[PATCH 1/2] kernel: add missing UBSAN config symbols
Hauke Mehrtens
hauke at hauke-m.de
Sun Nov 7 06:09:33 PST 2021
On 11/3/21 7:08 PM, Stijn Tintel wrote:
> Enabling KERNEL_UBSAN exposes several missing symbols. Add new kernel
> build options for UBSAN_BOUNDS and UBSAN_TRAP, disable CONFIG_TEST_UBSAN
> in the generic kernel configs and enable CONFIG_UBSAN_MISC in generic
> 5.10 config. The latter symbol was removed in later kernels, so just set
> it to the default value in 5.10 instead of adding a build option for it.
>
> Fixes build failures with KERNEL_UBSAN enabled.
Does your system still boot with CONFIG_UBSAN_MISC set?
I haven't tried this myself and used this only on an older kernel
before, but this commit message which removes it does not sound good:
https://git.kernel.org/linus/c637693b20da8706b7f48d96882c9c80ae935151
I would prefer to deactivate CONFIG_UBSAN_MISC.
Hauke
>
> Signed-off-by: Stijn Tintel <stijn at linux-ipv6.be>
> ---
> config/Config-kernel.in | 23 +++++++++++++++++++++++
> target/linux/generic/config-5.10 | 2 ++
> target/linux/generic/config-5.4 | 1 +
> 3 files changed, 26 insertions(+)
>
> diff --git a/config/Config-kernel.in b/config/Config-kernel.in
> index dc249a6031..6758d278e7 100644
> --- a/config/Config-kernel.in
> +++ b/config/Config-kernel.in
> @@ -114,6 +114,16 @@ config KERNEL_UBSAN_ALIGNMENT
> Enabling this option on architectures that support unaligned
> accesses may produce a lot of false positives.
>
> +config KERNEL_UBSAN_BOUNDS
> + bool "Perform array index bounds checking"
> + depends on KERNEL_UBSAN
> + help
> + This option enables detection of directly indexed out of bounds array
> + accesses, where the array size is known at compile time. Note that
> + this does not protect array overflows via bad calls to the
> + {str,mem}*cpy() family of functions (that is addressed by
> + FORTIFY_SOURCE).
> +
> config KERNEL_UBSAN_NULL
> bool "Enable checking of null pointers"
> depends on KERNEL_UBSAN
> @@ -121,6 +131,19 @@ config KERNEL_UBSAN_NULL
> This option enables detection of memory accesses via a
> null pointer.
>
> +config KERNEL_UBSAN_TRAP
> + bool "On Sanitizer warnings, abort the running kernel code"
> + depends on KERNEL_UBSAN
> + help
> + Building kernels with Sanitizer features enabled tends to grow the
> + kernel size by around 5%, due to adding all the debugging text on
> + failure paths. To avoid this, Sanitizer instrumentation can just
> + issue a trap. This reduces the kernel size overhead but turns all
> + warnings (including potentially harmless conditions) into full
> + exceptions that abort the running kernel code (regardless of context,
> + locks held, etc), which may destabilize the system. For some system
> + builders this is an acceptable trade-off.
> +
> config KERNEL_KASAN
> bool "Compile the kernel with KASan: runtime memory debugger"
> select KERNEL_SLUB_DEBUG
> diff --git a/target/linux/generic/config-5.10 b/target/linux/generic/config-5.10
> index 7b952e8ca8..83004d0879 100644
> --- a/target/linux/generic/config-5.10
> +++ b/target/linux/generic/config-5.10
> @@ -6082,6 +6082,7 @@ CONFIG_TCP_CONG_CUBIC=y
> # CONFIG_TEST_STRING_HELPERS is not set
> # CONFIG_TEST_STRSCPY is not set
> # CONFIG_TEST_SYSCTL is not set
> +# CONFIG_TEST_UBSAN is not set
> # CONFIG_TEST_UDELAY is not set
> # CONFIG_TEST_USER_COPY is not set
> # CONFIG_TEST_UUID is not set
> @@ -6348,6 +6349,7 @@ CONFIG_UBIFS_FS_ZLIB=y
> CONFIG_UBIFS_FS_ZSTD=y
> # CONFIG_UBSAN is not set
> CONFIG_UBSAN_ALIGNMENT=y
> +CONFIG_UBSAN_MISC=y
> # CONFIG_UCB1400_CORE is not set
> # CONFIG_UCSI is not set
> # CONFIG_UDF_FS is not set
> diff --git a/target/linux/generic/config-5.4 b/target/linux/generic/config-5.4
> index c44e9cf40b..bf2b462529 100644
> --- a/target/linux/generic/config-5.4
> +++ b/target/linux/generic/config-5.4
> @@ -5631,6 +5631,7 @@ CONFIG_TCP_CONG_CUBIC=y
> # CONFIG_TEST_STRING_HELPERS is not set
> # CONFIG_TEST_STRSCPY is not set
> # CONFIG_TEST_SYSCTL is not set
> +# CONFIG_TEST_UBSAN is not set
> # CONFIG_TEST_UDELAY is not set
> # CONFIG_TEST_USER_COPY is not set
> # CONFIG_TEST_UUID is not set
>
More information about the openwrt-devel
mailing list