From: Kees Cook <keescook@chromium.org>
To: linux-hardening@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
x86@kernel.org, netdev@vger.kernel.org,
linux-crypto@vger.kernel.org, Fangrui Song <maskray@google.com>,
Justin Stitt <justinstitt@google.com>,
Nathan Chancellor <nathan@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Nicolas Schier <nicolas@fjasle.eu>,
Bill Wendling <morbo@google.com>, Marco Elver <elver@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org,
llvm@lists.linux.dev, linux-doc@vger.kernel.org,
kasan-dev@googlegroups.com, linux-acpi@vger.kernel.org
Subject: [PATCH v2 6/6] ubsan: Get x86_64 booting with unsigned wrap-around sanitizer
Date: Fri, 2 Feb 2024 02:16:39 -0800 [thread overview]
Message-ID: <20240202101642.156588-6-keescook@chromium.org> (raw)
In-Reply-To: <20240202101311.it.893-kees@kernel.org>
In order to get x86_64 booting at all with the unsigned wrap-around
sanitizer, instrumentation needs to be disabled entirely for several
kernel areas that depend heavily on unsigned wrap-around. As we fine-tune
the sanitizer, we can revisit these and perform finer grain annotations.
The boot is still extremely noisy, but gets us to a common point where
we can continue experimenting with the sanitizer.
Cc: x86@kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/apic/Makefile | 1 +
arch/x86/mm/Makefile | 1 +
arch/x86/mm/pat/Makefile | 1 +
crypto/Makefile | 1 +
drivers/acpi/Makefile | 1 +
kernel/Makefile | 1 +
kernel/locking/Makefile | 1 +
kernel/rcu/Makefile | 1 +
kernel/sched/Makefile | 1 +
lib/Kconfig.ubsan | 5 +++--
lib/Makefile | 1 +
lib/crypto/Makefile | 1 +
lib/crypto/mpi/Makefile | 1 +
lib/zlib_deflate/Makefile | 1 +
lib/zstd/Makefile | 2 ++
mm/Makefile | 1 +
net/core/Makefile | 1 +
net/ipv4/Makefile | 1 +
19 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index 0000325ab98f..de93f8b8a149 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -30,6 +30,7 @@ KASAN_SANITIZE_sev.o := n
# With some compiler versions the generated code results in boot hangs, caused
# by several compilation units. To be safe, disable all instrumentation.
+UBSAN_WRAP_UNSIGNED := n
KCSAN_SANITIZE := n
KMSAN_SANITIZE_head$(BITS).o := n
KMSAN_SANITIZE_nmi.o := n
diff --git a/arch/x86/kernel/apic/Makefile b/arch/x86/kernel/apic/Makefile
index 3bf0487cf3b7..aa97b5830b64 100644
--- a/arch/x86/kernel/apic/Makefile
+++ b/arch/x86/kernel/apic/Makefile
@@ -6,6 +6,7 @@
# Leads to non-deterministic coverage that is not a function of syscall inputs.
# In particular, smp_apic_timer_interrupt() is called in random places.
KCOV_INSTRUMENT := n
+UBSAN_WRAP_UNSIGNED := n
obj-$(CONFIG_X86_LOCAL_APIC) += apic.o apic_common.o apic_noop.o ipi.o vector.o init.o
obj-y += hw_nmi.o
diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
index c80febc44cd2..7a43466d4581 100644
--- a/arch/x86/mm/Makefile
+++ b/arch/x86/mm/Makefile
@@ -1,5 +1,6 @@
# SPDX-License-Identifier: GPL-2.0
# Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c
+UBSAN_WRAP_UNSIGNED := n
KCOV_INSTRUMENT_tlb.o := n
KCOV_INSTRUMENT_mem_encrypt.o := n
KCOV_INSTRUMENT_mem_encrypt_amd.o := n
diff --git a/arch/x86/mm/pat/Makefile b/arch/x86/mm/pat/Makefile
index ea464c995161..281a5786c5ea 100644
--- a/arch/x86/mm/pat/Makefile
+++ b/arch/x86/mm/pat/Makefile
@@ -1,4 +1,5 @@
# SPDX-License-Identifier: GPL-2.0
+UBSAN_WRAP_UNSIGNED := n
obj-y := set_memory.o memtype.o
diff --git a/crypto/Makefile b/crypto/Makefile
index 408f0a1f9ab9..c7b23d99e715 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -2,6 +2,7 @@
#
# Cryptographic API
#
+UBSAN_WRAP_UNSIGNED := n
obj-$(CONFIG_CRYPTO) += crypto.o
crypto-y := api.o cipher.o compress.o
diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile
index 12ef8180d272..92a8e8563b1b 100644
--- a/drivers/acpi/Makefile
+++ b/drivers/acpi/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the Linux ACPI interpreter
#
+UBSAN_WRAP_UNSIGNED := n
ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT
diff --git a/kernel/Makefile b/kernel/Makefile
index ce105a5558fc..1b31aa19b4fb 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the linux kernel.
