On Wed, May 28, 2025 at 6:46 PM Kees Cook [off-list ref] wrote:
> On Tue, May 27, 2025 at 11:14:27PM -0700, Eric Biggers wrote:
> > If this new sanitizer is going to move forward, is there any sort of plan or
> > guide for how to update code to be compatible with it? Specifically considering
> > common situations where unsigned wraparound (which is defined behavior in C) can
> > be intentionally relied on, like calculating the distance from the next N-byte
> > boundary. What are the best practices now?
>
> Hi, yes, this is still under development. I tried to make it hard to
> enable accidentally (not via COMPILE_TEST, not UBSAN-default, etc), but
> we (still) don't have a way to disable configs for randconfigs. :(
>
> We're hoping to see Clang 21 with the more versatile Overflow Behavior Types:
> https://discourse.llvm.org/t/rfc-v2-clang-introduce-overflowbehaviortypes-for-wrapping-and-non-wrapping-arithmetic/86507
> and our current testing is showing many fewer false positives. (Having
> run syzkaller for weeks now.)
>
> > Documentation/dev-tools/ubsan.rst says nothing about this and only mentions
> > "undefined behavior", which this is not.
>
> Right -- this will get extensive documentation before we move it out of
> its development phase.
>
> I'm not sure how to enforce "don't enable this unless you're developing
> the Overflow Behavior Types" with current Kconfig, given the randconfig
> gap... I have some memory of Arnd doing something special with his
> randconfigs to avoid these kinds of things, but I can't find it now.
You could depend on CONFIG_BROKEN, the canonical "if you enable this
and stuff breaks, it's your fault" flag?
Or if you want something even more explicit, maybe something like this
would do the job, so that you have to set an environment variable for
the kernel build to unlock the feature? (To be clear, I'm not fluent
in kconfig, and this is almost certainly a terribly convoluted way of
writing this - if you like the idea you should figure out the proper
syntax.)
config VERY_BROKEN
def_bool $(success,sh -c 'echo $ENABLE_VERY_BROKEN_STUFF | grep "^y$"')
config FOO
depends on VERY_BROKEN
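The "distance to the next N-byte boundary" case Eric raises, as an added illustration that is not part of this thread and not kernel code: the usual idiom negates the address and masks, which deliberately wraps, and a wraparound sanitizer will report that negation on every non-zero input even though the result is correct. The second function below computes the same value with no wrapping operation at all, and a small exhaustive check shows the two agree, including the already-aligned case. Function names and the sample range are illustrative; N must be a power of two in both forms.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Bytes of padding from `addr` up to the next n-byte boundary, 0 if addr
 * is already aligned. n must be a power of two.
 *
 * This is the classic idiom: -addr is computed as 0 - addr, which wraps
 * for every non-zero addr. The result is still correct, because the low
 * bits of -addr are exactly (n - addr) mod n, but a sanitizer that flags
 * unsigned wraparound reports the subtraction here.
 */
static inline size_t pad_to_boundary_wrapping(uintptr_t addr, size_t n)
{
	return (size_t)(-addr & (n - 1));
}

/*
 * Same result with no wrapping operation: rem is in [0, n), so n - rem is
 * in (0, n], and the final mask folds the n of the already-aligned case
 * back to 0. Every intermediate value stays within range.
 */
static inline size_t pad_to_boundary_no_wrap(uintptr_t addr, size_t n)
{
	uintptr_t rem = addr & (n - 1);

	return (size_t)((n - rem) & (n - 1));
}

/*
 * Exhaustively compare both forms for every address below `limit`.
 * Returns 1 if they agree everywhere, 0 on the first mismatch.
 */
int forms_agree(size_t n, uintptr_t limit)
{
	for (uintptr_t a = 0; a < limit; a++)
		if (pad_to_boundary_wrapping(a, n) != pad_to_boundary_no_wrap(a, n))
			return 0;
	return 1;
}

int main(void)
{
	/* Constructed sample addresses around an 8-byte boundary. */
	static const uintptr_t samples[] = { 0, 1, 7, 8, 9, 15, 16, 4095, 4096 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("addr=%4lu  wrapping=%zu  no_wrap=%zu\n",
		       (unsigned long)samples[i],
		       pad_to_boundary_wrapping(samples[i], 8),
		       pad_to_boundary_no_wrap(samples[i], 8));

	printf("agree for n=8 over [0,4096): %d\n", forms_agree(8, 4096));
	printf("agree for n=64 over [0,4096): %d\n", forms_agree(64, 4096));
	return 0;
}
```

Building the first form with clang's `-fsanitize=unsigned-integer-overflow` reports the negation, while the second form compiles clean under it; both generate the same single AND-and-subtract sequence at -O2, so the rewrite costs nothing. The same reasoning applies to the related `ALIGN(x, n) - x` pattern, where `x + (n - 1)` can wrap near the top of the address space.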