On 11/20/19 4:06 AM, Kees Cook wrote:
> In order to do kernel builds with the bounds checker individually
> available, introduce CONFIG_UBSAN_BOUNDS, with the remaining options
> under CONFIG_UBSAN_MISC.
>
> For example, using this, we can start to expand the coverage syzkaller is
> providing. Right now, all of UBSan is disabled for syzbot builds because
> taken as a whole, it is too noisy. This will let us focus on one feature
> at a time.
>
> For the bounds checker specifically, this provides a mechanism to
> eliminate an entire class of array overflows with close to zero
> performance overhead (I cannot measure a difference). In my (mostly)
> defconfig, enabling bounds checking adds ~4200 checks to the kernel.
> Performance changes are in the noise, likely due to the branch predictors
> optimizing for the non-fail path.
>
> Some notes on the bounds checker:
>
> - it does not instrument {mem,str}*()-family functions, it only
> instruments direct indexed accesses (e.g. "foo[i]"). Dealing with
> the {mem,str}*()-family functions is a work-in-progress around
> CONFIG_FORTIFY_SOURCE[1].
>
> - it ignores flexible array members, including the very old single
> byte (e.g. "int foo[1];") declarations. (Note that GCC's
> implementation appears to ignore _all_ trailing arrays, but Clang only
> ignores empty, 0, and 1 byte arrays[2].)
>
> [1] https://github.com/KSPP/linux/issues/6
> [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92589
>
> Suggested-by: Elena Petrova <lenaptr@xxxxxxxxxx>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
