Hi,
On Thu, Mar 06, 2025 at 08:19:11PM -0800, Kees Cook wrote:
> Limit integer wrap-around mitigation to only the "size_t" type (for
> now). Notably this covers all special functions/builtins that return
> "size_t", like sizeof(). This remains an experimental feature and is
> likely to be replaced with type annotations.
For future travelers, track the progress of type annotations over at
[1]. There's still discussion on how these will be implemented in Clang.
>
> Signed-off-by: Kees Cook <kees@xxxxxxxxxx>
> ---
> Cc: Justin Stitt <justinstitt@xxxxxxxxxx>
> Cc: "Gustavo A. R. Silva" <gustavoars@xxxxxxxxxx>
> Cc: Marco Elver <elver@xxxxxxxxxx>
> Cc: Andrey Konovalov <andreyknvl@xxxxxxxxx>
> Cc: Andrey Ryabinin <ryabinin.a.a@xxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Cc: Masahiro Yamada <masahiroy@xxxxxxxxxx>
> Cc: Nathan Chancellor <nathan@xxxxxxxxxx>
> Cc: Nicolas Schier <nicolas@xxxxxxxxx>
> Cc: kasan-dev@xxxxxxxxxxxxxxxx
> Cc: linux-hardening@xxxxxxxxxxxxxxx
> Cc: linux-kbuild@xxxxxxxxxxxxxxx
> ---
> lib/Kconfig.ubsan | 1 +
> scripts/Makefile.ubsan | 3 ++-
> scripts/integer-wrap-ignore.scl | 3 +++
> 3 files changed, 6 insertions(+), 1 deletion(-)
> create mode 100644 scripts/integer-wrap-ignore.scl
>
> diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
> index 888c2e72c586..4216b3a4ff21 100644
> --- a/lib/Kconfig.ubsan
> +++ b/lib/Kconfig.ubsan
> @@ -125,6 +125,7 @@ config UBSAN_INTEGER_WRAP
> depends on $(cc-option,-fsanitize=unsigned-integer-overflow)
> depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation)
> depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation)
> + depends on $(cc-option,-fsanitize-ignorelist=/dev/null)
> help
> This option enables all of the sanitizers involved in integer overflow
> (wrap-around) mitigation: signed-integer-overflow, unsigned-integer-overflow,
> diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
> index 233379c193a7..9e35198edbf0 100644
> --- a/scripts/Makefile.ubsan
> +++ b/scripts/Makefile.ubsan
> @@ -19,5 +19,6 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \
> -fsanitize=signed-integer-overflow \
> -fsanitize=unsigned-integer-overflow \
> -fsanitize=implicit-signed-integer-truncation \
> - -fsanitize=implicit-unsigned-integer-truncation
> + -fsanitize=implicit-unsigned-integer-truncation \
> + -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl
> export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y)
> diff --git a/scripts/integer-wrap-ignore.scl b/scripts/integer-wrap-ignore.scl
> new file mode 100644
> index 000000000000..431c3053a4a2
> --- /dev/null
> +++ b/scripts/integer-wrap-ignore.scl
> @@ -0,0 +1,3 @@
> +[{unsigned-integer-overflow,signed-integer-overflow,implicit-signed-integer-truncation,implicit-unsigned-integer-truncation}]
> +type:*
> +type:size_t=sanitize
Hi again future travelers, sanitizer special case list support for
overflow/truncation sanitizers as well as the "=sanitize" comes from a
new Clang 20 feature allowing SCL's to specify sanitize categories, see [2].
> --
> 2.34.1
>
>
The plumbing looks correct,
Reviewed-by: Justin Stitt <justinstitt@xxxxxxxxxx>
[1]: https://discourse.llvm.org/t/rfc-clang-canonical-wrapping-and-non-wrapping-types/84356
[2]: https://github.com/llvm/llvm-project/pull/107332
Thanks
Justin