#
+UBSAN_WRAP_UNSIGNED := n
obj-y = fork.o exec_domain.o panic.o \
cpu.o exit.o softirq.o resource.o \
diff --git a/kernel/locking/Makefile b/kernel/locking/Makefile
index 0db4093d17b8..dd6492509596 100644
--- a/kernel/locking/Makefile
+++ b/kernel/locking/Makefile
@@ -2,6 +2,7 @@
# Any varying coverage in these files is non-deterministic
# and is generally not a function of system call inputs.
KCOV_INSTRUMENT := n
+UBSAN_WRAP_UNSIGNED := n
obj-y += mutex.o semaphore.o rwsem.o percpu-rwsem.o
diff --git a/kernel/rcu/Makefile b/kernel/rcu/Makefile
index 0cfb009a99b9..305c13042633 100644
--- a/kernel/rcu/Makefile
+++ b/kernel/rcu/Makefile
@@ -2,6 +2,7 @@
# Any varying coverage in these files is non-deterministic
# and is generally not a function of system call inputs.
KCOV_INSTRUMENT := n
+UBSAN_WRAP_UNSIGNED := n
ifeq ($(CONFIG_KCSAN),y)
KBUILD_CFLAGS += -g -fno-omit-frame-pointer
diff --git a/kernel/sched/Makefile b/kernel/sched/Makefile
index 976092b7bd45..e487b0e86c2e 100644
--- a/kernel/sched/Makefile
+++ b/kernel/sched/Makefile
@@ -7,6 +7,7 @@ ccflags-y += $(call cc-disable-warning, unused-but-set-variable)
# These files are disabled because they produce non-interesting flaky coverage
# that is not a function of syscall inputs. E.g. involuntary context switches.
KCOV_INSTRUMENT := n
+UBSAN_WRAP_UNSIGNED := n
# Disable KCSAN to avoid excessive noise and performance degradation. To avoid
# false positives ensure barriers implied by sched functions are instrumented.
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
index 0611120036eb..54981e717355 100644
--- a/lib/Kconfig.ubsan
+++ b/lib/Kconfig.ubsan
@@ -132,8 +132,9 @@ config UBSAN_UNSIGNED_WRAP
depends on !COMPILE_TEST
help
This option enables -fsanitize=unsigned-integer-overflow which checks
- for wrap-around of any arithmetic operations with unsigned integers. This
- currently causes x86 to fail to boot.
+ for wrap-around of any arithmetic operations with unsigned integers.
+ Given the history of C and the many common code patterns involving
+ unsigned wrap-around, this is a very noisy option right now.
config UBSAN_POINTER_WRAP
bool "Perform checking for pointer arithmetic wrap-around"
diff --git a/lib/Makefile b/lib/Makefile
index bc36a5c167db..f68385b69247 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for some libs needed in the kernel.
