[U-Boot] [PATCH 0/8] Import Undefined Behavior Sanitizer

[U-Boot] [PATCH 0/8] Import Undefined Behavior Sanitizer

[Eugeniu Rosca]

While certain classes of bugs (e.g. locking related) are totally
irrelevant for U-Boot, undefined behavior is something U-Boot may
experience all over the place and this certainly can lead to hidden
and difficult to debug issues.

As of v4.18, Linux kernel contains roughly 119 UBSAN fixes [1]. Hence
the sanity checker has been quite a productive and useful tool to play
with during development.

Thanks to UBSAN, this series proposes 7 (+1 in [2]) UB fixes, revealed
by a simple cold boot of sandbox and arm64 R-Car Gen3 U-Boot. There
could be more issues in arch/platform/board-specific code, whose
reproduction needs specific hardware.

A certain class of UBs [3] is reported regularly at runtime and looks
to be related to the implementation of U-Boot linker-generated arrays.
I believe some feedback from the authors/maintainers of those is
required to assess if this is a UBSAN false positive or a real bug.

This series collects the low-hanging fruit and leaves others to
experiment with UBSAN themselves.

Best regards,
Eugeniu.

[1] git log --oneline --no-merges --grep UBSAN v4.18 | wc -l
    119
[2] https://patchwork.ozlabs.org/patch/957323/
[3] Either a false-positive or a bug in "include/linker_lists.h":
=================================================================
UBSAN: Undefined behaviour in drivers/core/lists.c:28:26
load of address 000000000075f180 with insufficient space
for an object of type 'char *'
=================================================================

Eugeniu Rosca (8):
  UBSAN: run-time undefined behavior sanity checker
  mmc: Fix "left shift in type int" undefined behavior
  armv8: mmu: Fix "left shift in type int" undefined behavior
  pinctrl: renesas: Fix "left shift in type int" undefined behavior
  net: phy: Fix "left shift in type int" undefined behavior
  net: ravb: Fix "left shift in type int" undefined behavior
  mmc: Fix read-past-end-of-array undefined behavior
  hashtable: Fix zero-sized array undefined behavior

 Makefile                         |   3 +-
 arch/Kconfig                     |   1 +
 arch/arm/Kconfig                 |   1 +
 arch/arm/include/asm/armv8/mmu.h |   8 +-
 drivers/mmc/mmc.c                |   4 +-
 drivers/net/phy/phy.c            |   4 +-
 drivers/net/ravb.c               |  16 +-
 drivers/pinctrl/renesas/sh_pfc.h |  14 +-
 examples/standalone/Makefile     |   2 +
 include/linux/compat.h           |   3 +
 include/search.h                 |   2 +-
 lib/Kconfig                      |   1 +
 lib/Kconfig.ubsan                |  29 ++
 lib/Makefile                     |   3 +
 lib/hashtable.c                  |   4 +-
 lib/linux_compat.c               |   3 +
 lib/ubsan.c                      | 461 +++++++++++++++++++++++++++++++
 lib/ubsan.h                      |  94 +++++++
 scripts/Makefile.lib             |   6 +
 scripts/Makefile.ubsan           |  20 ++
 20 files changed, 652 insertions(+), 27 deletions(-)
 create mode 100644 lib/Kconfig.ubsan
 create mode 100644 lib/ubsan.c
 create mode 100644 lib/ubsan.h
 create mode 100644 scripts/Makefile.ubsan

-- 
2.18.0

[U-Boot] [PATCH 1/8] UBSAN: run-time undefined behavior sanity checker

[Eugeniu Rosca]

Import Undefined Behavior SANitizer from Linux Kernel v4.18, as
implemented by Andrey Ryabinin <aryabinin@virtuozzo.com>.

Roughly, the UBSAN development history in Linux kernel looks like:

$ git log --format="%h (\"%s\")" --no-merges -- "*ubsan*"
v4.18     3ca17b1f3628 ("lib/ubsan: remove null-pointer checks")
v4.17-rc1 317506009216 ("lib/test_ubsan.c: make test_ubsan_misaligned_access() static")
v4.17-rc1 854686f4edf4 ("lib: add testing module for UBSAN")
v4.16-rc1 bac7a1fff792 ("lib/ubsan: remove returns-nonnull-attribute checks")
v4.16-rc1 42440c1f9911 ("lib/ubsan: add type mismatch handler for new GCC/Clang")
v4.16-rc1 b8fe1120b4ba ("lib/ubsan.c: s/missaligned/misaligned/")
v4.14-rc8 b24413180f56 ("License cleanup: add SPDX GPL-2.0 license identifier to files with no license")
v4.10-rc1 0462554707d6 ("Kconfig: lib/Kconfig.ubsan fix reference to ubsan documentation")
 v4.9-rc5 a76bcf557ef4 ("Kbuild: enable -Wmaybe-uninitialized warning for "make W=1"")
 v4.9-rc1 725c4d22bbc4 ("ubsan: allow to disable the null sanitizer")
 v4.9-rc1 1ead009cd622 ("docs: sphinxify ubsan.txt and move it to dev-tools")
 v4.8-rc1 901d805c33fc ("UBSAN: fix typo in format string")
 v4.8-rc1 6e8d666e9253 ("Disable "maybe-uninitialized" warning globally")
 v4.6-rc1 dde5cf39d4d2 ("ubsan: fix tree-wide -Wmaybe-uninitialized false positives")
 v4.5-rc4 7707535ab95e ("ubsan: cosmetic fix to Kconfig text")
 v4.5-rc1 c6d308534aef ("UBSAN: run-time undefined behavior sanity checker")

What's not interesting for U-Boot is:
 - 317506009216 ("lib/test_ubsan.c: make test_ubsan_misaligned_access() static")
 - 854686f4edf4 ("lib: add testing module for UBSAN")
   since they add a module-only test functionality.
 - any Documentation commits.

Since dump_stack() evaluates to NOOP in U-Boot, the UBSAN report
retains only the header from the original kernel report.

As example, below is a UB found in U-Boot thanks to UBSAN:

====================================================================
UBSAN: Undefined behaviour in drivers/net/phy/phy.c:728:19
left shift of 1 by 31 places cannot be represented in type 'int'
====================================================================

For comparison, below is a full-fledged kernel UBSAN report, based on
Linux kernel commit 0dfc0c792d69 ("iommu/vt-d: fix shift-out-of-bounds
in bug checking"):

================================================================================
UBSAN: Undefined behaviour in drivers/iommu/dmar.c:1348:3
shift exponent 64 is too large for 32-bit type 'int'
CPU: 2 PID: 0 Comm: swapper/2 Tainted: G     U            4.17.0-rc1+ #89
Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
Call Trace:
 <IRQ>
 dump_stack+0x90/0xfb
 ubsan_epilogue+0x9/0x40
 __ubsan_handle_shift_out_of_bounds+0x10e/0x170
 ? qi_flush_dev_iotlb+0x124/0x180
------[snip]-----
 apic_timer_interrupt+0xf/0x20
 </IRQ>
RIP: 0010:poll_idle+0x60/0xe7
RSP: 0018:ffffb1b201943e30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000080200000 RBX: 000000000000008e RCX: 000000000000001f
RDX: 0000000000000000 RSI: 000000002819aa06 RDI: 0000000000000000
RBP: ffff9e93c6b33280 R08: 00000010f717d567 R09: 000000000010d205
R10: ffffb1b201943df8 R11: 0000000000000001 R12: 00000000e01b169d
R13: 0000000000000000 R14: ffffffffb12aa400 R15: 0000000000000000
 cpuidle_enter_state+0xb4/0x470
 do_idle+0x222/0x310
 cpu_startup_entry+0x78/0x90
 start_secondary+0x205/0x2e0
 secondary_startup_64+0xa5/0xb0
================================================================================

To enable UBSAN, two prerequisites must be met from Kconfig perspective:
 - ARCH has to select CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL
 - defconfig has to enable CONFIG_UBSAN

This commit selects CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL for SANDBOX and
ARM64 (r8a7795_salvator-x_defconfig is the only tested ARM64 platform).
No defconfig changes are expected, since UBSAN is a development (not
production) option. With CONFIG_UBSAN disabled, no functional change
is expected from this commit.

The size increase of sanbox U-Boot (gcc 8.1.0):
$ size u-boot.sandbox.*
   text	   data	    bss	    dec	    hex	filename
1234958	  80048	 291472	1606478	 18834e	u-boot.sandbox.default
1422710	 272240	 291472	1986422	 1e4f76	u-boot.sandbox.ubsan
+187752 +192192       0 +379944

The size increase of H3 Salvator-X U-Boot (aarch64-linux-gnu-gcc 7.2.1):
$ size u-boot.r8a7795-salvator-x.*
   text	   data	    bss	    dec	    hex	filename
 589954	  23504	 263984	 877442	  d6382	u-boot.r8a7795-salvator-x.default
 810968	 103304	 263984	1178256	 11fa90	u-boot.r8a7795-salvator-x.ubsan
+221014  +79800       0 +300814

Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 Makefile                     |   3 +-
 arch/Kconfig                 |   1 +
 arch/arm/Kconfig             |   1 +
 examples/standalone/Makefile |   2 +
 include/linux/compat.h       |   3 +
 lib/Kconfig                  |   1 +
 lib/Kconfig.ubsan            |  29 +++++++++
 lib/Makefile                 |   3 +
 lib/linux_compat.c           |   3 +
 lib/ubsan.c                  | 461 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/ubsan.h                  |  94 +++++++++++++++++++++++++++++
 scripts/Makefile.lib         |   6 ++
 scripts/Makefile.ubsan       |  20 +++++++
 13 files changed, 626 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 2f79204b2393..23210c7aec6a 100644
--- a/Makefile
+++ b/Makefile
@@ -387,7 +387,7 @@ export MAKE LEX YACC AWK PERL PYTHON PYTHON2 PYTHON3
 export HOSTCXX HOSTCXXFLAGS CHECK CHECKFLAGS DTC DTC_FLAGS
 
 export KBUILD_CPPFLAGS NOSTDINC_FLAGS UBOOTINCLUDE OBJCOPYFLAGS LDFLAGS
-export KBUILD_CFLAGS KBUILD_AFLAGS
+export KBUILD_CFLAGS KBUILD_AFLAGS CFLAGS_UBSAN
 
