Fix UBSAN_BOUNDS recommendations

author Alexander Popov <alex.popov@linux.com>

Tue, 21 Sep 2021 18:19:51 +0000 (21:19 +0300)

committer Alexander Popov <alex.popov@linux.com>

Tue, 21 Sep 2021 18:24:16 +0000 (21:24 +0300)
author Alexander Popov <alex.popov@linux.com>
Tue, 21 Sep 2021 18:19:51 +0000 (21:19 +0300)
committer Alexander Popov <alex.popov@linux.com>
Tue, 21 Sep 2021 18:24:16 +0000 (21:24 +0300)
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py

index 0a0014fdc1d36734c2f6d395401e84272267b7e2..148c3881fa3ad4258ac3ccc599df0c693195c2a7 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -419,10 +419,15 @@ def construct_checklist(l, arch):
          l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'),
                    iommu_support_is_set)]
  
+    # 'self_protection', 'maintainer'
+    ubsan_bounds_is_set = OptCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking
+    l += [ubsan_bounds_is_set]
+    l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'),
+              ubsan_bounds_is_set)]
+    l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'),
+              ubsan_bounds_is_set)]
+
      # 'self_protection', 'my'
-    l += [AND(OptCheck('self_protection', 'my', 'UBSAN_BOUNDS', 'y'),
-              OptCheck('self_protection', 'my', 'UBSAN_MISC', 'is not set'),
-              OptCheck('self_protection', 'my', 'UBSAN_TRAP', 'y'))]
      l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
      if arch == 'X86_64':
          l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
author	Alexander Popov <alex.popov@linux.com>
	Tue, 21 Sep 2021 18:19:51 +0000 (21:19 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Tue, 21 Sep 2021 18:24:16 +0000 (21:24 +0300)