Add the comments: CC_IS_GCC and CC_IS_CLANG exist since v4.18

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 2cbcfa5e8197f592c7ad005aea65244d1504f56b..218e8fd7d8504ca08aa664edf8994a1e4a05e7e3 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -332,8 +332,8 @@ def add_kconfig_checks(l, arch):
     #     when the tool doesn't check the cmdline.
 
     efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
-    cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y')
-    cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y')
+    cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
+    cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
 
     modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
     devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
@@ -505,6 +505,9 @@ def add_kconfig_checks(l, arch):
     # 'self_protection', 'my'
     l += [OR(KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y'),
              efi_not_set)] # needs userspace support (systemd)
+    l += [OR(KconfigCheck('self_protection', 'my', 'UBSAN_LOCAL_BOUNDS', 'y'),
+             AND(ubsan_bounds_is_set,
+                 cc_is_gcc))]
     if arch == 'X86_64':
         l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
         l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),