 # When compiling out-of-tree modules, put MODVERDIR in the module
 # tree rather than in the kernel tree. The kernel tree might
@@ -644,6 +644,7 @@ endif
 KBUILD_CFLAGS   += $(call cc-option,-Werror=date-time)
 
 include scripts/Makefile.extrawarn
+include scripts/Makefile.ubsan
 
 # Add user supplied CPPFLAGS, AFLAGS and CFLAGS as the last assignments
 KBUILD_CPPFLAGS += $(KCPPFLAGS)
diff --git a/arch/Kconfig b/arch/Kconfig
index bf1b4a9afac6..340ec2829928 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -65,6 +65,7 @@ config RISCV
 
 config SANDBOX
 	bool "Sandbox"
+	select ARCH_HAS_UBSAN_SANITIZE_ALL
 	select BOARD_LATE_INIT
 	select DM
 	select DM_GPIO
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 9f5eaf8591b6..0905ebce7004 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -6,6 +6,7 @@ config SYS_ARCH
 
 config ARM64
 	bool
+	select ARCH_HAS_UBSAN_SANITIZE_ALL
 	select PHYS_64BIT
 	select SYS_CACHE_SHIFT_6
 
diff --git a/examples/standalone/Makefile b/examples/standalone/Makefile
index 09364d84a0ad..66716d37465a 100644
--- a/examples/standalone/Makefile
+++ b/examples/standalone/Makefile
@@ -3,6 +3,8 @@
 # (C) Copyright 2000-2006
 # Wolfgang Denk, DENX Software Engineering, wd at denx.de.
 
+UBSAN_SANITIZE := n
+
 extra-y        := hello_world
 extra-$(CONFIG_SMC91111)           += smc91111_eeprom
 extra-$(CONFIG_SMC911X)            += smc911x_eeprom
diff --git a/include/linux/compat.h b/include/linux/compat.h
index 6e3feb64d2d5..e851b2982d76 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -11,6 +11,9 @@ typedef struct unused unused_t;
 
 struct p_current{
        int pid;
+#ifdef CONFIG_UBSAN
+	unsigned int in_ubsan;
+#endif
 };
 
 extern struct p_current *current;
diff --git a/lib/Kconfig b/lib/Kconfig
index 622f3c26c331..251903af9e6b 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -375,6 +375,7 @@ endmenu
 
 source lib/efi/Kconfig
 source lib/efi_loader/Kconfig
+source lib/Kconfig.ubsan
 source lib/optee/Kconfig
 
 endmenu
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
new file mode 100644
index 000000000000..dbbfe974221d
--- /dev/null
+++ b/lib/Kconfig.ubsan
@@ -0,0 +1,29 @@
+config ARCH_HAS_UBSAN_SANITIZE_ALL
+	bool
+
+config UBSAN
+	bool "Undefined behaviour sanity checker"
+	help
+	  This option enables undefined behaviour sanity checker
+	  Compile-time instrumentation is used to detect various undefined
+	  behaviours in runtime.
+
+config UBSAN_SANITIZE_ALL
+	bool "Enable instrumentation for the entire kernel"
+	depends on UBSAN
+	depends on ARCH_HAS_UBSAN_SANITIZE_ALL
+	default y
+	help
+	  This option activates instrumentation for the entire kernel.
+	  If you don't enable this option, you have to explicitly specify
+	  UBSAN_SANITIZE := y for the files/directories you want to check for UB.
+	  Enabling this option will get kernel image size increased
+	  significantly.
+
+config UBSAN_ALIGNMENT
+	bool "Enable checking of pointers alignment"
+	depends on UBSAN
+	help
+	  This option enables detection of unaligned memory accesses.
+	  Enabling this option on architectures that support unaligned
+	  accesses may produce a lot of false positives.
diff --git a/lib/Makefile b/lib/Makefile
index 5f583aed37d9..099a49032a02 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -18,6 +18,9 @@ obj-$(CONFIG_CMD_DHRYSTONE) += dhry/
 obj-$(CONFIG_ARCH_AT91) += at91/
 obj-$(CONFIG_OPTEE) += optee/
 
+obj-$(CONFIG_UBSAN) += ubsan.o
+UBSAN_SANITIZE_ubsan.o := n
+
 obj-$(CONFIG_AES) += aes.o
 obj-y += charset.o
 obj-$(CONFIG_USB_TTY) += circbuf.o
diff --git a/lib/linux_compat.c b/lib/linux_compat.c
index a936a7eac214..4dd89b50e924 100644
--- a/lib/linux_compat.c
+++ b/lib/linux_compat.c
@@ -4,6 +4,9 @@
 
 struct p_current cur = {
 	.pid = 1,
+#ifdef CONFIG_UBSAN
+	.in_ubsan = 0,
+#endif
 };
 __maybe_unused struct p_current *current = &cur;
 
