kubsan — kernel undefined behavior sanitizer
kubsan detects undefined behavior at
runtime inside the kernel. Detected undefined behavior is printed to the
system console, including the offending line in the source code.
By default, kubsan is not enabled but
instead requires the following line to be present in the kernel
configuration:
The following undefined behavior is detected:

- Float cast overflow
  The conversion from a floating point value to an integer cannot be
  represented by the destination type.
- Integer overflow
  The result of an arithmetic computation on two integer operands cannot be
  represented by the destination type.
- Negate overflow
  Negation of an integer cannot be represented by the destination type.
- Pointer overflow
  Pointer arithmetic whose result wraps around the address space.
- Out of bounds
  Array indexing out of bounds, limited to cases where the size of the array
  can be statically determined.
- Shift out of bounds
  Undefined shift caused by:
  - The shift amount being negative.
  - The shift operand (the left-hand side of a left shift) being negative.
  - The shift amount equalling or exceeding the number of bits in the shift
    operand type.
  - The result of the shift computation cannot be represented by the
    destination type.
- Non-null argument
  Passing NULL as the value for a function argument annotated with
  __nonnull__.
- Invalid builtin
  Passing zero to a compiler builtin where not allowed, such as
  __builtin_ctz() or __builtin_clz(), whose result is undefined for zero.
- Invalid load
  Loading a value that cannot be represented by the destination type, for
  instance a bool holding anything other than 0 or 1, or an enum holding a
  value outside its declared range.
- Type mismatch
  Mismatch between pointer and value type caused by:
  - A pointer which does not fulfill the alignment requirements of the
    value type.
  - A pointer to an address which lacks sufficient space to store the
    value type.
- Unreachable
  Execution continued past a call to a function annotated with __dead, that
  is, a function declared as never returning has returned.
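The following is an added example and is not code from kubsan or from the OpenBSD tree. Each helper refuses, before performing it, an operation from one of the classes listed above (integer and negate overflow, shift out of bounds, out-of-bounds indexing, pointer overflow, and the two type-mismatch conditions), so the sanitizer would stay silent on code written this way. The function names, the return convention and the constructed sample data are assumptions made for the illustration.

```c
/*
 * Added example, not part of kubsan or the OpenBSD tree.  Every helper
 * returns 0 and stores its result through the out pointer, or returns -1
 * when the requested operation would be undefined behavior.  Names and
 * sample data are assumptions for this illustration.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Integer overflow: the sum does not fit in an int. */
int
add_checked(int a, int b, int *res)
{
	return (__builtin_add_overflow(a, b, res) ? -1 : 0);
}

/* Negate overflow: -INT_MIN is not representable as an int. */
int
neg_checked(int a, int *res)
{
	if (a == INT_MIN)
		return (-1);
	*res = -a;
	return (0);
}

/* Shift out of bounds: rejects all four conditions for a left shift. */
int
shl_checked(int v, int n, int *res)
{
	if (n < 0 || n >= (int)(sizeof(int) * CHAR_BIT))
		return (-1);		/* shift amount out of range */
	if (v < 0)
		return (-1);		/* negative shift operand */
	if (v > (INT_MAX >> n))
		return (-1);		/* result not representable */
	*res = v << n;
	return (0);
}

/* Out of bounds: index into an array whose size is statically known. */
static const uint8_t table[16] = {	/* constructed sample data */
	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

int
table_at(size_t i, uint8_t *res)
{
	if (i >= sizeof(table) / sizeof(table[0]))
		return (-1);
	*res = table[i];
	return (0);
}

/*
 * Pointer overflow: base + off must stay within the object (one past the
 * end is the most that is allowed) and must not wrap the address space.
 */
int
ptr_advance(const uint8_t *base, size_t len, size_t off, const uint8_t **res)
{
	if (off > len || (uintptr_t)base + off < (uintptr_t)base)
		return (-1);
	*res = base + off;
	return (0);
}

/*
 * Type mismatch: a 4-byte load needs both room in the buffer and a pointer
 * aligned for uint32_t.  memcpy performs the load so that no misaligned
 * dereference is ever emitted even on architectures that tolerate one.
 */
int
load_u32(const uint8_t *buf, size_t len, size_t off, uint32_t *res)
{
	if (len < sizeof(*res) || off > len - sizeof(*res))
		return (-1);		/* insufficient space */
	if ((uintptr_t)(buf + off) % __alignof__(uint32_t) != 0)
		return (-1);		/* misaligned for the value type */
	memcpy(res, buf + off, sizeof(*res));
	return (0);
}

/* Constructed sample buffer, aligned so that offsets 0 and 4 are valid. */
static const uint8_t sample[8] __attribute__((aligned(__alignof__(uint32_t)))) = {
	0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

int
main(void)
{
	int r;
	uint32_t u;
	const uint8_t *p;

	printf("INT_MAX + 1: %s\n", add_checked(INT_MAX, 1, &r) ? "rejected" : "ok");
	printf("1 << 31:     %s\n", shl_checked(1, 31, &r) ? "rejected" : "ok");
	printf("sample + 9:  %s\n", ptr_advance(sample, sizeof(sample), 9, &p) ? "rejected" : "ok");
	printf("u32 at +1:   %s\n", load_u32(sample, sizeof(sample), 1, &u) ? "rejected" : "ok");
	return (0);
}
```

Outside the kernel the same classes can be exercised by compiling a test program with clang -fsanitize=undefined, which reports through the same __ubsan_handle_* runtime hooks that kubsan implements, so a check can be tried in userland before it is relied upon in kernel code.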
The kubsan implementation is derived from
NetBSD and first appeared in
OpenBSD 6.5.
The kubsan implementation is limited to
architectures using clang(1) as
their default compiler.