From: Alexander Popov Date: Sat, 24 Sep 2022 21:51:25 +0000 (+0300) Subject: Add the UBSAN_LOCAL_BOUNDS check for Clang build X-Git-Tag: v0.6.1~91 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=f958a9d7254b01ceb31e97e0c02ab098312214dc;hp=a4e54de7ae6c5312e1b99821c666a487067e8e07;p=kconfig-hardened-check.git Add the UBSAN_LOCAL_BOUNDS check for Clang build Explanations from the Linux kernel commit 6a6155f664e31c9be43cd: When the kernel is compiled with Clang, -fsanitize=bounds expands to -fsanitize=array-bounds and -fsanitize=local-bounds. Enabling -fsanitize=local-bounds with Clang has the side-effect of inserting traps. That's why UBSAN_LOCAL_BOUNDS can enable the 'local-bounds' option only when UBSAN_TRAP is enabled.
---
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 2cbcfa5..de74084 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -505,6 +505,9 @@ def add_kconfig_checks(l, arch):
 # 'self_protection', 'my'
 l += [OR(KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y'),
 efi_not_set)] # needs userspace support (systemd)
+ l += [OR(KconfigCheck('self_protection', 'my', 'UBSAN_LOCAL_BOUNDS', 'y'),
+ AND(ubsan_bounds_is_set,
+ cc_is_gcc))]
 if arch == 'X86_64':
 l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
 l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
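Review bot: The new `UBSAN_LOCAL_BOUNDS` entry carries no trailing comment, unlike the `RESET_ATTACK_MITIGATION` and `SLS` entries around it, so the reason `AND(ubsan_bounds_is_set, cc_is_gcc)` counts as a pass is recorded only in the commit message. I would add a comment on the first added line, for example `# for Clang builds; local-bounds needs UBSAN_TRAP, a GCC build with UBSAN_BOUNDS passes instead`. That also tells a Clang user why the check fails when UBSAN_BOUNDS is set but UBSAN_TRAP is not, and that satisfying it presumably means an out-of-bounds hit traps instead of only being reported. `ubsan_bounds_is_set` and `cc_is_gcc` are defined outside this hunk, and `add_kconfig_checks` starts and ends outside it, so whether UBSAN_TRAP has its own check cannot be seen here.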