On Sun, Feb 01, 2026 at 12:47:41PM +0100, Peter Zijlstra wrote:
> On Sat, Jan 31, 2026 at 10:42:35AM -0800, Kees Cook wrote:
> > On Sat, Jan 31, 2026 at 10:39:42AM +0100, Salvatore Bonaccorso wrote:
> > > Kees, Peter approached the Debian kernel list above to drop
> > > CONFIG_UBSAN again, which, so I think we need to revert your
> > > 6cfadabfe015 ("Enable UBSAN_BOUNDS and UBSAN_SHIFT"):
> > > https://salsa.debian.org/kernel-team/linux/-/commit/6cfadabfe015fa0d659fc8e3efd495cbcae3e44e
> > >
> > > I have make a MR for our packaging for the change in
> > > https://salsa.debian.org/kernel-team/linux/-/merge_requests/1804
> >
> > I am strongly opposed -- this undoes years of security flaw mitigation
> > work and leaves Debian (and only Debian!) exposed to trivial array index
> > overflows. The bounds sanitizer is the corner stone of memory safety
> > for C, and is not some "experimental" feature. GCC has a long history
> > of trouble with inlining, so this is not something unique to enabling
> > this feature.
> >
> > I replied similarly to the PR. This would be a major mistake to disable.
>
> Why the heck is bounds checking part of UBSAN? The simple fix here is to
> get it out from CONFIG_UBSAN, so that CONFIG_UBSAN is debug only crap.
Out of bounds accesses are considered "undefined". *sigh*
But yes, now that we have the "transitional" kconfig symbols I can
trivially rename CONFIG_UBSAN_BOUNDS and remove its CONFIG_UBSAN
dependency.
> Notably, none of the UBSAN configs that tripped the optimization fail
> even had bounds checking enabled.
Which ones tripped it? KASAN (in software tagging mode) is usually the
heavy-weight one that considerably bloats code generation. I haven't
seen systemic problems with -fsanitize=bounds, and I thought the weird
cases (which confused the value range tracking) with -fsanitize=shift
got fixed back in GCC 12 (or maybe 13).
-Kees
--
Kees Cook