diff --git a/lib/ubsan.c b/lib/ubsan.c
new file mode 100644
index 000000000000..642ef9f02c00
--- /dev/null
+++ b/lib/ubsan.c
@@ -0,0 +1,461 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * UBSAN error reporting functions
+ *
+ * Copyright (c) 2014 Samsung Electronics Co., Ltd.
+ * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+ */
+
+#include <linux/bitops.h>
+#include <linux/bug.h>
+#include <linux/ctype.h>
+#include <linux/kernel.h>
+#include <linux/types.h>
+
+#ifdef __UBOOT__
+#include <linux/compat.h>
+#include <common.h>
+#endif
+
+#include "ubsan.h"
+
+const char *type_check_kinds[] = {
+	"load of",
+	"store to",
+	"reference binding to",
+	"member access within",
+	"member call on",
+	"constructor call on",
+	"downcast of",
+	"downcast of"
+};
+
+#define REPORTED_BIT 31
+
+#if (BITS_PER_LONG == 64) && defined(__BIG_ENDIAN)
+#define COLUMN_MASK (~(1U << REPORTED_BIT))
+#define LINE_MASK   (~0U)
+#else
+#define COLUMN_MASK   (~0U)
+#define LINE_MASK (~(1U << REPORTED_BIT))
+#endif
+
+#define VALUE_LENGTH 40
+
+static bool was_reported(struct source_location *location)
+{
+	return test_and_set_bit(REPORTED_BIT, &location->reported);
+}
+
+static void print_source_location(const char *prefix,
+				struct source_location *loc)
+{
+	pr_err("%s %s:%d:%d\n", prefix, loc->file_name,
+		loc->line & LINE_MASK, loc->column & COLUMN_MASK);
+}
+
+static bool suppress_report(struct source_location *loc)
+{
+	return current->in_ubsan || was_reported(loc);
+}
+
+static bool type_is_int(struct type_descriptor *type)
+{
+	return type->type_kind == type_kind_int;
+}
+
+static bool type_is_signed(struct type_descriptor *type)
+{
+	WARN_ON(!type_is_int(type));
+	return  type->type_info & 1;
+}
+
+static unsigned type_bit_width(struct type_descriptor *type)
+{
+	return 1 << (type->type_info >> 1);
+}
+
+static bool is_inline_int(struct type_descriptor *type)
+{
+	unsigned inline_bits = sizeof(unsigned long)*8;
+	unsigned bits = type_bit_width(type);
+
+	WARN_ON(!type_is_int(type));
+
+	return bits <= inline_bits;
+}
+
+static s_max get_signed_val(struct type_descriptor *type, unsigned long val)
+{
+	if (is_inline_int(type)) {
+		unsigned extra_bits = sizeof(s_max)*8 - type_bit_width(type);
+		return ((s_max)val) << extra_bits >> extra_bits;
+	}
+
+	if (type_bit_width(type) == 64)
+		return *(s64 *)val;
+
+	return *(s_max *)val;
+}
+
+static bool val_is_negative(struct type_descriptor *type, unsigned long val)
+{
+	return type_is_signed(type) && get_signed_val(type, val) < 0;
+}
+
+static u_max get_unsigned_val(struct type_descriptor *type, unsigned long val)
+{
+	if (is_inline_int(type))
+		return val;
+
+	if (type_bit_width(type) == 64)
+		return *(u64 *)val;
+
+	return *(u_max *)val;
+}
+
+static void val_to_string(char *str, size_t size, struct type_descriptor *type,
+	unsigned long value)
+{
+	if (type_is_int(type)) {
+		if (type_bit_width(type) == 128) {
+#if defined(CONFIG_ARCH_SUPPORTS_INT128) && defined(__SIZEOF_INT128__)
+			u_max val = get_unsigned_val(type, value);
+
+			scnprintf(str, size, "0x%08x%08x%08x%08x",
+				(u32)(val >> 96),
+				(u32)(val >> 64),
+				(u32)(val >> 32),
+				(u32)(val));
+#else
+			WARN_ON(1);
+#endif
+		} else if (type_is_signed(type)) {
+			scnprintf(str, size, "%lld",
+				(s64)get_signed_val(type, value));
+		} else {
+			scnprintf(str, size, "%llu",
+				(u64)get_unsigned_val(type, value));
+		}
+	}
+}
+
+#ifndef __UBOOT__
+static DEFINE_SPINLOCK(report_lock);
+#endif
+
+static void ubsan_prologue(struct source_location *location,
+			unsigned long *flags)
+{
+	current->in_ubsan++;
+	spin_lock_irqsave(&report_lock, *flags);
+
+	pr_err("========================================"
+		"========================================\n");
+	print_source_location("UBSAN: Undefined behaviour in", location);
+}
+
+static void ubsan_epilogue(unsigned long *flags)
+{
+	dump_stack();
+	pr_err("========================================"
+		"========================================\n");
+	spin_unlock_irqrestore(&report_lock, *flags);
+	current->in_ubsan--;
+}
+
+static void handle_overflow(struct overflow_data *data, unsigned long lhs,
+			unsigned long rhs, char op)
+{
+
+	struct type_descriptor *type = data->type;
+	unsigned long flags;
+	char lhs_val_str[VALUE_LENGTH];
+	char rhs_val_str[VALUE_LENGTH];
+
+	if (suppress_report(&data->location))
+		return;
+
+	ubsan_prologue(&data->location, &flags);
+
+	val_to_string(lhs_val_str, sizeof(lhs_val_str), type, lhs);
+	val_to_string(rhs_val_str, sizeof(rhs_val_str), type, rhs);
+	pr_err("%s integer overflow:\n",
+		type_is_signed(type) ? "signed" : "unsigned");
+	pr_err("%s %c %s cannot be represented in type %s\n",
+		lhs_val_str,
+		op,
+		rhs_val_str,
+		type->type_name);
+
+	ubsan_epilogue(&flags);
+}
+
+void __ubsan_handle_add_overflow(struct overflow_data *data,
+				unsigned long lhs,
+				unsigned long rhs)
+{
+
+	handle_overflow(data, lhs, rhs, '+');
+}
+EXPORT_SYMBOL(__ubsan_handle_add_overflow);
+
+void __ubsan_handle_sub_overflow(struct overflow_data *data,
+				unsigned long lhs,
+				unsigned long rhs)
+{
+	handle_overflow(data, lhs, rhs, '-');
+}
+EXPORT_SYMBOL(__ubsan_handle_sub_overflow);
+
+void __ubsan_handle_mul_overflow(struct overflow_data *data,
+				unsigned long lhs,
+				unsigned long rhs)
+{
+	handle_overflow(data, lhs, rhs, '*');
+}
+EXPORT_SYMBOL(__ubsan_handle_mul_overflow);
+
+void __ubsan_handle_negate_overflow(struct overflow_data *data,
+				unsigned long old_val)
+{
+	unsigned long flags;
+	char old_val_str[VALUE_LENGTH];
+
+	if (suppress_report(&data->location))
+		return;
+
+	ubsan_prologue(&data->location, &flags);
+
+	val_to_string(old_val_str, sizeof(old_val_str), data->type, old_val);
+
+	pr_err("negation of %s cannot be represented in type %s:\n",
+		old_val_str, data->type->type_name);
+
+	ubsan_epilogue(&flags);
+}
+EXPORT_SYMBOL(__ubsan_handle_negate_overflow);
+
+
+void __ubsan_handle_divrem_overflow(struct overflow_data *data,
+				unsigned long lhs,
+				unsigned long rhs)
+{
+	unsigned long flags;
+	char rhs_val_str[VALUE_LENGTH];
+
+	if (suppress_report(&data->location))
+		return;
+
+	ubsan_prologue(&data->location, &flags);
+
+	val_to_string(rhs_val_str, sizeof(rhs_val_str), data->type, rhs);
+
+	if (type_is_signed(data->type) && get_signed_val(data->type, rhs) == -1)
+		pr_err("division of %s by -1 cannot be represented in type %s\n",
+			rhs_val_str, data->type->type_name);
+	else
+		pr_err("division by zero\n");
+
+	ubsan_epilogue(&flags);
+}
+EXPORT_SYMBOL(__ubsan_handle_divrem_overflow);
+
+static void handle_null_ptr_deref(struct type_mismatch_data_common *data)
+{
+	unsigned long flags;
+
+	if (suppress_report(data->location))
+		return;
+
+	ubsan_prologue(data->location, &flags);
+
+	pr_err("%s null pointer of type %s\n",
+		type_check_kinds[data->type_check_kind],
+		data->type->type_name);
+
+	ubsan_epilogue(&flags);
+}
+
+static void handle_misaligned_access(struct type_mismatch_data_common *data,
+				unsigned long ptr)
+{
+	unsigned long flags;
+
+	if (suppress_report(data->location))
+		return;
+
+	ubsan_prologue(data->location, &flags);
+
+	pr_err("%s misaligned address %p for type %s\n",
+		type_check_kinds[data->type_check_kind],
+		(void *)ptr, data->type->type_name);
+	pr_err("which requires %ld byte alignment\n", data->alignment);
+
+	ubsan_epilogue(&flags);
+}
+
+static void handle_object_size_mismatch(struct type_mismatch_data_common *data,
+					unsigned long ptr)
+{
+	unsigned long flags;
+
+	if (suppress_report(data->location))
+		return;
+
+	ubsan_prologue(data->location, &flags);
+	pr_err("%s address %p with insufficient space\n",
+		type_check_kinds[data->type_check_kind],
+		(void *) ptr);
+	pr_err("for an object of type %s\n", data->type->type_name);
+	ubsan_epilogue(&flags);
+}
+
+static void ubsan_type_mismatch_common(struct type_mismatch_data_common *data,
+				unsigned long ptr)
+{
+
+	if (!ptr)
+		handle_null_ptr_deref(data);
+	else if (data->alignment && !IS_ALIGNED(ptr, data->alignment))
+		handle_misaligned_access(data, ptr);
+	else
+		handle_object_size_mismatch(data, ptr);
+}
+
+void __ubsan_handle_type_mismatch(struct type_mismatch_data *data,
+				unsigned long ptr)
+{
+	struct type_mismatch_data_common common_data = {
+		.location = &data->location,
+		.type = data->type,
+		.alignment = data->alignment,
+		.type_check_kind = data->type_check_kind
+	};
+
+	ubsan_type_mismatch_common(&common_data, ptr);
+}
+EXPORT_SYMBOL(__ubsan_handle_type_mismatch);
+
+void __ubsan_handle_type_mismatch_v1(struct type_mismatch_data_v1 *data,
+				unsigned long ptr)
+{
+
+	struct type_mismatch_data_common common_data = {
+		.location = &data->location,
+		.type = data->type,
+		.alignment = 1UL << data->log_alignment,
+		.type_check_kind = data->type_check_kind
+	};
+
+	ubsan_type_mismatch_common(&common_data, ptr);
+}
+EXPORT_SYMBOL(__ubsan_handle_type_mismatch_v1);
+
+void __ubsan_handle_vla_bound_not_positive(struct vla_bound_data *data,
+					unsigned long bound)
+{
+	unsigned long flags;
+	char bound_str[VALUE_LENGTH];
+
+	if (suppress_report(&data->location))
+		return;
+
+	ubsan_prologue(&data->location, &flags);
+
+	val_to_string(bound_str, sizeof(bound_str), data->type, bound);
+	pr_err("variable length array bound value %s <= 0\n", bound_str);
+
+	ubsan_epilogue(&flags);
+}
+EXPORT_SYMBOL(__ubsan_handle_vla_bound_not_positive);
+
+void __ubsan_handle_out_of_bounds(struct out_of_bounds_data *data,
+				unsigned long index)
+{
+	unsigned long flags;
+	char index_str[VALUE_LENGTH];
+
+	if (suppress_report(&data->location))
+		return;
+
+	ubsan_prologue(&data->location, &flags);
+
+	val_to_string(index_str, sizeof(index_str), data->index_type, index);
+	pr_err("index %s is out of range for type %s\n", index_str,
+		data->array_type->type_name);
+	ubsan_epilogue(&flags);
+}
+EXPORT_SYMBOL(__ubsan_handle_out_of_bounds);
+
+void __ubsan_handle_shift_out_of_bounds(struct shift_out_of_bounds_data *data,
+					unsigned long lhs, unsigned long rhs)
+{
+	unsigned long flags;
+	struct type_descriptor *rhs_type = data->rhs_type;
+	struct type_descriptor *lhs_type = data->lhs_type;
+	char rhs_str[VALUE_LENGTH];
+	char lhs_str[VALUE_LENGTH];
+
+	if (suppress_report(&data->location))
+		return;
+
+	ubsan_prologue(&data->location, &flags);
+
+	val_to_string(rhs_str, sizeof(rhs_str), rhs_type, rhs);
+	val_to_string(lhs_str, sizeof(lhs_str), lhs_type, lhs);
+
+	if (val_is_negative(rhs_type, rhs))
+		pr_err("shift exponent %s is negative\n", rhs_str);
+
+	else if (get_unsigned_val(rhs_type, rhs) >=
+		type_bit_width(lhs_type))
+		pr_err("shift exponent %s is too large for %u-bit type %s\n",
+			rhs_str,
+			type_bit_width(lhs_type),
+			lhs_type->type_name);
+	else if (val_is_negative(lhs_type, lhs))
+		pr_err("left shift of negative value %s\n",
+			lhs_str);
+	else
+		pr_err("left shift of %s by %s places cannot be"
+			" represented in type %s\n",
+			lhs_str, rhs_str,
+			lhs_type->type_name);
+
+	ubsan_epilogue(&flags);
+}
+EXPORT_SYMBOL(__ubsan_handle_shift_out_of_bounds);
+
+
+void __noreturn
+__ubsan_handle_builtin_unreachable(struct unreachable_data *data)
+{
+	unsigned long flags;
+
+	ubsan_prologue(&data->location, &flags);
+	pr_err("calling __builtin_unreachable()\n");
+	ubsan_epilogue(&flags);
+	panic("can't return from __builtin_unreachable()");
+}
+EXPORT_SYMBOL(__ubsan_handle_builtin_unreachable);
+
+void __ubsan_handle_load_invalid_value(struct invalid_value_data *data,
+				unsigned long val)
+{
+	unsigned long flags;
+	char val_str[VALUE_LENGTH];
+
+	if (suppress_report(&data->location))
+		return;
+
+	ubsan_prologue(&data->location, &flags);
+
+	val_to_string(val_str, sizeof(val_str), data->type, val);
+
+	pr_err("load of value %s is not a valid value for type %s\n",
+		val_str, data->type->type_name);
+
+	ubsan_epilogue(&flags);
+}
+EXPORT_SYMBOL(__ubsan_handle_load_invalid_value);
diff --git a/lib/ubsan.h b/lib/ubsan.h
new file mode 100644
index 000000000000..01efea6bae11
--- /dev/null
+++ b/lib/ubsan.h
@@ -0,0 +1,94 @@
+// SPDX-License-Identifier: GPL-2.0
+#ifndef _LIB_UBSAN_H
+#define _LIB_UBSAN_H
+
+enum {
+	type_kind_int = 0,
+	type_kind_float = 1,
+	type_unknown = 0xffff
+};
+
+struct type_descriptor {
+	u16 type_kind;
+	u16 type_info;
+	char type_name[1];
+};
+
+struct source_location {
+	const char *file_name;
+	union {
+		unsigned long reported;
+		struct {
+			u32 line;
+			u32 column;
+		};
+	};
+};
+
+struct overflow_data {
+	struct source_location location;
+	struct type_descriptor *type;
+};
+
+struct type_mismatch_data {
+	struct source_location location;
+	struct type_descriptor *type;
+	unsigned long alignment;
+	unsigned char type_check_kind;
+};
+
+struct type_mismatch_data_v1 {
+	struct source_location location;
+	struct type_descriptor *type;
+	unsigned char log_alignment;
+	unsigned char type_check_kind;
+};
+
+struct type_mismatch_data_common {
+	struct source_location *location;
+	struct type_descriptor *type;
+	unsigned long alignment;
+	unsigned char type_check_kind;
+};
+
+struct nonnull_arg_data {
+	struct source_location location;
+	struct source_location attr_location;
+	int arg_index;
+};
+
+struct vla_bound_data {
+	struct source_location location;
+	struct type_descriptor *type;
+};
+
+struct out_of_bounds_data {
+	struct source_location location;
+	struct type_descriptor *array_type;
+	struct type_descriptor *index_type;
+};
+
+struct shift_out_of_bounds_data {
+	struct source_location location;
+	struct type_descriptor *lhs_type;
+	struct type_descriptor *rhs_type;
+};
+
+struct unreachable_data {
+	struct source_location location;
+};
+
+struct invalid_value_data {
+	struct source_location location;
+	struct type_descriptor *type;
+};
+
+#if defined(CONFIG_ARCH_SUPPORTS_INT128) && defined(__SIZEOF_INT128__)
+typedef __int128 s_max;
+typedef unsigned __int128 u_max;
+#else
+typedef s64 s_max;
+typedef u64 u_max;
+#endif
+
+#endif
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index f8c3fff1d151..ccf683265fcb 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -131,6 +131,12 @@ _c_flags += $(if $(patsubst n%,, \
 		$(CFLAGS_KASAN))
 endif
 
