Re: [PATCH 1/3] ubsan/overflow: Rework integer overflow sanitizer option to turn on everything

On Thu, 6 Mar 2025 at 23:19, Kees Cook <kees@xxxxxxxxxx> wrote:
>
> Since we're going to approach integer overflow mitigation a type at a
> time, we need to enable all of the associated sanitizers, and then opt
> into types one at a time.
>
> Rename the existing "signed wrap" sanitizer to just the entire topic area:
> "integer wrap". Enable the implicit integer truncation sanitizers, with
> required callbacks and tests.
>
> Notably, this requires features (currently) only available in Clang,
> so we can depend on the cc-option tests to determine availability
> instead of doing version tests.
>
> Signed-off-by: Kees Cook <kees@xxxxxxxxxx>
> ---
> Cc: Justin Stitt <justinstitt@xxxxxxxxxx>
> Cc: "Gustavo A. R. Silva" <gustavoars@xxxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Cc: Marco Elver <elver@xxxxxxxxxx>
> Cc: Andrey Konovalov <andreyknvl@xxxxxxxxx>
> Cc: Andrey Ryabinin <ryabinin.a.a@xxxxxxxxx>
> Cc: Masahiro Yamada <masahiroy@xxxxxxxxxx>
> Cc: Nathan Chancellor <nathan@xxxxxxxxxx>
> Cc: Nicolas Schier <nicolas@xxxxxxxxx>
> Cc: Miguel Ojeda <ojeda@xxxxxxxxxx>
> Cc: Nick Desaulniers <ndesaulniers@xxxxxxxxxx>
> Cc: Hao Luo <haoluo@xxxxxxxxxx>
> Cc: Przemek Kitszel <przemyslaw.kitszel@xxxxxxxxx>
> Cc: linux-hardening@xxxxxxxxxxxxxxx
> Cc: kasan-dev@xxxxxxxxxxxxxxxx
> Cc: linux-kbuild@xxxxxxxxxxxxxxx
> ---
>  include/linux/compiler_types.h  |  2 +-
>  kernel/configs/hardening.config |  2 +-
>  lib/Kconfig.ubsan               | 23 +++++++++++------------
>  lib/test_ubsan.c                | 18 ++++++++++++++----
>  lib/ubsan.c                     | 28 ++++++++++++++++++++++++++--
>  lib/ubsan.h                     |  8 ++++++++
>  scripts/Makefile.lib            |  4 ++--
>  scripts/Makefile.ubsan          |  8 ++++++--
>  8 files changed, 69 insertions(+), 24 deletions(-)
>
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> index f59393464ea7..4ad3e900bc3d 100644
> --- a/include/linux/compiler_types.h
> +++ b/include/linux/compiler_types.h
> @@ -360,7 +360,7 @@ struct ftrace_likely_data {
>  #endif
>
>  /* Do not trap wrapping arithmetic within an annotated function. */
> -#ifdef CONFIG_UBSAN_SIGNED_WRAP
> +#ifdef CONFIG_UBSAN_INTEGER_WRAP
>  # define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow")))
>  #else
>  # define __signed_wrap
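Review bot: `__signed_wrap` still only disables "signed-integer-overflow", but the config it is now gated on (CONFIG_UBSAN_INTEGER_WRAP) also enables the unsigned-overflow and implicit-truncation sanitizers per the Kconfig hunk below, so arithmetic inside a function annotated `__signed_wrap` can still trap on those checks. Either extend the attribute list (e.g. add "unsigned-integer-overflow" and the two implicit-*-integer-truncation names) or document that the annotation intentionally opts out of only the signed check; the macro name no longer matches the config name either way, which is worth a comment.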
> diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config
> index 3fabb8f55ef6..dd7c32fb5ac1 100644
> --- a/kernel/configs/hardening.config
> +++ b/kernel/configs/hardening.config
> @@ -46,7 +46,7 @@ CONFIG_UBSAN_BOUNDS=y
>  # CONFIG_UBSAN_SHIFT is not set
>  # CONFIG_UBSAN_DIV_ZERO is not set
>  # CONFIG_UBSAN_UNREACHABLE is not set
> -# CONFIG_UBSAN_SIGNED_WRAP is not set
> +# CONFIG_UBSAN_INTEGER_WRAP is not set
>  # CONFIG_UBSAN_BOOL is not set
>  # CONFIG_UBSAN_ENUM is not set
>  # CONFIG_UBSAN_ALIGNMENT is not set
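Review bot: this keeps the renamed option disabled in hardening.config even though it now covers unsigned wrap-around and implicit truncation, not only the signed check the old name described; a sentence in the commit message (or a comment next to this line) saying whether leaving it off is intentional for the hardening fragment would avoid the question coming back on every respin.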
> diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
> index 1d4aa7a83b3a..63e5622010e0 100644
> --- a/lib/Kconfig.ubsan
> +++ b/lib/Kconfig.ubsan
> @@ -116,21 +116,20 @@ config UBSAN_UNREACHABLE
>           This option enables -fsanitize=unreachable which checks for control
>           flow reaching an expected-to-be-unreachable position.
>
> -config UBSAN_SIGNED_WRAP
> -       bool "Perform checking for signed arithmetic wrap-around"
> +config UBSAN_INTEGER_WRAP
> +       bool "Perform checking for integer arithmetic wrap-around"
>         default UBSAN
>         depends on !COMPILE_TEST
> -       # The no_sanitize attribute was introduced in GCC with version 8.
> -       depends on !CC_IS_GCC || GCC_VERSION >= 80000
>         depends on $(cc-option,-fsanitize=signed-integer-overflow)
> -       help
> -         This option enables -fsanitize=signed-integer-overflow which checks
> -         for wrap-around of any arithmetic operations with signed integers.
> -         This currently performs nearly no instrumentation due to the
> -         kernel's use of -fno-strict-overflow which converts all would-be
> -         arithmetic undefined behavior into wrap-around arithmetic. Future
> -         sanitizer versions will allow for wrap-around checking (rather than
> -         exclusively undefined behavior).
> +       depends on $(cc-option,-fsanitize=unsigned-integer-overflow)
> +       depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation)
> +       depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation)
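Review bot: the `help` block for the option is removed here and nothing replaces it within the visible part of the hunk; the renamed option should keep a help text that states it enables -fsanitize=unsigned-integer-overflow and the two implicit-*-integer-truncation sanitizers alongside signed overflow, since the removed paragraph about -fno-strict-overflow no longer describes what the option does. Dropping `depends on !CC_IS_GCC || GCC_VERSION >= 80000` works in practice only because the new implicit-truncation cc-option tests fail on GCC (the commit message says these features are currently Clang-only), so the no_sanitize attribute used in compiler_types.h is still guarded implicitly; a one-line comment saying that the Clang-only flags are what keep GCC out would make that dependency explicit rather than accidental.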

Can these be in 1 cc-option? I know it might look slightly more ugly,
but having 3 different ones will shell out to the compiler 3 times,
which is a little less efficient. At some point it might noticeably
increase the build initialization latency.
