Update the UBSAN_SANITIZE_ALL kconfig check

author Alexander Popov <alex.popov@linux.com>

Sun, 1 Sep 2024 10:40:16 +0000 (13:40 +0300)

committer Alexander Popov <alex.popov@linux.com>

Sun, 1 Sep 2024 11:00:57 +0000 (14:00 +0300)
author Alexander Popov <alex.popov@linux.com>
Sun, 1 Sep 2024 10:40:16 +0000 (13:40 +0300)
committer Alexander Popov <alex.popov@linux.com>
Sun, 1 Sep 2024 11:00:57 +0000 (14:00 +0300)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py

index 0cc9e58dc02abfd821310b6d7d5f1e7684687754..49019e0b01b029d948e7525048bcb1dcbf6e4ab7 100755 (executable)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -221,8 +221,9 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
                KconfigCheck('self_protection', 'kspp', 'UBSAN_BOOL', 'is not set'),
                KconfigCheck('self_protection', 'kspp', 'UBSAN_ENUM', 'is not set'),
                KconfigCheck('self_protection', 'kspp', 'UBSAN_ALIGNMENT', 'is not set'))] # only array index bounds checking with traps
-    l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
-              ubsan_bounds_is_set)]
+    l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
+             AND(ubsan_bounds_is_set,
+                 VersionCheck((6, 9, 0))))] # UBSAN_SANITIZE_ALL was enabled by default in UBSAN in v6.9
      if arch in ('X86_64', 'ARM64', 'X86_32'):
          stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
          l += [AND(stackleak_is_set,
author	Alexander Popov <alex.popov@linux.com>
	Sun, 1 Sep 2024 10:40:16 +0000 (13:40 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Sun, 1 Sep 2024 11:00:57 +0000 (14:00 +0300)