+ifeq ($(CONFIG_UBSAN),y)
+_c_flags += $(if $(patsubst n%,, \
+		$(UBSAN_SANITIZE_$(basetarget).o)$(UBSAN_SANITIZE)$(CONFIG_UBSAN_SANITIZE_ALL)), \
+		$(CFLAGS_UBSAN))
+endif
+
 # If building the kernel in a separate objtree expand all occurrences
 # of -Idir to -I$(srctree)/dir except for absolute paths (starting with '/').
 
diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan
new file mode 100644
index 000000000000..38b2b4818e8e
--- /dev/null
+++ b/scripts/Makefile.ubsan
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: GPL-2.0
+ifdef CONFIG_UBSAN
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=shift)
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero)
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable)
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=vla-bound)
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow)
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds)
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size)
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=bool)
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=enum)
+
+ifdef CONFIG_UBSAN_ALIGNMENT
+      CFLAGS_UBSAN += $(call cc-option, -fsanitize=alignment)
+endif
+
+      # -fsanitize=* options makes GCC less smart than usual and
+      # increase number of 'maybe-uninitialized false-positives
+      CFLAGS_UBSAN += $(call cc-option, -Wno-maybe-uninitialized)
+endif
-- 
2.18.0

[U-Boot] [PATCH 1/8] UBSAN: run-time undefined behavior sanity checker

[Tom Rini]

On Mon, Aug 20, 2018 at 02:00:25AM +0200, Eugeniu Rosca wrote:

> Import Undefined Behavior SANitizer from Linux Kernel v4.18, as
> implemented by Andrey Ryabinin <aryabinin@virtuozzo.com>.
> 
> Roughly, the UBSAN development history in Linux kernel looks like:
> 
> $ git log --format="%h (\"%s\")" --no-merges -- "*ubsan*"
> v4.18     3ca17b1f3628 ("lib/ubsan: remove null-pointer checks")
> v4.17-rc1 317506009216 ("lib/test_ubsan.c: make test_ubsan_misaligned_access() static")
> v4.17-rc1 854686f4edf4 ("lib: add testing module for UBSAN")
> v4.16-rc1 bac7a1fff792 ("lib/ubsan: remove returns-nonnull-attribute checks")
> v4.16-rc1 42440c1f9911 ("lib/ubsan: add type mismatch handler for new GCC/Clang")
> v4.16-rc1 b8fe1120b4ba ("lib/ubsan.c: s/missaligned/misaligned/")
> v4.14-rc8 b24413180f56 ("License cleanup: add SPDX GPL-2.0 license identifier to files with no license")
> v4.10-rc1 0462554707d6 ("Kconfig: lib/Kconfig.ubsan fix reference to ubsan documentation")
>  v4.9-rc5 a76bcf557ef4 ("Kbuild: enable -Wmaybe-uninitialized warning for "make W=1"")
>  v4.9-rc1 725c4d22bbc4 ("ubsan: allow to disable the null sanitizer")
>  v4.9-rc1 1ead009cd622 ("docs: sphinxify ubsan.txt and move it to dev-tools")
>  v4.8-rc1 901d805c33fc ("UBSAN: fix typo in format string")
>  v4.8-rc1 6e8d666e9253 ("Disable "maybe-uninitialized" warning globally")
>  v4.6-rc1 dde5cf39d4d2 ("ubsan: fix tree-wide -Wmaybe-uninitialized false positives")
>  v4.5-rc4 7707535ab95e ("ubsan: cosmetic fix to Kconfig text")
>  v4.5-rc1 c6d308534aef ("UBSAN: run-time undefined behavior sanity checker")
> 
> What's not interesting for U-Boot is:
>  - 317506009216 ("lib/test_ubsan.c: make test_ubsan_misaligned_access() static")
>  - 854686f4edf4 ("lib: add testing module for UBSAN")
>    since they add a module-only test functionality.
>  - any Documentation commits.
> 
> Since dump_stack() evaluates to NOOP in U-Boot, the UBSAN report
> retains only the header from the original kernel report.
> 
> As example, below is a UB found in U-Boot thanks to UBSAN:
> 
> ====================================================================
> UBSAN: Undefined behaviour in drivers/net/phy/phy.c:728:19
> left shift of 1 by 31 places cannot be represented in type 'int'
> ====================================================================
> 
> For comparison, below is a full-fledged kernel UBSAN report, based on
> Linux kernel commit 0dfc0c792d69 ("iommu/vt-d: fix shift-out-of-bounds
> in bug checking"):
> 
> ================================================================================
> UBSAN: Undefined behaviour in drivers/iommu/dmar.c:1348:3
> shift exponent 64 is too large for 32-bit type 'int'
> CPU: 2 PID: 0 Comm: swapper/2 Tainted: G     U            4.17.0-rc1+ #89
> Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
> Call Trace:
>  <IRQ>
>  dump_stack+0x90/0xfb
>  ubsan_epilogue+0x9/0x40
>  __ubsan_handle_shift_out_of_bounds+0x10e/0x170
>  ? qi_flush_dev_iotlb+0x124/0x180
> ------[snip]-----
>  apic_timer_interrupt+0xf/0x20
>  </IRQ>
> RIP: 0010:poll_idle+0x60/0xe7
> RSP: 0018:ffffb1b201943e30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
> RAX: 0000000080200000 RBX: 000000000000008e RCX: 000000000000001f
> RDX: 0000000000000000 RSI: 000000002819aa06 RDI: 0000000000000000
> RBP: ffff9e93c6b33280 R08: 00000010f717d567 R09: 000000000010d205
> R10: ffffb1b201943df8 R11: 0000000000000001 R12: 00000000e01b169d
> R13: 0000000000000000 R14: ffffffffb12aa400 R15: 0000000000000000
>  cpuidle_enter_state+0xb4/0x470
>  do_idle+0x222/0x310
>  cpu_startup_entry+0x78/0x90
>  start_secondary+0x205/0x2e0
>  secondary_startup_64+0xa5/0xb0
> ================================================================================
> 
> To enable UBSAN, two prerequisites must be met from Kconfig perspective:
>  - ARCH has to select CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL
>  - defconfig has to enable CONFIG_UBSAN
> 
> This commit selects CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL for SANDBOX and
> ARM64 (r8a7795_salvator-x_defconfig is the only tested ARM64 platform).
> No defconfig changes are expected, since UBSAN is a development (not
> production) option. With CONFIG_UBSAN disabled, no functional change
> is expected from this commit.
> 
> The size increase of sanbox U-Boot (gcc 8.1.0):
> $ size u-boot.sandbox.*
>    text	   data	    bss	    dec	    hex	filename
> 1234958	  80048	 291472	1606478	 18834e	u-boot.sandbox.default
> 1422710	 272240	 291472	1986422	 1e4f76	u-boot.sandbox.ubsan
> +187752 +192192       0 +379944
> 
> The size increase of H3 Salvator-X U-Boot (aarch64-linux-gnu-gcc 7.2.1):
> $ size u-boot.r8a7795-salvator-x.*
>    text	   data	    bss	    dec	    hex	filename
>  589954	  23504	 263984	 877442	  d6382	u-boot.r8a7795-salvator-x.default
>  810968	 103304	 263984	1178256	 11fa90	u-boot.r8a7795-salvator-x.ubsan
> +221014  +79800       0 +300814

Can we re-work this so that there isn't a size increase unless UBSAN is
enabled?  I ask since I think for a v2 we should be able to say more
broadly that just about everyone can enable this, but only out of the
box sandbox should.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180819/e538e2ff/attachment.sig>

