From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Ard Biesheuvel <ardb@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Masahiro Yamada <masahiroy@kernel.org>,
Michal Marek <michal.lkml@markovi.net>,
Nathan Chancellor <natechancellor@gmail.com>,
Nick Desaulniers <ndesaulniers@google.com>,
Marco Elver <elver@google.com>,
Randy Dunlap <rdunlap@infradead.org>,
Dmitry Vyukov <dvyukov@google.com>,
George Popescu <georgepope@android.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Peter Oberparleiter <oberpar@linux.ibm.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
clang-built-linux@googlegroups.com, linux-kbuild@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/4] ubsan: Move cc-option tests into Kconfig
Date: Fri, 2 Oct 2020 15:15:24 -0700 [thread overview]
Message-ID: <20201002221527.177500-2-keescook@chromium.org> (raw)
In-Reply-To: <20201002221527.177500-1-keescook@chromium.org>
Instead of doing if/endif blocks with cc-option calls in the UBSAN
Makefile, move all the tests into Kconfig and use the Makefile to
collect the results.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/lkml/CAHk-=wjPasyJrDuwDnpHJS2TuQfExwe=px-SzLeN8GFMAQJPmQ@mail.gmail.com/
Signed-off-by: Kees Cook <keescook@chromium.org>
---
lib/Kconfig.ubsan | 48 +++++++++++++++++++++++++++++++++++++++-
scripts/Makefile.ubsan | 50 ++++++++++++++----------------------------
2 files changed, 64 insertions(+), 34 deletions(-)
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
index 58f8d03d037b..c0b801871e0b 100644
--- a/lib/Kconfig.ubsan
+++ b/lib/Kconfig.ubsan
@@ -36,10 +36,17 @@ config UBSAN_KCOV_BROKEN
See https://bugs.llvm.org/show_bug.cgi?id=45831 for the status
in newer releases.
+config CC_HAS_UBSAN_BOUNDS
+ def_bool $(cc-option,-fsanitize=bounds)
+
+config CC_HAS_UBSAN_ARRAY_BOUNDS
+ def_bool $(cc-option,-fsanitize=array-bounds)
+
config UBSAN_BOUNDS
bool "Perform array index bounds checking"
default UBSAN
depends on !UBSAN_KCOV_BROKEN
+ depends on CC_HAS_UBSAN_ARRAY_BOUNDS || CC_HAS_UBSAN_BOUNDS
help
This option enables detection of directly indexed out of bounds
array accesses, where the array size is known at compile time.
@@ -47,11 +54,17 @@ config UBSAN_BOUNDS
to the {str,mem}*cpy() family of functions (that is addressed
by CONFIG_FORTIFY_SOURCE).
+config CC_ARG_UBSAN_BOUNDS
+ string
+ default "-fsanitize=array-bounds" if CC_HAS_UBSAN_ARRAY_BOUNDS
+ default "-fsanitize=bounds"
+ depends on UBSAN_BOUNDS
+
config UBSAN_LOCAL_BOUNDS
bool "Perform array local bounds checking"
depends on UBSAN_TRAP
- depends on CC_IS_CLANG
depends on !UBSAN_KCOV_BROKEN
+ depends on $(cc-option,-fsanitize=local-bounds)
help
This option enables -fsanitize=local-bounds which traps when an
exception/error is detected. Therefore, it should be enabled only
@@ -69,6 +82,38 @@ config UBSAN_MISC
own Kconfig options. Disable this if you only want to have
individually selected checks.
+config UBSAN_SHIFT
+ def_bool UBSAN_MISC
+ depends on $(cc-option,-fsanitize=shift)
+
+config UBSAN_DIV_ZERO
+ def_bool UBSAN_MISC
+ depends on $(cc-option,-fsanitize=integer-divide-by-zero)
+
+config UBSAN_UNREACHABLE
+ def_bool UBSAN_MISC
+ depends on $(cc-option,-fsanitize=unreachable)
+
+config UBSAN_SIGNED_OVERFLOW
+ def_bool UBSAN_MISC
+ depends on $(cc-option,-fsanitize=signed-integer-overflow)
+
+config UBSAN_UNSIGNED_OVERFLOW
+ def_bool UBSAN_MISC
+ depends on $(cc-option,-fsanitize=unsigned-integer-overflow)
+
+config UBSAN_OBJECT_SIZE
+ def_bool UBSAN_MISC
+ depends on $(cc-option,-fsanitize=object-size)
+
+config UBSAN_BOOL
+ def_bool UBSAN_MISC
+ depends on $(cc-option,-fsanitize=bool)
+
+config UBSAN_ENUM
+ def_bool UBSAN_MISC
+ depends on $(cc-option,-fsanitize=enum)
+
config UBSAN_SANITIZE_ALL
bool "Enable instrumentation for the entire kernel"
depends on ARCH_HAS_UBSAN_SANITIZE_ALL
@@ -89,6 +134,7 @@ config UBSAN_ALIGNMENT
bool "Enable checks for pointers alignment"
default !HAVE_EFFICIENT_UNALIGNED_ACCESS
depends on !UBSAN_TRAP
+ depends on $(cc-option,-fsanitize=alignment)
help
This option enables the check of unaligned memory accesses.
