[2/8] UBUNTU: [Config] Enable linked list manipulation checks

Message ID 20200119131029.23160-3-tyhicks@canonical.com
State New
Series
  • Kernel hardening config changes

Commit Message

Tyler Hicks Jan. 19, 2020, 1:10 p.m. UTC
BugLink: https://launchpad.net/bugs/1855334

Turn on CONFIG_DEBUG_LIST which does some sanity checking on the
surrounding linked list elements when adding or removing an element. If
the sanity check fails, the list manipulation operation is not performed
and a loud warning is printed to the logs.

This may prevent some exploits that involve manipulating a linked list.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 debian.master/config/annotations          | 3 ++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

Patch

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index a14064062df2..c8781797bfe8 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -10621,7 +10621,7 @@  CONFIG_SCHED_STACK_END_CHECK                    policy<{'amd64': 'y', 'arm64': '
 CONFIG_DEBUG_PREEMPT                            policy<{'amd64-lowlatency': 'n', 'i386-lowlatency': 'n'}>
 CONFIG_DEBUG_KOBJECT                            policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_DEBUG_BUGVERBOSE                         policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_DEBUG_LIST                               policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_DEBUG_LIST                               policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_DEBUG_PLIST                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_DEBUG_SG                                 policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_DEBUG_NOTIFIERS                          policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
@@ -10631,6 +10631,7 @@  CONFIG_DEBUG_BLOCK_EXT_DEVT                     policy<{'amd64': 'n', 'arm64': '
 CONFIG_CPU_HOTPLUG_STATE_CONTROL                policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_LATENCYTOP                               policy<{'amd64-generic': 'n', 'amd64-lowlatency': 'y', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 #
+CONFIG_DEBUG_LIST                               mark<ENFORCED> note<LP:1855334>
 CONFIG_LATENCYTOP                               mark<ENFORCED> note<https://lists.ubuntu.com/archives/kernel-team/2014-July/045006.html, LP#1655986>
 
 # Menu: Kernel hacking >> Kernel debugging >> Architecture: arm
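Review bot: The added CONFIG_DEBUG_LIST enforcement line writes its bug reference as `note<LP:1855334>`, while the CONFIG_LATENCYTOP line directly below uses `LP#1655986`; using one form keeps the annotations searchable by bug number. Because the mark is ENFORCED, this note is also the only in-file record of why the option must stay on. It could name the reason as well, for example `note<LP#1855334: hardening, list corruption checks>`, assuming the annotations parser accepts free text there as the existing URL-bearing note suggests.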
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 4aace08c2bfa..b0b3b98cfa6f 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -2323,7 +2323,7 @@  CONFIG_DEBUG_KERNEL=y
 # CONFIG_DEBUG_KERNEL_DC is not set
 # CONFIG_DEBUG_KMEMLEAK is not set
 # CONFIG_DEBUG_KOBJECT is not set
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_LL is not set
 CONFIG_DEBUG_LL_INCLUDE="mach/debug-macro.S"
 # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
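Review bot: `CONFIG_DEBUG_LIST=y` on its own makes a failed list check warn and skip the operation, as the commit message describes, so the kernel keeps running on memory that is already known to be corrupted. The benefit then depends on the warning being noticed in the logs. Whether `CONFIG_BUG_ON_DATA_CORRUPTION` is deliberately left off is not visible in this hunk and may be settled by another patch in the series. If it is deliberate, I would record that next to the enforcement entry in the annotations file, for example `note<LP:1855334, warn-only: BUG_ON_DATA_CORRUPTION not set>`, so the trade-off between availability and stopping on corruption is explicit.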