[U-Boot] [PATCH 1/8] UBSAN: run-time undefined behavior sanity checker

[Eugeniu Rosca]

Hi Tom,

On Sun, Aug 19, 2018 at 09:51:32PM -0400, Tom Rini wrote:
> On Mon, Aug 20, 2018 at 02:00:25AM +0200, Eugeniu Rosca wrote:
[..]
> > To enable UBSAN, two prerequisites must be met from Kconfig perspective:
> >  - ARCH has to select CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL
> >  - defconfig has to enable CONFIG_UBSAN
> > 
> > This commit selects CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL for SANDBOX and
> > ARM64 (r8a7795_salvator-x_defconfig is the only tested ARM64 platform).
> > No defconfig changes are expected, since UBSAN is a development (not
> > production) option. With CONFIG_UBSAN disabled, no functional change
> > is expected from this commit.
> > 
> > The size increase of sanbox U-Boot (gcc 8.1.0):
> > $ size u-boot.sandbox.*
> >    text	   data	    bss	    dec	    hex	filename
> > 1234958	  80048	 291472	1606478	 18834e	u-boot.sandbox.default
> > 1422710	 272240	 291472	1986422	 1e4f76	u-boot.sandbox.ubsan
> > +187752 +192192       0 +379944
> > 
> > The size increase of H3 Salvator-X U-Boot (aarch64-linux-gnu-gcc 7.2.1):
> > $ size u-boot.r8a7795-salvator-x.*
> >    text	   data	    bss	    dec	    hex	filename
> >  589954	  23504	 263984	 877442	  d6382	u-boot.r8a7795-salvator-x.default
> >  810968	 103304	 263984	1178256	 11fa90	u-boot.r8a7795-salvator-x.ubsan
> > +221014  +79800       0 +300814
> 
> Can we re-work this so that there isn't a size increase unless UBSAN is
> enabled?  I ask since I think for a v2 we should be able to say more
> broadly that just about everyone can enable this, but only out of the
> box sandbox should.

Sorry for the confusion. This commit alone does not contribute with any
U-Boot binary size increase. The numbers provided above assume enabling
and disabling CONFIG_UBSAN by hand via menuconfig/defconfig. I could
relocate the numbers to a separate patch updating the sandbox_defconfig,
if UBSAN is wanted there by default. That said, I think the contents of
this commit already complies with your particular request stated above.

> 
> -- 
> Tom

Thanks,
Eugeniu.

[U-Boot] [PATCH 1/8] UBSAN: run-time undefined behavior sanity checker

[Tom Rini]

On Mon, Aug 20, 2018 at 02:54:09PM +0200, Eugeniu Rosca wrote:
> Hi Tom,
> 
> On Sun, Aug 19, 2018 at 09:51:32PM -0400, Tom Rini wrote:
> > On Mon, Aug 20, 2018 at 02:00:25AM +0200, Eugeniu Rosca wrote:
> [..]
> > > To enable UBSAN, two prerequisites must be met from Kconfig perspective:
> > >  - ARCH has to select CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL
> > >  - defconfig has to enable CONFIG_UBSAN
> > > 
> > > This commit selects CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL for SANDBOX and
> > > ARM64 (r8a7795_salvator-x_defconfig is the only tested ARM64 platform).
> > > No defconfig changes are expected, since UBSAN is a development (not
> > > production) option. With CONFIG_UBSAN disabled, no functional change
> > > is expected from this commit.
> > > 
> > > The size increase of sanbox U-Boot (gcc 8.1.0):
> > > $ size u-boot.sandbox.*
> > >    text	   data	    bss	    dec	    hex	filename
> > > 1234958	  80048	 291472	1606478	 18834e	u-boot.sandbox.default
> > > 1422710	 272240	 291472	1986422	 1e4f76	u-boot.sandbox.ubsan
> > > +187752 +192192       0 +379944
> > > 
> > > The size increase of H3 Salvator-X U-Boot (aarch64-linux-gnu-gcc 7.2.1):
> > > $ size u-boot.r8a7795-salvator-x.*
> > >    text	   data	    bss	    dec	    hex	filename
> > >  589954	  23504	 263984	 877442	  d6382	u-boot.r8a7795-salvator-x.default
> > >  810968	 103304	 263984	1178256	 11fa90	u-boot.r8a7795-salvator-x.ubsan
> > > +221014  +79800       0 +300814
> > 
> > Can we re-work this so that there isn't a size increase unless UBSAN is
> > enabled?  I ask since I think for a v2 we should be able to say more
> > broadly that just about everyone can enable this, but only out of the
> > box sandbox should.
> 
> Sorry for the confusion. This commit alone does not contribute with any
> U-Boot binary size increase. The numbers provided above assume enabling
> and disabling CONFIG_UBSAN by hand via menuconfig/defconfig. I could
> relocate the numbers to a separate patch updating the sandbox_defconfig,
> if UBSAN is wanted there by default. That said, I think the contents of
> this commit already complies with your particular request stated above.

Ah, ok.  I think it should be a bit split up into introducing framework
and then enabling on sandbox, and that's where we show the size
increase.  But I do also think we should be able to enable the framework
on most targets.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180820/f52224a6/attachment.sig>

[U-Boot] [PATCH 1/8] UBSAN: run-time undefined behavior sanity checker

[York Sun]

On 08/19/2018 05:04 PM, Eugeniu Rosca wrote:
<snip>
> 
> The size increase of sanbox U-Boot (gcc 8.1.0):
> $ size u-boot.sandbox.*
>    text	   data	    bss	    dec	    hex	filename
> 1234958	  80048	 291472	1606478	 18834e	u-boot.sandbox.default
> 1422710	 272240	 291472	1986422	 1e4f76	u-boot.sandbox.ubsan
> +187752 +192192       0 +379944
> 
> The size increase of H3 Salvator-X U-Boot (aarch64-linux-gnu-gcc 7.2.1):
> $ size u-boot.r8a7795-salvator-x.*
>    text	   data	    bss	    dec	    hex	filename
>  589954	  23504	 263984	 877442	  d6382	u-boot.r8a7795-salvator-x.default
>  810968	 103304	 263984	1178256	 11fa90	u-boot.r8a7795-salvator-x.ubsan
> +221014  +79800       0 +300814
>
I wonder if SPL can take advantage of this. Size is sensitive for SPL.

York

[U-Boot] [PATCH 1/8] UBSAN: run-time undefined behavior sanity checker

[Eugeniu Rosca]

On Mon, Aug 20, 2018 at 03:00:31PM +0000, York Sun wrote:
> On 08/19/2018 05:04 PM, Eugeniu Rosca wrote:
> <snip>
> > 
> > The size increase of sanbox U-Boot (gcc 8.1.0):
> > $ size u-boot.sandbox.*
> >    text	   data	    bss	    dec	    hex	filename
> > 1234958	  80048	 291472	1606478	 18834e	u-boot.sandbox.default
> > 1422710	 272240	 291472	1986422	 1e4f76	u-boot.sandbox.ubsan
> > +187752 +192192       0 +379944
> > 
> > The size increase of H3 Salvator-X U-Boot (aarch64-linux-gnu-gcc 7.2.1):
> > $ size u-boot.r8a7795-salvator-x.*
> >    text	   data	    bss	    dec	    hex	filename
> >  589954	  23504	 263984	 877442	  d6382	u-boot.r8a7795-salvator-x.default
> >  810968	 103304	 263984	1178256	 11fa90	u-boot.r8a7795-salvator-x.ubsan
> > +221014  +79800       0 +300814
> >
> I wonder if SPL can take advantage of this. Size is sensitive for SPL.

To build SPL, below fix is required (will be squashed into v2):

diff --git a/lib/Makefile b/lib/Makefile
index 099a49032a02..0ae2c121cacf 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -18,9 +18,6 @@ obj-$(CONFIG_CMD_DHRYSTONE) += dhry/
 obj-$(CONFIG_ARCH_AT91) += at91/
 obj-$(CONFIG_OPTEE) += optee/
 
-obj-$(CONFIG_UBSAN) += ubsan.o
-UBSAN_SANITIZE_ubsan.o := n
-
 obj-$(CONFIG_AES) += aes.o
 obj-y += charset.o
 obj-$(CONFIG_USB_TTY) += circbuf.o
@@ -54,6 +51,8 @@ endif
 obj-$(CONFIG_RSA) += rsa/
 obj-$(CONFIG_SHA1) += sha1.o
 obj-$(CONFIG_SHA256) += sha256.o
+obj-$(CONFIG_UBSAN) += ubsan.o
+UBSAN_SANITIZE_ubsan.o := n
 
 obj-$(CONFIG_$(SPL_)ZLIB) += zlib/
 obj-$(CONFIG_$(SPL_)GZIP) += gunzip.o

With respect to the ELF/BIN size, I get below numbers using
sandbox_spl_defconfig:

$ size u-boot-spl.default u-boot-spl.ubsan
   text	   data	    bss	    dec	    hex	filename
  58097	   5552	    672	  64321	   fb41	u-boot-spl.default
  74041	  25456	    672	 100169	  18749	u-boot-spl.ubsan

$ du -b u-boot-spl-nodtb.bin.default u-boot-spl-nodtb.bin.ubsan
2163064	u-boot-spl-nodtb.bin.default
2199352	u-boot-spl-nodtb.bin.ubsan

FWIW https://github.com/google/bloaty reports:

$ bloaty u-boot-spl.ubsan -- u-boot-spl.default
     VM SIZE                      FILE SIZE
 --------------                --------------
  [ = ]       0 .debug_info    +41.8Ki  +6.7%
  +727% +19.4Ki .data          +19.4Ki  +727%
  [ = ]       0 .debug_loc     +10.1Ki  +3.1%
   +32% +10.1Ki .text          +10.1Ki   +32%
  [ = ]       0 .debug_line    +7.38Ki  +4.9%
   +46% +3.78Ki .rodata        +3.78Ki   +46%
  [ = ]       0 .debug_abbrev  +2.25Ki  +2.6%
  [ = ]       0 .debug_str     +1.63Ki  +3.1%
   +15% +1.56Ki .eh_frame      +1.56Ki   +15%
  [ = ]       0 .debug_ranges     +880  +2.3%
  [ = ]       0 .symtab           +624  +4.2%
  [ = ]       0 .strtab           +548  +6.3%
  [ = ]       0 .debug_aranges    +416  +2.4%
  [ = ]       0 [Unmapped]        +416   +19%
  +6.7%    +152 .eh_frame_hdr     +152  +6.7%
   +37%     +16 [LOAD [RX]]        +16   +37%
   +55% +35.0Ki TOTAL           +101Ki  +7.3%

Except for some untreated UBs, I experienced no issues running
the sandbox SPL U-Boot.

