
> 'local-bounds' [2].
>
> Since 'local-bounds' doesn't behave like a normal sanitizer, enable
> it with Clang only if trapping behaviour was requested by
> CONFIG_UBSAN_TRAP=y.
>
> Add the UBSAN_LOCAL_BOUNDS config to Kconfig.ubsan to enable the
> 'local-bounds' option by default when UBSAN_TRAP is enabled.
>
> [1] http://lists.llvm.org/pipermail/llvm-dev/2012-May/049972.html
> [2] http://lists.llvm.org/pipermail/cfe-commits/Week-of-Mon-20131021/091536.html
>
> Suggested-by: Marco Elver <elver@google.com>
> Reviewed-by: David Brazdil <dbrazdil@google.com>
> Signed-off-by: George Popescu <georgepope@android.com>

Reviewed-by: Marco Elver <elver@google.com>

Thank you!

> ---
> v1: changed the name of the config to UBSAN_LOCAL_BOUNDS in Kconfig

This version is v2, so this should have said "v2: <summary of what
changed>". The subject should have said "PATCH v2" (you can get this
by passing --reroll-count=2 to git).

(I also see you fixed the Signed-off-by/From inconsistency.)

> ---
> ---
>  lib/Kconfig.ubsan      | 14 ++++++++++++++
>  scripts/Makefile.ubsan | 10 +++++++++-
>  2 files changed, 23 insertions(+), 1 deletion(-)
>
> diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
> index 774315de555a..58f8d03d037b 100644
> --- a/lib/Kconfig.ubsan
> +++ b/lib/Kconfig.ubsan
> @@ -47,6 +47,20 @@ config UBSAN_BOUNDS
>           to the {str,mem}*cpy() family of functions (that is addressed
>           by CONFIG_FORTIFY_SOURCE).
>
> +config UBSAN_LOCAL_BOUNDS
> +       bool "Perform array local bounds checking"
> +       depends on UBSAN_TRAP
> +       depends on CC_IS_CLANG
> +       depends on !UBSAN_KCOV_BROKEN
> +       help
> +         This option enables -fsanitize=local-bounds which traps when an
> +         exception/error is detected. Therefore, it should be enabled only
> +         if trapping is expected.
> +         Enabling this option detects errors due to accesses through a
> +         pointer that is derived from an object of a statically-known size,
> +         where an added offset (which may not be known statically) is
> +         out-of-bounds.
> +
>  config UBSAN_MISC
>         bool "Enable all other Undefined Behavior sanity checks"
>         default UBSAN
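
Review bot: The new UBSAN_LOCAL_BOUNDS entry has no "default" line, so as a bool it stays off unless selected by hand, while the commit message says the option is enabled "by default when UBSAN_TRAP is enabled". Either add something like "default UBSAN_TRAP" under the "depends on" lines or reword the commit message to say the option is opt-in. The help text would also read better with a blank line between its two paragraphs, and "exception/error" could name what is actually detected, which the second paragraph already describes (an out-of-bounds offset from an object of statically-known size).
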
> diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
> index 27348029b2b8..4e3fff0745e8 100644
> --- a/scripts/Makefile.ubsan
> +++ b/scripts/Makefile.ubsan
> @@ -4,7 +4,15 @@ ifdef CONFIG_UBSAN_ALIGNMENT
>  endif
>
>  ifdef CONFIG_UBSAN_BOUNDS
> -      CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
> +      ifdef CONFIG_CC_IS_CLANG
> +            CFLAGS_UBSAN += -fsanitize=array-bounds
> +      else
> +            CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
> +      endif
> +endif
> +
> +ifdef CONFIG_UBSAN_LOCAL_BOUNDS
> +      CFLAGS_UBSAN += -fsanitize=local-bounds
>  endif
>
>  ifdef CONFIG_UBSAN_MISC
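
Review bot: The "ifdef CONFIG_CC_IS_CLANG" branch carries no comment saying why Clang gets -fsanitize=array-bounds instead of -fsanitize=bounds; a one-line note that Clang's "bounds" also implies the trapping "local-bounds" would save the next reader a trip to the commit log. Both Clang-side flags are also added without the "$(call cc-option, ...)" wrapper that the GCC branch keeps, so an unsupported flag fails the build instead of being dropped; if that is the intent, say so. Finally, the CONFIG_UBSAN_LOCAL_BOUNDS block sits outside "ifdef CONFIG_UBSAN_BOUNDS" and the Kconfig entry does not depend on UBSAN_BOUNDS, so local-bounds can be enabled without array-bounds; confirm that combination is meant to be allowed.
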
> --
> 2.28.0.681.g6f77f65b4e-goog
>
