From f958a9d7254b01ceb31e97e0c02ab098312214dc Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 25 Sep 2022 00:51:25 +0300
Subject: [PATCH] Add the UBSAN_LOCAL_BOUNDS check for Clang build

Explanations from the Linux kernel commit 6a6155f664e31c9be43cd: When the kernel is compiled with Clang, -fsanitize=bounds expands to -fsanitize=array-bounds and -fsanitize=local-bounds. Enabling -fsanitize=local-bounds with Clang has the side-effect of inserting traps. That's why UBSAN_LOCAL_BOUNDS can enable the 'local-bounds' option only when UBSAN_TRAP is enabled.
---
 kconfig_hardened_check/__init__.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 2cbcfa5..de74084 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -505,6 +505,9 @@ def add_kconfig_checks(l, arch):
 # 'self_protection', 'my'
 l += [OR(KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y'),
 efi_not_set)] # needs userspace support (systemd)
+ l += [OR(KconfigCheck('self_protection', 'my', 'UBSAN_LOCAL_BOUNDS', 'y'),
+ AND(ubsan_bounds_is_set,
+ cc_is_gcc))]
 if arch == 'X86_64':
 l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
 l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
--
2.31.1
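Review bot: The added `UBSAN_LOCAL_BOUNDS` entry has no trailing comment, unlike the `RESET_ATTACK_MITIGATION` and `SLS` entries around it. A reader of the file therefore cannot see why `AND(ubsan_bounds_is_set, cc_is_gcc)` is accepted as an alternative, nor that the option depends on UBSAN_TRAP as the commit message explains. I would end the last added line with a comment such as `# Clang only, depends on UBSAN_TRAP; a GCC build passes via UBSAN_BOUNDS`. Both `ubsan_bounds_is_set` and `cc_is_gcc` are defined outside this hunk, so it is worth confirming how a config that records no compiler symbol at all is reported: presumably as a failure naming an option the user's toolchain may not offer. add_kconfig_checks starts and ends outside the hunk.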