From d32dab11a0c3cae9b52454d43ec8a08deacca07f Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 1 Sep 2024 13:40:16 +0300
Subject: [PATCH] Update the UBSAN_SANITIZE_ALL kconfig check

It was enabled by default in UBSAN and removed in the commit 918327e9b7ffb45321cbb4b9b86b58ec555fe6b3 in Linux v6.9.
---
 kernel_hardening_checker/checks.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 0cc9e58..49019e0 100755
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -221,8 +221,9 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
 KconfigCheck('self_protection', 'kspp', 'UBSAN_BOOL', 'is not set'),
 KconfigCheck('self_protection', 'kspp', 'UBSAN_ENUM', 'is not set'),
 KconfigCheck('self_protection', 'kspp', 'UBSAN_ALIGNMENT', 'is not set'))] # only array index bounds checking with traps
- l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
- ubsan_bounds_is_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
+ AND(ubsan_bounds_is_set,
+ VersionCheck((6, 9, 0))))] # UBSAN_SANITIZE_ALL was enabled by default in UBSAN in v6.9
 if arch in ('X86_64', 'ARM64', 'X86_32'):
 stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
 l += [AND(stackleak_is_set,
--
2.31.1
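Review bot: The first branch of the new `OR(...)` accepts `UBSAN_SANITIZE_ALL=y` on its own, whereas the removed `AND(...)` also required `ubsan_bounds_is_set`, so on kernels before v6.9 this row can now report OK without array bounds checking being enabled. If `ubsan_bounds_is_set` is already reported as its own row above the hunk (its definition is not visible here), the relaxation is harmless, but it should be stated in a comment such as `# pre-6.9: UBSAN_BOUNDS is checked on its own row; this row only needs UBSAN_SANITIZE_ALL=y`. The trailing comment would also read more clearly if it said why the version gate exists, e.g. `# UBSAN_SANITIZE_ALL was removed in v6.9: UBSAN now always instruments the whole kernel`. The body of add_kconfig_checks starts and ends outside the hunk.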