From d32dab11a0c3cae9b52454d43ec8a08deacca07f Mon Sep 17 00:00:00 2001
From: Alexander Popov <alex.popov@linux.com>
Date: Sun, 1 Sep 2024 13:40:16 +0300
Subject: [PATCH] Update the UBSAN_SANITIZE_ALL kconfig check

It was enabled by default in UBSAN and removed in the commit
918327e9b7ffb45321cbb4b9b86b58ec555fe6b3 in Linux v6.9.
---
 kernel_hardening_checker/checks.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 0cc9e58..49019e0 100755
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -221,8 +221,9 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
               KconfigCheck('self_protection', 'kspp', 'UBSAN_BOOL', 'is not set'),
               KconfigCheck('self_protection', 'kspp', 'UBSAN_ENUM', 'is not set'),
               KconfigCheck('self_protection', 'kspp', 'UBSAN_ALIGNMENT', 'is not set'))] # only array index bounds checking with traps
-    l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
-              ubsan_bounds_is_set)]
+    l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
+             AND(ubsan_bounds_is_set,
+                 VersionCheck((6, 9, 0))))] # UBSAN_SANITIZE_ALL was enabled by default in UBSAN in v6.9
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
         l += [AND(stackleak_is_set,
-- 
2.31.1