Enabling this option on architectures that support unaligned
diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
index 9716dab06bc7..72862da47baf 100644
--- a/scripts/Makefile.ubsan
+++ b/scripts/Makefile.ubsan
@@ -1,37 +1,21 @@
# SPDX-License-Identifier: GPL-2.0
-export CFLAGS_UBSAN :=
+# -fsanitize=* options makes GCC less smart than usual and
+# increases the number of 'maybe-uninitialized' false-positives.
+ubsan-cflags-$(CONFIG_UBSAN) += $(call cc-disable-warning, maybe-uninitialized)
-ifdef CONFIG_UBSAN_ALIGNMENT
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=alignment)
-endif
+# Enable available and selected UBSAN features.
+ubsan-cflags-$(CONFIG_UBSAN_ALIGNMENT) += -fsanitize=alignment
+ubsan-cflags-$(CONFIG_UBSAN_BOUNDS) += $(CONFIG_CC_ARG_UBSAN_BOUNDS)
+ubsan-cflags-$(CONFIG_UBSAN_LOCAL_BOUNDS) += -fsanitize=local-bounds
+ubsan-cflags-$(CONFIG_UBSAN_SHIFT) += -fsanitize=shift
+ubsan-cflags-$(CONFIG_UBSAN_DIV_ZERO) += -fsanitize=integer-divide-by-zero
+ubsan-cflags-$(CONFIG_UBSAN_UNREACHABLE) += -fsanitize=unreachable
+ubsan-cflags-$(CONFIG_UBSAN_SIGNED_OVERFLOW) += -fsanitize=signed-integer-overflow
+ubsan-cflags-$(CONFIG_UBSAN_UNSIGNED_OVERFLOW) += -fsanitize=unsigned-integer-overflow
+ubsan-cflags-$(CONFIG_UBSAN_OBJECT_SIZE) += -fsanitize=object-size
+ubsan-cflags-$(CONFIG_UBSAN_BOOL) += -fsanitize=bool
+ubsan-cflags-$(CONFIG_UBSAN_ENUM) += -fsanitize=enum
+ubsan-cflags-$(CONFIG_UBSAN_TRAP) += -fsanitize-undefined-trap-on-error
-ifdef CONFIG_UBSAN_BOUNDS
- ifdef CONFIG_CC_IS_CLANG
- CFLAGS_UBSAN += -fsanitize=array-bounds
- else
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
- endif
-endif
-
-ifdef CONFIG_UBSAN_LOCAL_BOUNDS
- CFLAGS_UBSAN += -fsanitize=local-bounds
-endif
-
-ifdef CONFIG_UBSAN_MISC
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift)
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero)
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable)
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow)
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size)
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=bool)
- CFLAGS_UBSAN += $(call cc-option, -fsanitize=enum)
-endif
-
-ifdef CONFIG_UBSAN_TRAP
- CFLAGS_UBSAN += $(call cc-option, -fsanitize-undefined-trap-on-error)
-endif
-
- # -fsanitize=* options makes GCC less smart than usual and
- # increase number of 'maybe-uninitialized false-positives
- CFLAGS_UBSAN += $(call cc-option, -Wno-maybe-uninitialized)
+export CFLAGS_UBSAN := $(ubsan-cflags-y)
--
2.25.1
next prev parent reply other threads:[~2020-10-02 22:15 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-02 22:15 [PATCH 0/4] Clean up UBSAN Makefile Kees Cook
2020-10-02 22:15 ` Kees Cook [this message]
2020-10-04 7:08 ` [PATCH 1/4] ubsan: Move cc-option tests into Kconfig Nathan Chancellor
2020-10-06 6:01 ` Kees Cook
2020-10-02 22:15 ` [PATCH 2/4] ubsan: Disable object-size sanitizer under GCC Kees Cook
2020-10-04 7:10 ` Nathan Chancellor
2020-10-02 22:15 ` [PATCH 3/4] ubsan: Force -Wno-maybe-uninitialized only for GCC Kees Cook
2020-10-04 7:16 ` Nathan Chancellor
2020-10-06 6:03 ` Kees Cook
2020-10-02 22:15 ` [PATCH 4/4] ubsan: Disable UBSAN_TRAP for all*config Kees Cook
2020-10-04 7:16 ` Nathan Chancellor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201002221527.177500-2-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=clang-built-linux@googlegroups.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=georgepope@android.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=michal.lkml@markovi.net \
--cc=natechancellor@gmail.com \
--cc=ndesaulniers@google.com \
--cc=oberpar@linux.ibm.com \
--cc=rdunlap@infradead.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).