> York

Best regards,
Eugeniu.

[U-Boot] [PATCH 2/8] mmc: Fix "left shift in type int" undefined behavior

[Eugeniu Rosca]

Below is reproduced both with sandbox and R-Car Gen3 arm64 U-Boot:

===================================================================
UBSAN: Undefined behaviour in drivers/mmc/mmc.c:1147:21
left shift of 1 by 31 places cannot be represented in type 'int'
===================================================================

Fixes: 272cc70b211e ("Add MMC Framework")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 drivers/mmc/mmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mmc/mmc.c b/drivers/mmc/mmc.c
index ad429f49c992..447519f46f15 100644
--- a/drivers/mmc/mmc.c
+++ b/drivers/mmc/mmc.c
@@ -1136,7 +1136,7 @@ int mmc_getcd(struct mmc *mmc)
 #endif
 
 #if !CONFIG_IS_ENABLED(MMC_TINY)
-static int sd_switch(struct mmc *mmc, int mode, int group, u8 value, u8 *resp)
+static int sd_switch(struct mmc *mmc, uint mode, int group, u8 value, u8 *resp)
 {
 	struct mmc_cmd cmd;
 	struct mmc_data data;
-- 
2.18.0

[U-Boot] [PATCH 3/8] armv8: mmu: Fix "left shift in type int" undefined behavior

[Eugeniu Rosca]

Fix the following UBSAN warnings:

------8<-----
CPU: Renesas Electronics R8A7795 rev 2.0
Model: Renesas Salvator-X board based on r8a7795 ES2.0+
====================================================================
UBSAN: Undefined behaviour in arch/arm/cpu/armv8/cache_v8.c:72:9
left shift of 1 by 31 places cannot be represented in type 'int'
====================================================================
====================================================================
UBSAN: Undefined behaviour in arch/arm/cpu/armv8/cache_v8.c:74:9
left shift of 1 by 31 places cannot be represented in type 'int'
====================================================================
------8<-----

While@it, convert to BIT() macro all current "1 << X" shift
constructs with X >= 15, which may lead to the same UB, if untreated.

Fixes: ad3d6e88a1a4 ("armv8/mmu: Set bits marked RES1 in TCR")
Fixes: 9bb367a590fe ("arm64: Disable TTBR1 maps in EL1")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 arch/arm/include/asm/armv8/mmu.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/arm/include/asm/armv8/mmu.h b/arch/arm/include/asm/armv8/mmu.h
index 62d00d15c26d..b2ce13db0d2b 100644
--- a/arch/arm/include/asm/armv8/mmu.h
+++ b/arch/arm/include/asm/armv8/mmu.h
@@ -94,11 +94,11 @@
 #define TCR_TG0_4K		(0 << 14)
 #define TCR_TG0_64K		(1 << 14)
 #define TCR_TG0_16K		(2 << 14)
-#define TCR_EPD1_DISABLE	(1 << 23)
+#define TCR_EPD1_DISABLE	BIT(23)
 
-#define TCR_EL1_RSVD		(1 << 31)
-#define TCR_EL2_RSVD		(1 << 31 | 1 << 23)
-#define TCR_EL3_RSVD		(1 << 31 | 1 << 23)
+#define TCR_EL1_RSVD		BIT(31)
+#define TCR_EL2_RSVD		(BIT(31) | BIT(23))
+#define TCR_EL3_RSVD		(BIT(31) | BIT(23))
 
 #ifndef __ASSEMBLY__
 static inline void set_ttbr_tcr_mair(int el, u64 table, u64 tcr, u64 attr)
-- 
2.18.0

[U-Boot] [PATCH 3/8] armv8: mmu: Fix "left shift in type int" undefined behavior

[Tom Rini]

On Mon, Aug 20, 2018 at 02:00:27AM +0200, Eugeniu Rosca wrote:

> Fix the following UBSAN warnings:
> 
> ------8<-----
> CPU: Renesas Electronics R8A7795 rev 2.0
> Model: Renesas Salvator-X board based on r8a7795 ES2.0+
> ====================================================================
> UBSAN: Undefined behaviour in arch/arm/cpu/armv8/cache_v8.c:72:9
> left shift of 1 by 31 places cannot be represented in type 'int'
> ====================================================================
> ====================================================================
> UBSAN: Undefined behaviour in arch/arm/cpu/armv8/cache_v8.c:74:9
> left shift of 1 by 31 places cannot be represented in type 'int'
> ====================================================================
> ------8<-----
> 
> While at it, convert to BIT() macro all current "1 << X" shift
> constructs with X >= 15, which may lead to the same UB, if untreated.
> 
> Fixes: ad3d6e88a1a4 ("armv8/mmu: Set bits marked RES1 in TCR")
> Fixes: 9bb367a590fe ("arm64: Disable TTBR1 maps in EL1")
> Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
> ---
>  arch/arm/include/asm/armv8/mmu.h | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/arm/include/asm/armv8/mmu.h b/arch/arm/include/asm/armv8/mmu.h
> index 62d00d15c26d..b2ce13db0d2b 100644
> --- a/arch/arm/include/asm/armv8/mmu.h
> +++ b/arch/arm/include/asm/armv8/mmu.h
> @@ -94,11 +94,11 @@
>  #define TCR_TG0_4K		(0 << 14)
>  #define TCR_TG0_64K		(1 << 14)
>  #define TCR_TG0_16K		(2 << 14)
> -#define TCR_EPD1_DISABLE	(1 << 23)
> +#define TCR_EPD1_DISABLE	BIT(23)
>  
> -#define TCR_EL1_RSVD		(1 << 31)
> -#define TCR_EL2_RSVD		(1 << 31 | 1 << 23)
> -#define TCR_EL3_RSVD		(1 << 31 | 1 << 23)
> +#define TCR_EL1_RSVD		BIT(31)
> +#define TCR_EL2_RSVD		(BIT(31) | BIT(23))
> +#define TCR_EL3_RSVD		(BIT(31) | BIT(23))
>  
>  #ifndef __ASSEMBLY__
>  static inline void set_ttbr_tcr_mair(int el, u64 table, u64 tcr, u64 attr)

For consistency within the file, spell it out as 1UL ?  I don't like
mixing shifts and BITS in a file, and I really don't like being
inconsistent, so I'd also be OK with BIT() in all of the bits.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180819/269ecc04/attachment.sig>

[U-Boot] [PATCH 3/8] armv8: mmu: Fix "left shift in type int" undefined behavior

[Eugeniu Rosca]

Hi Tom,

On Sun, Aug 19, 2018 at 09:51:42PM -0400, Tom Rini wrote:
> On Mon, Aug 20, 2018 at 02:00:27AM +0200, Eugeniu Rosca wrote:
[..]
> > diff --git a/arch/arm/include/asm/armv8/mmu.h b/arch/arm/include/asm/armv8/mmu.h
> > index 62d00d15c26d..b2ce13db0d2b 100644
> > --- a/arch/arm/include/asm/armv8/mmu.h
> > +++ b/arch/arm/include/asm/armv8/mmu.h
> > @@ -94,11 +94,11 @@
> >  #define TCR_TG0_4K		(0 << 14)
> >  #define TCR_TG0_64K		(1 << 14)
> >  #define TCR_TG0_16K		(2 << 14)
> > -#define TCR_EPD1_DISABLE	(1 << 23)
> > +#define TCR_EPD1_DISABLE	BIT(23)
> >  
> > -#define TCR_EL1_RSVD		(1 << 31)
> > -#define TCR_EL2_RSVD		(1 << 31 | 1 << 23)
> > -#define TCR_EL3_RSVD		(1 << 31 | 1 << 23)
> > +#define TCR_EL1_RSVD		BIT(31)
> > +#define TCR_EL2_RSVD		(BIT(31) | BIT(23))
> > +#define TCR_EL3_RSVD		(BIT(31) | BIT(23))
> >  
> >  #ifndef __ASSEMBLY__
> >  static inline void set_ttbr_tcr_mair(int el, u64 table, u64 tcr, u64 attr)
> 
> For consistency within the file, spell it out as 1UL ?  I don't like
> mixing shifts and BITS in a file, and I really don't like being
> inconsistent, so I'd also be OK with BIT() in all of the bits.

I will use (1UL << i) in v2, unless there is some strong preference
to use BIT() macro. In the latter case, a simple definition like
(7 << N) will require conversion to (BIT(N+2) | BIT(N+1) | BIT(N)),
which looks more complicated to me.

> -- 
> Tom

Thanks,
Eugeniu.

[U-Boot] [PATCH 4/8] pinctrl: renesas: Fix "left shift in type int" undefined behavior

[Eugeniu Rosca]

Booting R-Car H3-Salvator-X (CONFIG_UBSAN=y) consistently results in:

=====================================================================
UBSAN: Undefined behaviour in drivers/pinctrl/renesas/pfc.c:402:40
left shift of 1 by 31 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/pinctrl/renesas/pfc.c:410:39
left shift of 1 by 31 places cannot be represented in type 'int'
=====================================================================

While fixing these warnings, convert *all* SH_PFC_PIN_CFG_* definitions
to use the recommended BIT() macro.