#
+UBSAN_WRAP_UNSIGNED := n
ccflags-remove-$(CONFIG_FUNCTION_TRACER) += $(CC_FLAGS_FTRACE)
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 8d1446c2be71..fce88a337a53 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -1,4 +1,5 @@
# SPDX-License-Identifier: GPL-2.0
+UBSAN_WRAP_UNSIGNED := n
obj-$(CONFIG_CRYPTO_LIB_UTILS) += libcryptoutils.o
libcryptoutils-y := memneq.o utils.o
diff --git a/lib/crypto/mpi/Makefile b/lib/crypto/mpi/Makefile
index 6e6ef9a34fe1..ce95653915b1 100644
--- a/lib/crypto/mpi/Makefile
+++ b/lib/crypto/mpi/Makefile
@@ -2,6 +2,7 @@
#
# MPI multiprecision maths library (from gpg)
#
+UBSAN_WRAP_UNSIGNED := n
obj-$(CONFIG_MPILIB) = mpi.o
diff --git a/lib/zlib_deflate/Makefile b/lib/zlib_deflate/Makefile
index 2622e03c0b94..5d71690554bb 100644
--- a/lib/zlib_deflate/Makefile
+++ b/lib/zlib_deflate/Makefile
@@ -6,6 +6,7 @@
# This is the compression code, see zlib_inflate for the
# decompression code.
#
+UBSAN_WRAP_UNSIGNED := n
obj-$(CONFIG_ZLIB_DEFLATE) += zlib_deflate.o
diff --git a/lib/zstd/Makefile b/lib/zstd/Makefile
index 20f08c644b71..7a187cb08c1f 100644
--- a/lib/zstd/Makefile
+++ b/lib/zstd/Makefile
@@ -8,6 +8,8 @@
# in the COPYING file in the root directory of this source tree).
# You may select, at your option, one of the above-listed licenses.
# ################################################################
+UBSAN_WRAP_UNSIGNED := n
+
obj-$(CONFIG_ZSTD_COMPRESS) += zstd_compress.o
obj-$(CONFIG_ZSTD_DECOMPRESS) += zstd_decompress.o
obj-$(CONFIG_ZSTD_COMMON) += zstd_common.o
diff --git a/mm/Makefile b/mm/Makefile
index e4b5b75aaec9..cacbdd1a2d40 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the linux memory manager.
#
+UBSAN_WRAP_UNSIGNED := n
KASAN_SANITIZE_slab_common.o := n
KASAN_SANITIZE_slub.o := n
diff --git a/net/core/Makefile b/net/core/Makefile
index 821aec06abf1..501d7300da83 100644
--- a/net/core/Makefile
+++ b/net/core/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the Linux networking core.
#
+UBSAN_WRAP_UNSIGNED := n
obj-y := sock.o request_sock.o skbuff.o datagram.o stream.o scm.o \
gen_stats.o gen_estimator.o net_namespace.o secure_seq.o \
diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index ec36d2ec059e..c738d463bb7e 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the Linux TCP/IP (INET) layer.
#
+UBSAN_WRAP_UNSIGNED := n
obj-y := route.o inetpeer.o protocol.o \
ip_input.o ip_fragment.o ip_forward.o ip_options.o \
--
2.34.1
prev parent reply other threads:[~2024-02-02 10:16 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-02 10:16 [PATCH v2 0/6] ubsan: Introduce wrap-around sanitizers Kees Cook
2024-02-02 10:16 ` [PATCH v2 1/6] ubsan: Use Clang's -fsanitize-trap=undefined option Kees Cook
2024-02-02 10:16 ` [PATCH v2 2/6] ubsan: Reintroduce signed and unsigned overflow sanitizers Kees Cook
2024-02-02 11:01 ` Marco Elver
2024-02-02 12:17 ` Kees Cook
2024-02-02 13:44 ` Marco Elver
2024-02-02 16:08 ` Miguel Ojeda
2024-02-02 10:16 ` [PATCH v2 3/6] ubsan: Introduce CONFIG_UBSAN_POINTER_WRAP Kees Cook
2024-02-02 10:16 ` [PATCH v2 4/6] ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL Kees Cook
2024-02-02 10:16 ` [PATCH v2 5/6] ubsan: Split wrapping sanitizer Makefile rules Kees Cook
2024-02-02 10:16 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240202101642.156588-6-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=andreyknvl@gmail.com \
--cc=corbet@lwn.net \
--cc=elver@google.com \
--cc=justinstitt@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=maskray@google.com \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nicolas@fjasle.eu \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.