From patchwork Fri Mar 7 04:19:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 14005893 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1D7E4DDBE; Fri, 7 Mar 2025 04:19:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741321158; cv=none; b=Yea1MAKBv+AlhBiDMXtgCIF4+qjdQ2YLPu2DyWYpcl03GBjiju4lj0YmeGvoxQuJG3jGmTC+q/JOLdsrTczzWSZkaIrIuxD7UtpRkTKGQ6hrBOUdNIceOaDn2UD6lm3A+jyvlVGZCJwOnwB2eIorFEtJtCW0F3QdyC/rY5kdudg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741321158; c=relaxed/simple; bh=jF2FPa66QDBZ6tSBhJch3R++EPhCPpvxAmCZwq5WTIw=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=m/fMGHbV+29p1xSMtzwMgQ+7ZNs3ai3UmCoqTx4pUJ+6oTAK5VSWAC9Ww7RGcEsnCyvAEtGVO0v+xMQsAmfCWwOlPAp2aqtHYMIx5HA138duilrX/pjzSCN26sRYwNa9CKYRC3BOAgvHoJyuxqNsnRDRzf67GnupI1x4CV354V4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=m7xtot/L; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="m7xtot/L" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D534FC4CED1; Fri, 7 Mar 2025 04:19:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1741321157; bh=jF2FPa66QDBZ6tSBhJch3R++EPhCPpvxAmCZwq5WTIw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=m7xtot/Lt0LFY7vihSIgRz8bcjTz7WSNfg5W1XcUjFau17R9AfuIo7lUyNIaOY/AZ ixRzMmH8/hYnFeqSv5W1CUjBgE8+7GFvwYuO6Awqk4fg1UuqCtJsN7ZWMsQr20waxF 20Ui6g74C39OxdprXojVr32xwUsKVdXLbT+vXT9BH+xKP/iRb/vOD6CfDr1JZab9gv xAYZlXqAnigjOZuluwXgziWhVs5iTQPeIay24TnTwOrCRpJiJ7rUE2uy5sPLypwyIU fY1IJ4IzMEpeVxCElrrNr6qut8AKQr+PzygyUisotp7UFkF8/6QOZp2OVqku/6FjwB mPB0WhuusaTCg== From: Kees Cook To: Justin Stitt Cc: Kees Cook , "Gustavo A. R. Silva" , Andrew Morton , Marco Elver , Andrey Konovalov , Andrey Ryabinin , Masahiro Yamada , Nathan Chancellor , Nicolas Schier , Miguel Ojeda , Nick Desaulniers , Hao Luo , Przemek Kitszel , linux-hardening@vger.kernel.org, kasan-dev@googlegroups.com, linux-kbuild@vger.kernel.org, Bill Wendling , Jakub Kicinski , Tony Ambardar , Alexander Potapenko , Jan Hendrik Farr , Alexander Lobakin , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 1/3] ubsan/overflow: Rework integer overflow sanitizer option to turn on everything Date: Thu, 6 Mar 2025 20:19:09 -0800 Message-Id: <20250307041914.937329-1-kees@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250307040948.work.791-kees@kernel.org> References: <20250307040948.work.791-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-kbuild@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=10875; i=kees@kernel.org; h=from:subject; bh=jF2FPa66QDBZ6tSBhJch3R++EPhCPpvxAmCZwq5WTIw=; b=owGbwMvMwCVmps19z/KJym7G02pJDOmnivc12DiqfHFzPZRQcErs48W+2m9Cyv4Tqp5zrr/fE 1J91LW/o5SFQYyLQVZMkSXIzj3OxeNte7j7XEWYOaxMIEMYuDgFYCKiogx/ZaobtZWP7PLMvcjF 5HpCa1HFJI8XFWUa7Y/SHQ8f2n1uLSPDu8uvpurGVdn6TmVZl7DO2M5AM6siZc1yt77EI59ytqg zAAA= X-Developer-Key: i=kees@kernel.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Since we're going to approach integer overflow mitigation a type at a time, we need to enable all of the associated sanitizers, and then opt into types one at a time. Rename the existing "signed wrap" sanitizer to just the entire topic area: "integer wrap". Enable the implicit integer truncation sanitizers, with required callbacks and tests. Notably, this requires features (currently) only available in Clang, so we can depend on the cc-option tests to determine availability instead of doing version tests. Signed-off-by: Kees Cook --- Cc: Justin Stitt Cc: "Gustavo A. R. Silva" Cc: Andrew Morton Cc: Marco Elver Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: Miguel Ojeda Cc: Nick Desaulniers Cc: Hao Luo Cc: Przemek Kitszel Cc: linux-hardening@vger.kernel.org Cc: kasan-dev@googlegroups.com Cc: linux-kbuild@vger.kernel.org --- include/linux/compiler_types.h | 2 +- kernel/configs/hardening.config | 2 +- lib/Kconfig.ubsan | 23 +++++++++++------------ lib/test_ubsan.c | 18 ++++++++++++++---- lib/ubsan.c | 28 ++++++++++++++++++++++++++-- lib/ubsan.h | 8 ++++++++ scripts/Makefile.lib | 4 ++-- scripts/Makefile.ubsan | 8 ++++++-- 8 files changed, 69 insertions(+), 24 deletions(-) diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index f59393464ea7..4ad3e900bc3d 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -360,7 +360,7 @@ struct ftrace_likely_data { #endif /* Do not trap wrapping arithmetic within an annotated function. */ -#ifdef CONFIG_UBSAN_SIGNED_WRAP +#ifdef CONFIG_UBSAN_INTEGER_WRAP # define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow"))) #else # define __signed_wrap diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index 3fabb8f55ef6..dd7c32fb5ac1 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -46,7 +46,7 @@ CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_SHIFT is not set # CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_UNREACHABLE is not set -# CONFIG_UBSAN_SIGNED_WRAP is not set +# CONFIG_UBSAN_INTEGER_WRAP is not set # CONFIG_UBSAN_BOOL is not set # CONFIG_UBSAN_ENUM is not set # CONFIG_UBSAN_ALIGNMENT is not set diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 1d4aa7a83b3a..63e5622010e0 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -116,21 +116,20 @@ config UBSAN_UNREACHABLE This option enables -fsanitize=unreachable which checks for control flow reaching an expected-to-be-unreachable position. -config UBSAN_SIGNED_WRAP - bool "Perform checking for signed arithmetic wrap-around" +config UBSAN_INTEGER_WRAP + bool "Perform checking for integer arithmetic wrap-around" default UBSAN depends on !COMPILE_TEST - # The no_sanitize attribute was introduced in GCC with version 8. - depends on !CC_IS_GCC || GCC_VERSION >= 80000 depends on $(cc-option,-fsanitize=signed-integer-overflow) - help - This option enables -fsanitize=signed-integer-overflow which checks - for wrap-around of any arithmetic operations with signed integers. - This currently performs nearly no instrumentation due to the - kernel's use of -fno-strict-overflow which converts all would-be - arithmetic undefined behavior into wrap-around arithmetic. Future - sanitizer versions will allow for wrap-around checking (rather than - exclusively undefined behavior). + depends on $(cc-option,-fsanitize=unsigned-integer-overflow) + depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) + depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) + help + This option enables all of the sanitizers involved in integer overflow + (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow, + implicit-signed-integer-truncation, and implicit-unsigned-integer-truncation. + This is currently limited only to the size_t type while testing and + compiler development continues. config UBSAN_BOOL bool "Perform checking for non-boolean values used as boolean" diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 5d7b10e98610..8772e5edaa4f 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c @@ -15,7 +15,7 @@ static void test_ubsan_add_overflow(void) { volatile int val = INT_MAX; - UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); val += 2; } @@ -24,7 +24,7 @@ static void test_ubsan_sub_overflow(void) volatile int val = INT_MIN; volatile int val2 = 2; - UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); val -= val2; } @@ -32,7 +32,7 @@ static void test_ubsan_mul_overflow(void) { volatile int val = INT_MAX / 2; - UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); val *= 3; } @@ -40,7 +40,7 @@ static void test_ubsan_negate_overflow(void) { volatile int val = INT_MIN; - UBSAN_TEST(CONFIG_UBSAN_SIGNED_WRAP); + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); val = -val; } @@ -53,6 +53,15 @@ static void test_ubsan_divrem_overflow(void) val /= val2; } +static void test_ubsan_truncate_signed(void) +{ + volatile long val = LONG_MAX; + volatile int val2 = 0; + + UBSAN_TEST(CONFIG_UBSAN_INTEGER_WRAP); + val2 = val; +} + static void test_ubsan_shift_out_of_bounds(void) { volatile int neg = -1, wrap = 4; @@ -127,6 +136,7 @@ static const test_ubsan_fp test_ubsan_array[] = { test_ubsan_sub_overflow, test_ubsan_mul_overflow, test_ubsan_negate_overflow, + test_ubsan_truncate_signed, test_ubsan_shift_out_of_bounds, test_ubsan_out_of_bounds, test_ubsan_load_invalid_value, diff --git a/lib/ubsan.c b/lib/ubsan.c index a1c983d148f1..cdc1d31c3821 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c @@ -44,7 +44,7 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type) case ubsan_shift_out_of_bounds: return "UBSAN: shift out of bounds"; #endif -#if defined(CONFIG_UBSAN_DIV_ZERO) || defined(CONFIG_UBSAN_SIGNED_WRAP) +#if defined(CONFIG_UBSAN_DIV_ZERO) || defined(CONFIG_UBSAN_INTEGER_WRAP) /* * SanitizerKind::IntegerDivideByZero and * SanitizerKind::SignedIntegerOverflow emit @@ -79,7 +79,7 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type) case ubsan_type_mismatch: return "UBSAN: type mismatch"; #endif -#ifdef CONFIG_UBSAN_SIGNED_WRAP +#ifdef CONFIG_UBSAN_INTEGER_WRAP /* * SanitizerKind::SignedIntegerOverflow emits * SanitizerHandler::AddOverflow, SanitizerHandler::SubOverflow, @@ -303,6 +303,30 @@ void __ubsan_handle_negate_overflow(void *_data, void *old_val) } EXPORT_SYMBOL(__ubsan_handle_negate_overflow); +void __ubsan_handle_implicit_conversion(void *_data, void *from_val, void *to_val) +{ + struct implicit_conversion_data *data = _data; + char from_val_str[VALUE_LENGTH]; + char to_val_str[VALUE_LENGTH]; + + if (suppress_report(&data->location)) + return; + + val_to_string(from_val_str, sizeof(from_val_str), data->from_type, from_val); + val_to_string(to_val_str, sizeof(to_val_str), data->to_type, to_val); + + ubsan_prologue(&data->location, "implicit-conversion"); + + pr_err("cannot represent %s value %s during %s %s, truncated to %s\n", + data->from_type->type_name, + from_val_str, + type_check_kinds[data->type_check_kind], + data->to_type->type_name, + to_val_str); + + ubsan_epilogue(); +} +EXPORT_SYMBOL(__ubsan_handle_implicit_conversion); void __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs) { diff --git a/lib/ubsan.h b/lib/ubsan.h index 07e37d4429b4..b37e22374e77 100644 --- a/lib/ubsan.h +++ b/lib/ubsan.h @@ -62,6 +62,13 @@ struct overflow_data { struct type_descriptor *type; }; +struct implicit_conversion_data { + struct source_location location; + struct type_descriptor *from_type; + struct type_descriptor *to_type; + unsigned char type_check_kind; +}; + struct type_mismatch_data { struct source_location location; struct type_descriptor *type; @@ -142,6 +149,7 @@ void ubsan_linkage __ubsan_handle_sub_overflow(void *data, void *lhs, void *rhs) void ubsan_linkage __ubsan_handle_mul_overflow(void *data, void *lhs, void *rhs); void ubsan_linkage __ubsan_handle_negate_overflow(void *_data, void *old_val); void ubsan_linkage __ubsan_handle_divrem_overflow(void *_data, void *lhs, void *rhs); +void ubsan_linkage __ubsan_handle_implicit_conversion(void *_data, void *lhs, void *rhs); void ubsan_linkage __ubsan_handle_type_mismatch(struct type_mismatch_data *data, void *ptr); void ubsan_linkage __ubsan_handle_type_mismatch_v1(void *_data, void *ptr); void ubsan_linkage __ubsan_handle_out_of_bounds(void *_data, void *index); diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index cad20f0e66ee..981d14ef9db2 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -166,8 +166,8 @@ _c_flags += $(if $(patsubst n%,, \ $(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_SANITIZE)$(is-kernel-object)), \ $(CFLAGS_UBSAN)) _c_flags += $(if $(patsubst n%,, \ - $(UBSAN_SIGNED_WRAP_$(target-stem).o)$(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_SIGNED_WRAP)$(UBSAN_SANITIZE)$(is-kernel-object)), \ - $(CFLAGS_UBSAN_SIGNED_WRAP)) + $(UBSAN_INTEGER_WRAP_$(target-stem).o)$(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_INTEGER_WRAP)$(UBSAN_SANITIZE)$(is-kernel-object)), \ + $(CFLAGS_UBSAN_INTEGER_WRAP)) endif ifeq ($(CONFIG_KCOV),y) diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index b2d3b273b802..4fad9afed24c 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -14,5 +14,9 @@ ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined export CFLAGS_UBSAN := $(ubsan-cflags-y) -ubsan-signed-wrap-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow -export CFLAGS_UBSAN_SIGNED_WRAP := $(ubsan-signed-wrap-cflags-y) +ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ + -fsanitize=signed-integer-overflow \ + -fsanitize=unsigned-integer-overflow \ + -fsanitize=implicit-signed-integer-truncation \ + -fsanitize=implicit-unsigned-integer-truncation +export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) From patchwork Fri Mar 7 04:19:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 14005894 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6080419006F; Fri, 7 Mar 2025 04:19:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741321158; cv=none; b=hmlZDQiqJn3F7UnKlz9F855BMBOA72TiijeXoWjll0S8hxNLEp+UmPdzOhDCZvvH9SATRD9twmvhJbD+WS88BKeRes94CLmUeXlJNJzydd8C3ezVugtTEFhaw+LDyd20TQCnfN/2aihn9do9ipciAOR6NbWBFuKjduHVMSRZpIk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741321158; c=relaxed/simple; bh=swXPVnzWC/FlvTAyt5YU2bLA06oGPklYrKEuppMNs8o=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=FL6xDRnwheBZ7mmu9jBB1WuaCNsBCFvNzow/SKL3jInr2iX9KzuWIuRc/5k57o0t+gQ78KhUTjfWiBAhVjZu09ey/v3kD5mHFzyA8avMUzRblhzS1IdhWNH1e7kVSevFCKn6ti1q9kIE4RJuMIL3MYMQdEfEDMOxTYeRFfmpiNo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Rz5g9Vap; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Rz5g9Vap" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E2590C4AF0C; Fri, 7 Mar 2025 04:19:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1741321158; bh=swXPVnzWC/FlvTAyt5YU2bLA06oGPklYrKEuppMNs8o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Rz5g9VapbAqgPoWzPySZOL58XXVRoeHavg1WXOye8yXU1N6VuzaO3vXbfB8TaoZbh 6NyLEaX19Ma/qNr3DfUtH41cSs1c+uEGRUqWL4zWaiPPpmefI+5ETXFGyZMQ7NdiL9 rNf6PoOeWb+QmEU8OcAavFkJTbGO2oXe7EyJvon7HE1BSwONh8+3x+6q3VAOaIX7sY 6QMoDoAe+RundJIXlXlECBOfNH+MoC/nTfotQjFf3pTc/ooWoXW8+f4hndvv3QdYih FdkUtWXLTwoR6k+y6WuDuYwL2nVjhseCB3UHE9fh68xS8Hx8TubzHkfRjPrLIMdB9a Ij2QFKSBI9aCw== From: Kees Cook To: Justin Stitt Cc: Kees Cook , "Gustavo A. R. Silva" , Masahiro Yamada , Nathan Chancellor , Nicolas Schier , Marco Elver , Andrey Konovalov , Andrey Ryabinin , linux-kbuild@vger.kernel.org, kasan-dev@googlegroups.com, linux-hardening@vger.kernel.org, Andrew Morton , Miguel Ojeda , Nick Desaulniers , Hao Luo , Przemek Kitszel , Bill Wendling , Jakub Kicinski , Tony Ambardar , Alexander Potapenko , Jan Hendrik Farr , Alexander Lobakin , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 2/3] ubsan/overflow: Enable pattern exclusions Date: Thu, 6 Mar 2025 20:19:10 -0800 Message-Id: <20250307041914.937329-2-kees@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250307040948.work.791-kees@kernel.org> References: <20250307040948.work.791-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-kbuild@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2094; i=kees@kernel.org; h=from:subject; bh=swXPVnzWC/FlvTAyt5YU2bLA06oGPklYrKEuppMNs8o=; b=owGbwMvMwCVmps19z/KJym7G02pJDOmnivdFn5JrOxe5UsvST1KT0T7/Z9y/CeZXXiyc2sBj8 qlu7n+tjlIWBjEuBlkxRZYgO/c4F4+37eHucxVh5rAygQxh4OIUgImYiTH899uitEkySfFFhPd5 Twe+z+sZfp7XnD/3eSUL01tGu5u+tgy/mFlqc12+iT/Jfya++uLdam6eJ5l3xSeqvl3FGcJdEHy YFQA= X-Developer-Key: i=kees@kernel.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 To make integer wrap-around mitigation actually useful, the associated sanitizers must not instrument cases where the wrap-around is explicitly defined (e.g. "-2UL"), being tested for (e.g. "if (a + b < a)"), or where it has no impact on code flow (e.g. "while (var--)"). Enable pattern exclusions for the integer wrap sanitizers. Signed-off-by: Kees Cook Reviewed-by: Justin Stitt --- Cc: Justin Stitt Cc: "Gustavo A. R. Silva" Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: Marco Elver Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: linux-kbuild@vger.kernel.org Cc: kasan-dev@googlegroups.com Cc: linux-hardening@vger.kernel.org --- lib/Kconfig.ubsan | 1 + scripts/Makefile.ubsan | 1 + 2 files changed, 2 insertions(+) diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 63e5622010e0..888c2e72c586 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -120,6 +120,7 @@ config UBSAN_INTEGER_WRAP bool "Perform checking for integer arithmetic wrap-around" default UBSAN depends on !COMPILE_TEST + depends on $(cc-option,-fsanitize-undefined-ignore-overflow-pattern=all) depends on $(cc-option,-fsanitize=signed-integer-overflow) depends on $(cc-option,-fsanitize=unsigned-integer-overflow) depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 4fad9afed24c..233379c193a7 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -15,6 +15,7 @@ ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined export CFLAGS_UBSAN := $(ubsan-cflags-y) ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ + -fsanitize-undefined-ignore-overflow-pattern=all \ -fsanitize=signed-integer-overflow \ -fsanitize=unsigned-integer-overflow \ -fsanitize=implicit-signed-integer-truncation \ From patchwork Fri Mar 7 04:19:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 14005895 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 630EF19047A; Fri, 7 Mar 2025 04:19:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741321158; cv=none; b=iAWX/MNnAU6DwMAW7UGqDxwf4jQL8jzfruFJ7s5A/UxOfIVRz0Ntc04W9mrIolSMGBgYmZwYSxwffwbLZB3mUOQFsxfaIZi3YxFv1uRhTrwEts82X/EGgaSroLuGKUFBie32aqZkglrACEjKSKoiwR+mbFb+MLU1pCYoTdKlDd8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741321158; c=relaxed/simple; bh=uNpuQxTpZBJvM7GGSJmEy7lrrBKKHc7fIlKudivWp4k=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=CV7mwfZnxGX1p4XeB+M9L63xn+h7yI55JZHWXRWsikBCxwAMZ7Aim3jdRU71ncps1jI0zBm/+GrqPJI5TE4RKBGoGiecdYqOSYxqiy0bxs3Hfdd1p5UDAMxqnx2N6lbv/Ax+O10Je76xjoU1DoqYEx2W83GpLTg/EeGS6kGe1FQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Buin79jU; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Buin79jU" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DF828C4AF09; Fri, 7 Mar 2025 04:19:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1741321158; bh=uNpuQxTpZBJvM7GGSJmEy7lrrBKKHc7fIlKudivWp4k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Buin79jUQfKozriM7zIKRN492/C5+yYUH3moaW/JBqerJ1wGI/zI0KF7Ou3jujH8p eLmGEOU0FF9YC2ObjfSXlxaDkB9Um0RBWe0/Ji22FkRPO21m/I2ZTWHwiF/Q7F+oGH 