From a3aac126ca3a71b6612a817ef24db325618fd902 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Tue, 4 Mar 2025 08:21:29 -0800 Subject: kbuild: clang: Support building UM with SUBARCH=i386 The UM builds distinguish i386 from x86_64 via SUBARCH, but we don't support building i386 directly with Clang. To make SUBARCH work for i386 UM, we need to explicitly test for it. This lets me run i386 KUnit tests with Clang: $ ./tools/testing/kunit/kunit.py run \ --make_options LLVM=1 \ --make_options SUBARCH=i386 ... Fixes: c7500c1b53bf ("um: Allow builds with Clang") Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/r/20250304162124.it.785-kees@kernel.org Tested-by: David Gow Signed-off-by: Kees Cook --- scripts/Makefile.clang | 2 ++ 1 file changed, 2 insertions(+) (limited to 'scripts') diff --git a/scripts/Makefile.clang b/scripts/Makefile.clang index 2435efae67f5..b67636b28c35 100644 --- a/scripts/Makefile.clang +++ b/scripts/Makefile.clang @@ -12,6 +12,8 @@ CLANG_TARGET_FLAGS_riscv := riscv64-linux-gnu CLANG_TARGET_FLAGS_s390 := s390x-linux-gnu CLANG_TARGET_FLAGS_sparc := sparc64-linux-gnu CLANG_TARGET_FLAGS_x86 := x86_64-linux-gnu +# This is only for i386 UM builds, which need the 32-bit target not -m32 +CLANG_TARGET_FLAGS_i386 := i386-linux-gnu CLANG_TARGET_FLAGS_um := $(CLANG_TARGET_FLAGS_$(SUBARCH)) CLANG_TARGET_FLAGS := $(CLANG_TARGET_FLAGS_$(SRCARCH)) -- cgit v1.2.3 From ed2b548f1017586c44f50654ef9febb42d491f31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Thu, 6 Mar 2025 20:19:09 -0800 Subject: ubsan/overflow: Rework integer overflow sanitizer option to turn on everything Since we're going to approach integer overflow mitigation a type at a time, we need to enable all of the associated sanitizers, and then opt into types one at a time. Rename the existing "signed wrap" sanitizer to just the entire topic area: "integer wrap". Enable the implicit integer truncation sanitizers, with required callbacks and tests. Notably, this requires features (currently) only available in Clang, so we can depend on the cc-option tests to determine availability instead of doing version tests. Link: https://lore.kernel.org/r/20250307041914.937329-1-kees@kernel.org Signed-off-by: Kees Cook --- scripts/Makefile.lib | 4 ++-- scripts/Makefile.ubsan | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'scripts') diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index cad20f0e66ee..981d14ef9db2 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -166,8 +166,8 @@ _c_flags += $(if $(patsubst n%,, \ $(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_SANITIZE)$(is-kernel-object)), \ $(CFLAGS_UBSAN)) _c_flags += $(if $(patsubst n%,, \ - $(UBSAN_SIGNED_WRAP_$(target-stem).o)$(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_SIGNED_WRAP)$(UBSAN_SANITIZE)$(is-kernel-object)), \ - $(CFLAGS_UBSAN_SIGNED_WRAP)) + $(UBSAN_INTEGER_WRAP_$(target-stem).o)$(UBSAN_SANITIZE_$(target-stem).o)$(UBSAN_INTEGER_WRAP)$(UBSAN_SANITIZE)$(is-kernel-object)), \ + $(CFLAGS_UBSAN_INTEGER_WRAP)) endif ifeq ($(CONFIG_KCOV),y) diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index b2d3b273b802..4fad9afed24c 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -14,5 +14,9 @@ ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined export CFLAGS_UBSAN := $(ubsan-cflags-y) -ubsan-signed-wrap-cflags-$(CONFIG_UBSAN_SIGNED_WRAP) += -fsanitize=signed-integer-overflow -export CFLAGS_UBSAN_SIGNED_WRAP := $(ubsan-signed-wrap-cflags-y) +ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ + -fsanitize=signed-integer-overflow \ + -fsanitize=unsigned-integer-overflow \ + -fsanitize=implicit-signed-integer-truncation \ + -fsanitize=implicit-unsigned-integer-truncation +export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) -- cgit v1.2.3 From 272a767063a6856cd1e18bb951d2be4f047b9858 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Thu, 6 Mar 2025 20:19:10 -0800 Subject: ubsan/overflow: Enable pattern exclusions To make integer wrap-around mitigation actually useful, the associated sanitizers must not instrument cases where the wrap-around is explicitly defined (e.g. "-2UL"), being tested for (e.g. "if (a + b < a)"), or where it has no impact on code flow (e.g. "while (var--)"). Enable pattern exclusions for the integer wrap sanitizers. Reviewed-by: Justin Stitt Link: https://lore.kernel.org/r/20250307041914.937329-2-kees@kernel.org Signed-off-by: Kees Cook --- scripts/Makefile.ubsan | 1 + 1 file changed, 1 insertion(+) (limited to 'scripts') diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 4fad9afed24c..233379c193a7 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -15,6 +15,7 @@ ubsan-cflags-$(CONFIG_UBSAN_TRAP) += $(call cc-option,-fsanitize-trap=undefined export CFLAGS_UBSAN := $(ubsan-cflags-y) ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ + -fsanitize-undefined-ignore-overflow-pattern=all \ -fsanitize=signed-integer-overflow \ -fsanitize=unsigned-integer-overflow \ -fsanitize=implicit-signed-integer-truncation \ -- cgit v1.2.3 From 47f4af43e7c0cf702d6a6321542f0c0d9c4216e3 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Thu, 6 Mar 2025 20:19:11 -0800 Subject: ubsan/overflow: Enable ignorelist parsing and add type filter Limit integer wrap-around mitigation to only the "size_t" type (for now). Notably this covers all special functions/builtins that return "size_t", like sizeof(). This remains an experimental feature and is likely to be replaced with type annotations. Reviewed-by: Justin Stitt Link: https://lore.kernel.org/r/20250307041914.937329-3-kees@kernel.org Signed-off-by: Kees Cook --- scripts/Makefile.ubsan | 3 ++- scripts/integer-wrap-ignore.scl | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 scripts/integer-wrap-ignore.scl (limited to 'scripts') diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 233379c193a7..9e35198edbf0 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -19,5 +19,6 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) += \ -fsanitize=signed-integer-overflow \ -fsanitize=unsigned-integer-overflow \ -fsanitize=implicit-signed-integer-truncation \ - -fsanitize=implicit-unsigned-integer-truncation + -fsanitize=implicit-unsigned-integer-truncation \ + -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) diff --git a/scripts/integer-wrap-ignore.scl b/scripts/integer-wrap-ignore.scl new file mode 100644 index 000000000000..431c3053a4a2 --- /dev/null +++ b/scripts/integer-wrap-ignore.scl @@ -0,0 +1,3 @@ +[{unsigned-integer-overflow,signed-integer-overflow,implicit-signed-integer-truncation,implicit-unsigned-integer-truncation}] +type:* +type:size_t=sanitize -- cgit v1.2.3