Hi, On Thu, Mar 06, 2025 at 08:19:11PM -0800, Kees Cook wrote: > Limit integer wrap-around mitigation to only the "size_t" type (for > now). Notably this covers all special functions/builtins that return > "size_t", like sizeof(). This remains an experimental feature and is > likely to be replaced with type annotations.
For future travelers, track the progress of type annotations over at [1]. There's still discussion on how these will be implemented in Clang. > > Signed-off-by: Kees Cook <[email protected]> > --- > Cc: Justin Stitt <[email protected]> > Cc: "Gustavo A. R. Silva" <[email protected]> > Cc: Marco Elver <[email protected]> > Cc: Andrey Konovalov <[email protected]> > Cc: Andrey Ryabinin <[email protected]> > Cc: Andrew Morton <[email protected]> > Cc: Masahiro Yamada <[email protected]> > Cc: Nathan Chancellor <[email protected]> > Cc: Nicolas Schier <[email protected]> > Cc: [email protected] > Cc: [email protected] > Cc: [email protected] > --- > lib/Kconfig.ubsan | 1 + > scripts/Makefile.ubsan | 3 ++- > scripts/integer-wrap-ignore.scl | 3 +++ > 3 files changed, 6 insertions(+), 1 deletion(-) > create mode 100644 scripts/integer-wrap-ignore.scl > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > index 888c2e72c586..4216b3a4ff21 100644 > --- a/lib/Kconfig.ubsan > +++ b/lib/Kconfig.ubsan > @@ -125,6 +125,7 @@ config UBSAN_INTEGER_WRAP > depends on $(cc-option,-fsanitize=unsigned-integer-overflow) > depends on $(cc-option,-fsanitize=implicit-signed-integer-truncation) > depends on $(cc-option,-fsanitize=implicit-unsigned-integer-truncation) > + depends on $(cc-option,-fsanitize-ignorelist=/dev/null) > help > This option enables all of the sanitizers involved in integer overflow > (wrap-around) mitigation: signed-integer-overflow, > unsigned-integer-overflow, > diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan > index 233379c193a7..9e35198edbf0 100644 > --- a/scripts/Makefile.ubsan > +++ b/scripts/Makefile.ubsan > @@ -19,5 +19,6 @@ ubsan-integer-wrap-cflags-$(CONFIG_UBSAN_INTEGER_WRAP) > += \ > -fsanitize=signed-integer-overflow \ > -fsanitize=unsigned-integer-overflow \ > -fsanitize=implicit-signed-integer-truncation \ > - -fsanitize=implicit-unsigned-integer-truncation > + -fsanitize=implicit-unsigned-integer-truncation \ > + -fsanitize-ignorelist=$(srctree)/scripts/integer-wrap-ignore.scl > export CFLAGS_UBSAN_INTEGER_WRAP := $(ubsan-integer-wrap-cflags-y) > diff --git a/scripts/integer-wrap-ignore.scl b/scripts/integer-wrap-ignore.scl > new file mode 100644 > index 000000000000..431c3053a4a2 > --- /dev/null > +++ b/scripts/integer-wrap-ignore.scl > @@ -0,0 +1,3 @@ > +[{unsigned-integer-overflow,signed-integer-overflow,implicit-signed-integer-truncation,implicit-unsigned-integer-truncation}] > +type:* > +type:size_t=sanitize Hi again future travelers, sanitizer special case list support for overflow/truncation sanitizers as well as the "=sanitize" comes from a new Clang 20 feature allowing SCL's to specify sanitize categories, see [2]. > -- > 2.34.1 > > The plumbing looks correct, Reviewed-by: Justin Stitt <[email protected]> [1]: https://discourse.llvm.org/t/rfc-clang-canonical-wrapping-and-non-wrapping-types/84356 [2]: https://github.com/llvm/llvm-project/pull/107332 Thanks Justin