3e9ZZNspworYdQTyFu3xiMZWsMNDTQuBTaI1f0XqLufrF8lqxaJX6sgkPrPybnGHkE 5HVp471Grx9ibv4zOdX1JeZhNTtZC0n241cjYfkMmGHAWpLHXylinwG8HrfEmmDXaV 8m1QhkFFaesVVyGV+woBtc1Bty+dHU9gltaiMD5qaH9M/5xTG5RUcrT7yFdePjxfRK UJKuJrBtwMyIQ== From: Kees Cook To: Justin Stitt Cc: Kees Cook , "Gustavo A. R. Silva" , Marco Elver , Andrey Konovalov , Andrey Ryabinin , Andrew Morton , Masahiro Yamada , Nathan Chancellor , Nicolas Schier , kasan-dev@googlegroups.com, linux-hardening@vger.kernel.org, linux-kbuild@vger.kernel.org, Miguel Ojeda , Nick Desaulniers , Hao Luo , Przemek Kitszel , Bill Wendling , Jakub Kicinski , Tony Ambardar , Alexander Potapenko , Jan Hendrik Farr , Alexander Lobakin , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 3/3] ubsan/overflow: Enable ignorelist parsing and add type filter Date: Thu, 6 Mar 2025 20:19:11 -0800 Message-Id: <20250307041914.937329-3-kees@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250307040948.work.791-kees@kernel.org> References: <20250307040948.work.791-kees@kernel.org> Precedence: bulk X-Mailing-List: linux-kbuild@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2672; i=kees@kernel.org; h=from:subject; bh=uNpuQxTpZBJvM7GGSJmEy7lrrBKKHc7fIlKudivWp4k=; b=owGbwMvMwCVmps19z/KJym7G02pJDOmnive33Kyu+u8yKfiLVCOnWmx084Lfr96smbtIRLf/Y /i1tR++dpSyMIhxMciKKbIE2bnHuXi8bQ93n6sIM4eVCWQIAxenAEzk6FNGhjMLtQ0mlb6V+2tR 4rv444FVF+UfOWn5vX6TuOWrR3HWmjiGf2rWE+S+bv728PWUGc1T79xsMF5YJ606fauk2+YfCQ4 mlQwA X-Developer-Key: i=kees@kernel.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Limit integer wrap-around mitigation to only the "size_t" type (for now). Notably this covers all special functions/builtins that return "size_t", like sizeof(). This remains an experimental feature and is likely to be replaced with type annotations. Signed-off-by: Kees Cook Reviewed-by: Justin Stitt --- Cc: Justin Stitt Cc: "Gustavo A. R. Silva" Cc: Marco Elver Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: Andrew Morton Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: kasan-dev@googlegroups.com Cc: linux-hardening@vger.kernel.org Cc: linux-kbuild@vger.kernel.org --- lib/Kconfig.ubsan | 1 + scripts/Makefile.ubsan | 3 ++- scripts/integer-wrap-ignore.scl | 3 +++ 3 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 scripts/integer-wrap-ignore.scl diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 888c2e72c586..4216b3a4ff21 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -125,6 +125,7 @@ config UBSAN_INTEGER_WRAP depends on $(cc-option,-fsanitize=unsigned-integer-overflow) depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) + depends on $(cc-option,-fsanitize-ignorelist=/dev/null) help This option enables all of the sanitizers involved in integer overflow (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow, diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 233379c193a7..9e35198edbf0 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -19,5 +19,6 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ -fsanitize=signed-integer-overflow \ -fsanitize=unsigned-integer-overflow \ -fsanitize=implicit-signed-integer-truncation \ - -fsanitize=implicit-unsigned-integer-truncation + -fsanitize=implicit-unsigned-integer-truncation \ + -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) diff --git a/scripts/integer-wrap-ignore.scl b/scripts/integer-wrap-ignore.scl new file mode 100644 index 000000000000..431c3053a4a2 --- /dev/null +++ b/scripts/integer-wrap-ignore.scl @@ -0,0 +1,3 @@ +[{unsigned-integer-overflow,signed-integer-overflow,implicit-signed-integer-truncation,implicit-unsigned-integer-truncation}] +type:* +type:size_t=sanitize