From: Alexander Popov Date: Sun, 1 Sep 2024 10:40:16 +0000 (+0300) Subject: Update the UBSAN_SANITIZE_ALL kconfig check X-Git-Tag: v0.6.10~15 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=d32dab11a0c3cae9b52454d43ec8a08deacca07f;p=kconfig-hardened-check.git Update the UBSAN_SANITIZE_ALL kconfig check It was enabled by default in UBSAN and removed in the commit 918327e9b7ffb45321cbb4b9b86b58ec555fe6b3 in Linux v6.9.
---
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 0cc9e58..49019e0 100755
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -221,8 +221,9 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
 KconfigCheck('self_protection', 'kspp', 'UBSAN_BOOL', 'is not set'),
 KconfigCheck('self_protection', 'kspp', 'UBSAN_ENUM', 'is not set'),
 KconfigCheck('self_protection', 'kspp', 'UBSAN_ALIGNMENT', 'is not set'))] # only array index bounds checking with traps
- l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
- ubsan_bounds_is_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
+ AND(ubsan_bounds_is_set,
+ VersionCheck((6, 9, 0))))] # UBSAN_SANITIZE_ALL was enabled by default in UBSAN in v6.9
 if arch in ('X86_64', 'ARM64', 'X86_32'):
 stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
 l += [AND(stackleak_is_set,
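Review bot: The first alternative of the new `OR(...)` accepts `UBSAN_SANITIZE_ALL` set to `y` on its own, while the removed `AND(...)` also required `ubsan_bounds_is_set`. On a pre-6.9 config this entry can therefore report OK with UBSAN_BOUNDS unset, which is looser than before. That is acceptable only if UBSAN_BOUNDS has its own entry elsewhere in `add_kconfig_checks`, whose body starts and ends outside this hunk; in that case a comment should say the dependency is deliberately left to that entry. The trailing comment also omits the removal that makes the version check necessary, so I would word it as `# UBSAN_SANITIZE_ALL was removed in v6.9, its behaviour became the UBSAN default`.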