Fixes: 910df4d07e37 ("pinctrl: rmobile: Add Renesas RCar pincontrol driver")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 drivers/pinctrl/renesas/sh_pfc.h | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/pinctrl/renesas/sh_pfc.h b/drivers/pinctrl/renesas/sh_pfc.h
index b98c2f185d26..b58e52bbfbb9 100644
--- a/drivers/pinctrl/renesas/sh_pfc.h
+++ b/drivers/pinctrl/renesas/sh_pfc.h
@@ -21,13 +21,13 @@ enum {
 	PINMUX_TYPE_INPUT,
 };
 
-#define SH_PFC_PIN_CFG_INPUT		(1 << 0)
-#define SH_PFC_PIN_CFG_OUTPUT		(1 << 1)
-#define SH_PFC_PIN_CFG_PULL_UP		(1 << 2)
-#define SH_PFC_PIN_CFG_PULL_DOWN	(1 << 3)
-#define SH_PFC_PIN_CFG_IO_VOLTAGE	(1 << 4)
-#define SH_PFC_PIN_CFG_DRIVE_STRENGTH	(1 << 5)
-#define SH_PFC_PIN_CFG_NO_GPIO		(1 << 31)
+#define SH_PFC_PIN_CFG_INPUT		BIT(0)
+#define SH_PFC_PIN_CFG_OUTPUT		BIT(1)
+#define SH_PFC_PIN_CFG_PULL_UP		BIT(2)
+#define SH_PFC_PIN_CFG_PULL_DOWN	BIT(3)
+#define SH_PFC_PIN_CFG_IO_VOLTAGE	BIT(4)
+#define SH_PFC_PIN_CFG_DRIVE_STRENGTH	BIT(5)
+#define SH_PFC_PIN_CFG_NO_GPIO		BIT(31)
 
 struct sh_pfc_pin {
 	u16 pin;
-- 
2.18.0

[U-Boot] [PATCH 4/8] pinctrl: renesas: Fix "left shift in type int" undefined behavior

[Marek Vasut]

On 08/20/2018 02:00 AM, Eugeniu Rosca wrote:
> Booting R-Car H3-Salvator-X (CONFIG_UBSAN=y) consistently results in:
> 
> =====================================================================
> UBSAN: Undefined behaviour in drivers/pinctrl/renesas/pfc.c:402:40
> left shift of 1 by 31 places cannot be represented in type 'int'
> =====================================================================
> =====================================================================
> UBSAN: Undefined behaviour in drivers/pinctrl/renesas/pfc.c:410:39
> left shift of 1 by 31 places cannot be represented in type 'int'
> =====================================================================
> 
> While fixing these warnings, convert *all* SH_PFC_PIN_CFG_* definitions
> to use the recommended BIT() macro.
> 
> Fixes: 910df4d07e37 ("pinctrl: rmobile: Add Renesas RCar pincontrol driver")
> Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
> ---
>  drivers/pinctrl/renesas/sh_pfc.h | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/pinctrl/renesas/sh_pfc.h b/drivers/pinctrl/renesas/sh_pfc.h
> index b98c2f185d26..b58e52bbfbb9 100644
> --- a/drivers/pinctrl/renesas/sh_pfc.h
> +++ b/drivers/pinctrl/renesas/sh_pfc.h
> @@ -21,13 +21,13 @@ enum {
>  	PINMUX_TYPE_INPUT,
>  };
>  
> -#define SH_PFC_PIN_CFG_INPUT		(1 << 0)
> -#define SH_PFC_PIN_CFG_OUTPUT		(1 << 1)
> -#define SH_PFC_PIN_CFG_PULL_UP		(1 << 2)
> -#define SH_PFC_PIN_CFG_PULL_DOWN	(1 << 3)
> -#define SH_PFC_PIN_CFG_IO_VOLTAGE	(1 << 4)
> -#define SH_PFC_PIN_CFG_DRIVE_STRENGTH	(1 << 5)
> -#define SH_PFC_PIN_CFG_NO_GPIO		(1 << 31)
> +#define SH_PFC_PIN_CFG_INPUT		BIT(0)
> +#define SH_PFC_PIN_CFG_OUTPUT		BIT(1)
> +#define SH_PFC_PIN_CFG_PULL_UP		BIT(2)
> +#define SH_PFC_PIN_CFG_PULL_DOWN	BIT(3)
> +#define SH_PFC_PIN_CFG_IO_VOLTAGE	BIT(4)
> +#define SH_PFC_PIN_CFG_DRIVE_STRENGTH	BIT(5)
> +#define SH_PFC_PIN_CFG_NO_GPIO		BIT(31)

Might make sense to apply the same fix for Linux ?

Acked-by: Marek Vasut <marek.vasut@gmail.com>

-- 
Best regards,
Marek Vasut

[U-Boot] [PATCH 4/8] pinctrl: renesas: Fix "left shift in type int" undefined behavior

[Eugeniu Rosca]

Hi Marek,

On Mon, Aug 20, 2018 at 10:07:16AM +0200, Marek Vasut wrote:
> On 08/20/2018 02:00 AM, Eugeniu Rosca wrote:
> > Booting R-Car H3-Salvator-X (CONFIG_UBSAN=y) consistently results in:
> > 
> > =====================================================================
> > UBSAN: Undefined behaviour in drivers/pinctrl/renesas/pfc.c:402:40
> > left shift of 1 by 31 places cannot be represented in type 'int'
> > =====================================================================
> > =====================================================================
> > UBSAN: Undefined behaviour in drivers/pinctrl/renesas/pfc.c:410:39
> > left shift of 1 by 31 places cannot be represented in type 'int'
> > =====================================================================
> > 
> > While fixing these warnings, convert *all* SH_PFC_PIN_CFG_* definitions
> > to use the recommended BIT() macro.
> > 
> > Fixes: 910df4d07e37 ("pinctrl: rmobile: Add Renesas RCar pincontrol driver")
> > Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
> > ---
> >  drivers/pinctrl/renesas/sh_pfc.h | 14 +++++++-------
> >  1 file changed, 7 insertions(+), 7 deletions(-)
> > 
> > diff --git a/drivers/pinctrl/renesas/sh_pfc.h b/drivers/pinctrl/renesas/sh_pfc.h
> > index b98c2f185d26..b58e52bbfbb9 100644
> > --- a/drivers/pinctrl/renesas/sh_pfc.h
> > +++ b/drivers/pinctrl/renesas/sh_pfc.h
> > @@ -21,13 +21,13 @@ enum {
> >  	PINMUX_TYPE_INPUT,
> >  };
> >  
> > -#define SH_PFC_PIN_CFG_INPUT		(1 << 0)
> > -#define SH_PFC_PIN_CFG_OUTPUT		(1 << 1)
> > -#define SH_PFC_PIN_CFG_PULL_UP		(1 << 2)
> > -#define SH_PFC_PIN_CFG_PULL_DOWN	(1 << 3)
> > -#define SH_PFC_PIN_CFG_IO_VOLTAGE	(1 << 4)
> > -#define SH_PFC_PIN_CFG_DRIVE_STRENGTH	(1 << 5)
> > -#define SH_PFC_PIN_CFG_NO_GPIO		(1 << 31)
> > +#define SH_PFC_PIN_CFG_INPUT		BIT(0)
> > +#define SH_PFC_PIN_CFG_OUTPUT		BIT(1)
> > +#define SH_PFC_PIN_CFG_PULL_UP		BIT(2)
> > +#define SH_PFC_PIN_CFG_PULL_DOWN	BIT(3)
> > +#define SH_PFC_PIN_CFG_IO_VOLTAGE	BIT(4)
> > +#define SH_PFC_PIN_CFG_DRIVE_STRENGTH	BIT(5)
> > +#define SH_PFC_PIN_CFG_NO_GPIO		BIT(31)
> 
> Might make sense to apply the same fix for Linux ?

Oddly enough, UBSAN doesn't complain about those shifts in the kernel.
I can only guess for the moment why this difference.

> 
> Acked-by: Marek Vasut <marek.vasut@gmail.com>
> 
> -- 
> Best regards,
> Marek Vasut

Best regards,
Eugeniu.

[U-Boot] [PATCH 5/8] net: phy: Fix "left shift in type int" undefined behavior

[Eugeniu Rosca]

Booting R-Car Gen3 arm64 U-Boot with CONFIG_UBSAN=y results in:

=====================================================================
UBSAN: Undefined behaviour in drivers/net/phy/phy.c:728:19
left shift of 1 by 31 places cannot be represented in type 'int'
=====================================================================

Fix it by appending the UL suffix to the numeric literal. While at it,
convert the type of "addr" variable from signed to unsigned int, to
protect against shifting the numeric literal by a negative value (which
would translate into a different type of undefined behavior).

Fixes: 1adb406b0141 ("phy: add phy_find_by_mask/phy_connect_dev")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 drivers/net/phy/phy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
index e837eb7688cc..0a8df72a495f 100644
--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -719,13 +719,13 @@ static struct phy_device *search_for_existing_phy(struct mii_dev *bus,
 {
 	/* If we have one, return the existing device, with new interface */
 	while (phy_mask) {
-		int addr = ffs(phy_mask) - 1;
+		unsigned int addr = ffs(phy_mask) - 1;
 
 		if (bus->phymap[addr]) {
 			bus->phymap[addr]->interface = interface;
 			return bus->phymap[addr];
 		}
-		phy_mask &= ~(1 << addr);
+		phy_mask &= ~(1UL << addr);
 	}
 	return NULL;
 }
-- 
2.18.0

[U-Boot] [PATCH 6/8] net: ravb: Fix "left shift in type int" undefined behavior

[Eugeniu Rosca]

Running "tftp" on R-Car H3 Salvator-X with CONFIG_UBSAN=y results in:

=> tftp
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:237:28
left shift of 10 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:258:44
left shift of 9 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:263:46
left shift of 9 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:283:31
left shift of 9 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:288:49
left shift of 9 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:293:46
left shift of 9 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:345:2
left shift of 222 by 24 places cannot be represented in type 'int'
=====================================================================

Pinging the host results in:

=> ping 192.168.2.11
Using ethernet at e6800000 device
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:161:21
left shift of 15 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:182:25
left shift of 15 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:182:47
left shift of 12 by 28 places cannot be represented in type 'int'
=====================================================================
=====================================================================
UBSAN: Undefined behaviour in drivers/net/ravb.c:205:20
left shift of 12 by 28 places cannot be represented in type 'int'
=====================================================================
host 192.168.2.11 is alive

There are two issues behind:
 - calculating RAVB_DESC_DT_* bitfields
 - assembling MAC address from its char components

Fix both.

