[PATCH 6/6] ubsan: Get x86_64 booting with unsigned wrap-around sanitizer

From: Kees Cook
Date: Mon Jan 29 2024 - 13:02:28 EST


In order to get x86_64 booting with the unsigned wrap-around sanitizer,
instrumentation needs to be disabled entirely (with "UBSAN_UNSIGNED_WRAP := n")
for several kernel areas that depend heavily on unsigned wrap-around. As we
fine-tune the sanitizer, we can revisit these and apply finer-grained annotations.

Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/apic/Makefile | 1 +
arch/x86/mm/Makefile | 1 +
arch/x86/mm/pat/Makefile | 1 +
crypto/Makefile | 1 +
drivers/acpi/Makefile | 1 +
kernel/Makefile | 1 +
kernel/locking/Makefile | 1 +
kernel/rcu/Makefile | 1 +
kernel/sched/Makefile | 1 +
lib/Kconfig.ubsan | 5 +++--
lib/Makefile | 1 +
lib/crypto/Makefile | 1 +
lib/crypto/mpi/Makefile | 1 +
lib/zlib_deflate/Makefile | 1 +
lib/zstd/Makefile | 2 ++
mm/Makefile | 1 +
net/core/Makefile | 1 +
net/ipv4/Makefile | 1 +
19 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index 0000325ab98f..de93f8b8a149 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -30,6 +30,7 @@ KASAN_SANITIZE_sev.o := n

# With some compiler versions the generated code results in boot hangs, caused
# by several compilation units. To be safe, disable all instrumentation.
+UBSAN_WRAP_UNSIGNED := n
KCSAN_SANITIZE := n
KMSAN_SANITIZE_head$(BITS).o := n
KMSAN_SANITIZE_nmi.o := n
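Review bot: The variable added here is spelled `UBSAN_WRAP_UNSIGNED`, while the commit message quotes `UBSAN_UNSIGNED_WRAP := n` and the Kconfig symbol touched in lib/Kconfig.ubsan is `UBSAN_UNSIGNED_WRAP`, so one of the two spellings is presumably a slip. Make does not warn about a variable nobody reads, so if the build rules consume the other name, this line and the identical line in every other Makefile of this patch silently do nothing. The rule that consumes the variable is not part of this patch; please confirm the name against it and make the commit message match.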
diff --git a/arch/x86/kernel/apic/Makefile b/arch/x86/kernel/apic/Makefile
index 3bf0487cf3b7..aa97b5830b64 100644
--- a/arch/x86/kernel/apic/Makefile
+++ b/arch/x86/kernel/apic/Makefile
@@ -6,6 +6,7 @@
# Leads to non-deterministic coverage that is not a function of syscall inputs.
# In particular, smp_apic_timer_interrupt() is called in random places.
KCOV_INSTRUMENT := n
+UBSAN_WRAP_UNSIGNED := n

obj-$(CONFIG_X86_LOCAL_APIC) += apic.o apic_common.o apic_noop.o ipi.o vector.o init.o
obj-y += hw_nmi.o
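Review bot: The added `UBSAN_WRAP_UNSIGNED := n` sits directly under a comment that explains only the KCOV exclusion (non-deterministic coverage), which is not a reason to turn off a wrap-around check. A reader will take that comment as the rationale for both lines. Give the new line its own comment, e.g. `# Relies on unsigned wrap-around; sanitizer disabled until finer-grained annotations exist.` The same placement occurs in kernel/locking/Makefile, kernel/rcu/Makefile and kernel/sched/Makefile.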
diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
index c80febc44cd2..7a43466d4581 100644
--- a/arch/x86/mm/Makefile
+++ b/arch/x86/mm/Makefile
@@ -1,5 +1,6 @@
# SPDX-License-Identifier: GPL-2.0
# Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c
+UBSAN_WRAP_UNSIGNED := n
KCOV_INSTRUMENT_tlb.o := n
KCOV_INSTRUMENT_mem_encrypt.o := n
KCOV_INSTRUMENT_mem_encrypt_amd.o := n
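Review bot: The new line is inserted between the comment `Kernel does not boot with instrumentation of tlb.c and mem_encrypt*.c` and the per-object `KCOV_INSTRUMENT_*.o` lines that comment describes, so the comment now reads as if it justified a directory-wide UBSAN opt-out. The comment names specific files, whereas `UBSAN_WRAP_UNSIGNED := n` applies to everything built from arch/x86/mm. Place the new line after the existing per-object exclusions (they appear to continue outside the hunk) with its own one-line reason. If only a few objects need it, a per-object form in the style of `KCOV_INSTRUMENT_tlb.o := n` would keep the rest of the directory instrumented, assuming the build rules support one for this sanitizer.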
diff --git a/arch/x86/mm/pat/Makefile b/arch/x86/mm/pat/Makefile
index ea464c995161..281a5786c5ea 100644
--- a/arch/x86/mm/pat/Makefile
+++ b/arch/x86/mm/pat/Makefile
@@ -1,4 +1,5 @@
# SPDX-License-Identifier: GPL-2.0
+UBSAN_WRAP_UNSIGNED := n

obj-y := set_memory.o memtype.o

diff --git a/crypto/Makefile b/crypto/Makefile
index 408f0a1f9ab9..c7b23d99e715 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -2,6 +2,7 @@
#
# Cryptographic API
#
+UBSAN_WRAP_UNSIGNED := n

obj-$(CONFIG_CRYPTO) += crypto.o
crypto-y := api.o cipher.o compress.o
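Review bot: This directory-wide opt-out is added with no comment saying why crypto/ needs it or when it can be narrowed; the rationale exists only in the commit message. The same bare line is added in arch/x86/mm/pat, drivers/acpi, kernel, lib, lib/crypto, lib/crypto/mpi, lib/zlib_deflate, lib/zstd and mm. A one-line comment above each, such as `# Relies on unsigned wrap-around; unsigned-wrap checking disabled for now, revisit with finer-grained annotations.`, would let someone auditing sanitizer coverage find and revisit these exclusions.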
diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile
index 12ef8180d272..92a8e8563b1b 100644
--- a/drivers/acpi/Makefile
+++ b/drivers/acpi/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the Linux ACPI interpreter
#
+UBSAN_WRAP_UNSIGNED := n

ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT

diff --git a/kernel/Makefile b/kernel/Makefile
index ce105a5558fc..1b31aa19b4fb 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the linux kernel.
#
+UBSAN_WRAP_UNSIGNED := n

obj-y = fork.o exec_domain.o panic.o \
cpu.o exit.o softirq.o resource.o \
diff --git a/kernel/locking/Makefile b/kernel/locking/Makefile
index 0db4093d17b8..dd6492509596 100644
--- a/kernel/locking/Makefile
+++ b/kernel/locking/Makefile
@@ -2,6 +2,7 @@
# Any varying coverage in these files is non-deterministic
# and is generally not a function of system call inputs.
KCOV_INSTRUMENT := n
+UBSAN_WRAP_UNSIGNED := n

obj-y += mutex.o semaphore.o rwsem.o percpu-rwsem.o

diff --git a/kernel/rcu/Makefile b/kernel/rcu/Makefile
index 0cfb009a99b9..305c13042633 100644
--- a/kernel/rcu/Makefile
+++ b/kernel/rcu/Makefile
@@ -2,6 +2,7 @@
# Any varying coverage in these files is non-deterministic
# and is generally not a function of system call inputs.
KCOV_INSTRUMENT := n
+UBSAN_WRAP_UNSIGNED := n

ifeq ($(CONFIG_KCSAN),y)
KBUILD_CFLAGS += -g -fno-omit-frame-pointer
diff --git a/kernel/sched/Makefile b/kernel/sched/Makefile
index 976092b7bd45..e487b0e86c2e 100644
--- a/kernel/sched/Makefile
+++ b/kernel/sched/Makefile
@@ -7,6 +7,7 @@ ccflags-y += $(call cc-disable-warning, unused-but-set-variable)
# These files are disabled because they produce non-interesting flaky coverage
# that is not a function of syscall inputs. E.g. involuntary context switches.
KCOV_INSTRUMENT := n
+UBSAN_WRAP_UNSIGNED := n

# Disable KCSAN to avoid excessive noise and performance degradation. To avoid
# false positives ensure barriers implied by sched functions are instrumented.
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
index 0611120036eb..54981e717355 100644
--- a/lib/Kconfig.ubsan
+++ b/lib/Kconfig.ubsan
@@ -132,8 +132,9 @@ config UBSAN_UNSIGNED_WRAP
depends on !COMPILE_TEST
help
This option enables -fsanitize=unsigned-integer-overflow which checks
- for wrap-around of any arithmetic operations with unsigned integers. This
- currently causes x86 to fail to boot.
+ for wrap-around of any arithmetic operations with unsigned integers.
+ Given the history of C and the many common code patterns involving
+ unsigned wrap-around, this is a very noisy option right now.

config UBSAN_POINTER_WRAP
bool "Perform checking for pointer arithmetic wrap-around"
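Review bot: The reworded help text no longer tells the user that the option does not cover the whole kernel, even though this patch turns the check off for entire directories, including crypto, mm, kernel, lib, net/core and net/ipv4. Someone enabling it for hardening or fuzzing could assume wrap-around in those areas is being checked. Consider adding a sentence such as `Several core areas are currently excluded from this instrumentation via UBSAN_WRAP_UNSIGNED := n in their Makefiles.`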
diff --git a/lib/Makefile b/lib/Makefile
index 6b09731d8e61..2b7c36e9291f 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for some libs needed in the kernel.
#
+UBSAN_WRAP_UNSIGNED := n

ccflags-remove-$(CONFIG_FUNCTION_TRACER) += $(CC_FLAGS_FTRACE)

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 8d1446c2be71..fce88a337a53 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -1,4 +1,5 @@
# SPDX-License-Identifier: GPL-2.0
+UBSAN_WRAP_UNSIGNED := n

obj-$(CONFIG_CRYPTO_LIB_UTILS) += libcryptoutils.o
libcryptoutils-y := memneq.o utils.o
diff --git a/lib/crypto/mpi/Makefile b/lib/crypto/mpi/Makefile
index 6e6ef9a34fe1..ce95653915b1 100644
--- a/lib/crypto/mpi/Makefile
+++ b/lib/crypto/mpi/Makefile
@@ -2,6 +2,7 @@
#
# MPI multiprecision maths library (from gpg)
#
+UBSAN_WRAP_UNSIGNED := n

obj-$(CONFIG_MPILIB) = mpi.o

diff --git a/lib/zlib_deflate/Makefile b/lib/zlib_deflate/Makefile
index 2622e03c0b94..5d71690554bb 100644
--- a/lib/zlib_deflate/Makefile
+++ b/lib/zlib_deflate/Makefile
@@ -6,6 +6,7 @@
# This is the compression code, see zlib_inflate for the
# decompression code.
#
+UBSAN_WRAP_UNSIGNED := n

obj-$(CONFIG_ZLIB_DEFLATE) += zlib_deflate.o

diff --git a/lib/zstd/Makefile b/lib/zstd/Makefile
index 20f08c644b71..7a187cb08c1f 100644
--- a/lib/zstd/Makefile
+++ b/lib/zstd/Makefile
@@ -8,6 +8,8 @@
# in the COPYING file in the root directory of this source tree).
# You may select, at your option, one of the above-listed licenses.
# ################################################################
+UBSAN_WRAP_UNSIGNED := n
+
obj-$(CONFIG_ZSTD_COMPRESS) += zstd_compress.o
obj-$(CONFIG_ZSTD_DECOMPRESS) += zstd_decompress.o
obj-$(CONFIG_ZSTD_COMMON) += zstd_common.o
diff --git a/mm/Makefile b/mm/Makefile
index e4b5b75aaec9..cacbdd1a2d40 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the linux memory manager.
#
+UBSAN_WRAP_UNSIGNED := n

KASAN_SANITIZE_slab_common.o := n
KASAN_SANITIZE_slub.o := n
diff --git a/net/core/Makefile b/net/core/Makefile
index 821aec06abf1..501d7300da83 100644
--- a/net/core/Makefile
+++ b/net/core/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the Linux networking core.
#
+UBSAN_WRAP_UNSIGNED := n

obj-y := sock.o request_sock.o skbuff.o datagram.o stream.o scm.o \
gen_stats.o gen_estimator.o net_namespace.o secure_seq.o \
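Review bot: Excluding all of net/core here, and all of net/ipv4 in the next hunk, removes the check from code that does length and offset arithmetic on data received from the network, which is where an unexpected unsigned wrap is most likely to matter for memory safety. The commit message says finer-grained annotations will follow, but nothing in either Makefile records that the exclusion is meant to be temporary. If the boot failures trace to a few objects, restricting the opt-out to those would keep the rest instrumented. Otherwise add a comment such as `# Temporary: whole directory excluded from unsigned wrap-around checking to get x86_64 booting.` above the new line in both files.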
diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index ec36d2ec059e..c738d463bb7e 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -2,6 +2,7 @@
#
# Makefile for the Linux TCP/IP (INET) layer.
#
+UBSAN_WRAP_UNSIGNED := n

obj-y := route.o inetpeer.o protocol.o \
ip_input.o ip_fragment.o ip_forward.o ip_options.o \
--
2.34.1