NAME
     kubsan - kernel undefined behavior sanitizer

SYNOPSIS
     option KUBSAN

DESCRIPTION
     kubsan detects undefined behavior at runtime inside the kernel. Detected
     undefined behavior is printed to the system console, including the
     offending line in the source code.

     By default, kubsan is not enabled but instead requires the following line
     to be present in the kernel configuration:

           option KUBSAN

     The following undefined behavior is detected:

     - Integer overflow: The result of an arithmetic computation on two
       integer operands cannot be represented by the destination type.
     - Negate overflow: Negation of an integer cannot be represented by the
       destination type.
     - Pointer overflow: Pointer arithmetic overflow.
     - Out of bounds: Array indexing out of bounds, limited to cases where
       the size of the array can be statically determined.
     - Shift out of bounds: Undefined logical shift caused by:
       - The shift amount being negative.
       - The shift operand being negative.
       - The shift amount exceeding the number of bits as given by the shift
         operand type.
       - The result of the shift computation not being representable by the
         destination type.
     - Non-null argument: Passing NULL as the value for a function argument
       annotated with __nonnull__.
     - Invalid load: Loading a value that cannot be represented by the
       destination type.
     - Type mismatch: Mismatch between pointer and value type caused by:
       - A pointer which does not fulfill the alignment requirements of the
         value type.
       - A pointer to an address which lacks sufficient space to store the
         value type.
     - Unreachable: Execution reached past a function annotated with __dead.
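The integer, negation and shift conditions above, as an added example that is not part of this manual page or of the kubsan source: each operation is written with the explicit precondition that keeps it defined, so the function reports the case kubsan would otherwise flag instead of performing it. It relies on the __builtin_add_overflow builtin that clang (and gcc) provide.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Checked forms of the operations kubsan reports.  Each returns true and
 * stores the result only when the operation is defined, and false exactly
 * where the unchecked operation would be undefined behavior.
 */

/* Integer overflow: a + b must be representable as an int. */
bool
checked_add(int a, int b, int *res)
{
	/* clang builtin: reports the overflow rather than performing it */
	return !__builtin_add_overflow(a, b, res);
}

/* Negate overflow: -INT_MIN is not representable as an int. */
bool
checked_neg(int a, int *res)
{
	if (a == INT_MIN)
		return false;
	*res = -a;
	return true;
}

/* Shift out of bounds: the amount must lie within the operand width,
 * the operand must be non-negative, and no set bit may be shifted out. */
bool
checked_shl(int a, int n, int *res)
{
	const int width = sizeof(int) * CHAR_BIT;
	if (n < 0 || n >= width || a < 0)
		return false;
	if (n > 0 && a > (INT_MAX >> n))
		return false;
	*res = a << n;
	return true;
}

int
main(void)
{
	int r;
	printf("INT_MAX + 1 defined: %d\n", checked_add(INT_MAX, 1, &r));
	printf("1 << 31 defined: %d\n", checked_shl(1, 31, &r));
	return 0;
}
```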
SEE ALSO
HISTORY
     The kubsan implementation is derived from NetBSD and first appeared in
     OpenBSD 6.5.

AUTHORS
     The kubsan implementation was written by Anton Lindqvist
     <anton@openbsd.org>.

CAVEATS
     The kubsan implementation is limited to architectures using clang(1) as
     their default compiler.