Fixes: 8ae51b6f324e ("net: ravb: Add Renesas Ethernet RAVB driver")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 drivers/net/ravb.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ravb.c b/drivers/net/ravb.c
index 749562db960e..5baff198889b 100644
--- a/drivers/net/ravb.c
+++ b/drivers/net/ravb.c
@@ -73,12 +73,12 @@
 #define RAVB_RX_QUEUE_OFFSET		4
 
 #define RAVB_DESC_DT(n)			((n) << 28)
-#define RAVB_DESC_DT_FSINGLE		RAVB_DESC_DT(0x7)
-#define RAVB_DESC_DT_LINKFIX		RAVB_DESC_DT(0x9)
-#define RAVB_DESC_DT_EOS		RAVB_DESC_DT(0xa)
-#define RAVB_DESC_DT_FEMPTY		RAVB_DESC_DT(0xc)
-#define RAVB_DESC_DT_EEMPTY		RAVB_DESC_DT(0x3)
-#define RAVB_DESC_DT_MASK		RAVB_DESC_DT(0xf)
+#define RAVB_DESC_DT_FSINGLE		RAVB_DESC_DT(0x7UL)
+#define RAVB_DESC_DT_LINKFIX		RAVB_DESC_DT(0x9UL)
+#define RAVB_DESC_DT_EOS		RAVB_DESC_DT(0xaUL)
+#define RAVB_DESC_DT_FEMPTY		RAVB_DESC_DT(0xcUL)
+#define RAVB_DESC_DT_EEMPTY		RAVB_DESC_DT(0x3UL)
+#define RAVB_DESC_DT_MASK		RAVB_DESC_DT(0xfUL)
 
 #define RAVB_DESC_DS(n)			(((n) & 0xfff) << 0)
 #define RAVB_DESC_DS_MASK		0xfff
@@ -342,8 +342,8 @@ static int ravb_write_hwaddr(struct udevice *dev)
 	struct eth_pdata *pdata = dev_get_platdata(dev);
 	unsigned char *mac = pdata->enetaddr;
 
-	writel((mac[0] << 24) | (mac[1] << 16) | (mac[2] << 8) | mac[3],
-	       eth->iobase + RAVB_REG_MAHR);
+	writel(((u32)mac[0] << 24) | ((u32)mac[1] << 16) | ((u32)mac[2] << 8) |
+	       mac[3], eth->iobase + RAVB_REG_MAHR);
 
 	writel((mac[4] << 8) | mac[5], eth->iobase + RAVB_REG_MALR);
 
-- 
2.18.0

[U-Boot] [PATCH 6/8] net: ravb: Fix "left shift in type int" undefined behavior

[Marek Vasut]

On 08/20/2018 02:00 AM, Eugeniu Rosca wrote:
> Running "tftp" on R-Car H3 Salvator-X with CONFIG_UBSAN=y results in:
> 
[...]
>
> =====================================================================
> UBSAN: Undefined behaviour in drivers/net/ravb.c:205:20
> left shift of 12 by 28 places cannot be represented in type 'int'
> =====================================================================
> host 192.168.2.11 is alive
> 
> There are two issues behind:
>  - calculating RAVB_DESC_DT_* bitfields
>  - assembling MAC address from its char components
> 
> Fix both.

Nice

Acked-by: Marek Vasut <marek.vasut@gmail.com>

btw sh_eth.c might have similar issue .

> Fixes: 8ae51b6f324e ("net: ravb: Add Renesas Ethernet RAVB driver")
> Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
[...]
-- 
Best regards,
Marek Vasut

[U-Boot] [PATCH 7/8] mmc: Fix read-past-end-of-array undefined behavior

[Eugeniu Rosca]

Running "mmc dev 0" on R-Car H3 Salvator-X (CONFIG_UBSAN=y) occasionally
results in:

=> mmc dev 0
=================================================================
UBSAN: Undefined behaviour in drivers/mmc/mmc.c:2233:14
index 7 is out of range for type 'int [4]'
=================================================================

Currently, fbase[] array consists of 4 elements:
-------8<-------
static const int fbase[] = {
        10000,
        100000,
        1000000,
        10000000,
};
-------8<-------

Adjust the mask used to compute the fbase[] index accordingly.

Fixes: 272cc70b211e ("Add MMC Framework")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 drivers/mmc/mmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mmc/mmc.c b/drivers/mmc/mmc.c
index 447519f46f15..01da99edb084 100644
--- a/drivers/mmc/mmc.c
+++ b/drivers/mmc/mmc.c
@@ -2230,7 +2230,7 @@ static int mmc_startup(struct mmc *mmc)
 	}
 
 	/* divide frequency by 10, since the mults are 10x bigger */
-	freq = fbase[(cmd.response[0] & 0x7)];
+	freq = fbase[(cmd.response[0] & 0x3)];
 	mult = multipliers[((cmd.response[0] >> 3) & 0xf)];
 
 	mmc->legacy_speed = freq * mult;
-- 
2.18.0

[U-Boot] [PATCH 8/8] hashtable: Fix zero-sized array undefined behavior

[Eugeniu Rosca]

Enabling CONFIG_UBSAN=y, below runtime warning occurs both in sandbox
and R-Car H3 Salvator-X U-Boot:

=====================================================================
UBSAN: Undefined behaviour in lib/hashtable.c:784:8
variable length array bound value 0 <= 0
=====================================================================

It has a slightly different wording when compiling sandbox U-Boot
with "gcc-8 -fsanitize=undefined -lubsan":

-----8<-----
lib/hashtable.c:784:8: runtime error: \
  variable length array bound evaluates to non-positive value 0
-----8<-----

Fix the error by making sure that localvars[] can't take a negative or
zero size.

Fixes: d5370febbcbc ("env: delete selected vars not present in imported env")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 include/search.h | 2 +-
 lib/hashtable.c  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/search.h b/include/search.h
index 5d07b49073cc..417dacdb4482 100644
--- a/include/search.h
+++ b/include/search.h
@@ -99,7 +99,7 @@ extern ssize_t hexport_r(struct hsearch_data *__htab,
  */
 extern int himport_r(struct hsearch_data *__htab,
 		     const char *__env, size_t __size, const char __sep,
-		     int __flag, int __crlf_is_lf, int nvars,
+		     int __flag, int __crlf_is_lf, unsigned int nvars,
 		     char * const vars[]);
 
 /* Walk the whole table calling the callback on each element */
diff --git a/lib/hashtable.c b/lib/hashtable.c
index 1c48692b69ed..f35d2022f630 100644
--- a/lib/hashtable.c
+++ b/lib/hashtable.c
@@ -778,10 +778,10 @@ static int drop_var_from_set(const char *name, int nvars, char * vars[])
 
 int himport_r(struct hsearch_data *htab,
 		const char *env, size_t size, const char sep, int flag,
-		int crlf_is_lf, int nvars, char * const vars[])
+		int crlf_is_lf, unsigned int nvars, char * const vars[])
 {
 	char *data, *sp, *dp, *name, *value;
-	char *localvars[nvars];
+	char *localvars[nvars + 1];
 	int i;
 
 	/* Test for correct arguments.  */
-- 
2.18.0

[U-Boot] [PATCH 8/8] hashtable: Fix zero-sized array undefined behavior

[Tom Rini]

On Mon, Aug 20, 2018 at 02:00:32AM +0200, Eugeniu Rosca wrote:

> Enabling CONFIG_UBSAN=y, below runtime warning occurs both in sandbox
> and R-Car H3 Salvator-X U-Boot:
> 
> =====================================================================
> UBSAN: Undefined behaviour in lib/hashtable.c:784:8
> variable length array bound value 0 <= 0
> =====================================================================
> 
> It has a slightly different wording when compiling sandbox U-Boot
> with "gcc-8 -fsanitize=undefined -lubsan":
> 

Reviewed-by: Tom Rini <trini@konsulko.com>

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180819/13a9dae3/attachment.sig>

[U-Boot] [PATCH 0/8] Import Undefined Behavior Sanitizer

[Tom Rini]

On Mon, Aug 20, 2018 at 02:00:24AM +0200, Eugeniu Rosca wrote:

> While certain classes of bugs (e.g. locking related) are totally
> irrelevant for U-Boot, undefined behavior is something U-Boot may
> experience all over the place and this certainly can lead to hidden
> and difficult to debug issues.
> 
> As of v4.18, Linux kernel contains roughly 119 UBSAN fixes [1]. Hence
> the sanity checker has been quite a productive and useful tool to play
> with during development.
> 
> Thanks to UBSAN, this series proposes 7 (+1 in [2]) UB fixes, revealed
> by a simple cold boot of sandbox and arm64 R-Car Gen3 U-Boot. There
> could be more issues in arch/platform/board-specific code, whose
> reproduction needs specific hardware.
> 
> A certain class of UBs [3] is reported regularly at runtime and looks
> to be related to the implementation of U-Boot linker-generated arrays.
> I believe some feedback from the authors/maintainers of those is
> required to assess if this is a UBSAN false positive or a real bug.
> 
> This series collects the low-hanging fruit and leaves others to
> experiment with UBSAN themselves.

Thanks for doing this, and I am totally behind the idea.  Further, given
the QEMU-based setups we have available it could be interesting to run
some of them those as well (and further the list of places this could be
run on).  That said, I have some specific patch feedback to follow.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180819/1566c6b5/attachment.sig>