
[4/4] UBUNTU: [Config] Enable CONFIG_UBSAN_BOUNDS

Message ID 20210820071002.3560053-5-keescook@chromium.org
State New
Series Various config tweaks | expand

Commit Message

Kees Cook Aug. 20, 2021, 7:10 a.m. UTC
From: Kees Cook <kees@ubuntu.com>

This enables run-time array index bounds checking for arrays with
compile-time known sizes. This catches some potentially serious issues
at run-time with nearly zero performance impact. Syzkaller is still
catching bugs with this. (See "array-index-out-of-bounds" reports at
https://syzkaller.appspot.com/upstream)

Using UBSAN_TRAP=y has nearly no impact on image size, though it makes
caught conditions much less verbose.

BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1914685

Signed-off-by: Kees Cook <kees@ubuntu.com>
---
 debian.master/config/annotations          | 12 +++++++++++-
 debian.master/config/config.common.ubuntu | 12 +++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

Patch

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 0c2d17076442..40f7743daf91 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -11409,7 +11409,17 @@  CONFIG_KDB_KEYBOARD                             policy<{'amd64': 'y', 'arm64': '
 CONFIG_KDB_CONTINUE_CATASTROPHIC                policy<{'amd64': '0', 'arm64': '0', 'armhf': '0', 'ppc64el': '0'}>
 
 # Menu: Kernel hacking >> Generic Kernel Debugging Instruments >> Undefined behaviour sanity checker
-CONFIG_UBSAN                                    policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_UBSAN                                    policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_UBSAN_TRAP                               policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_UBSAN_BOUNDS                             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_UBSAN_SHIFT                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_DIV_ZERO                           policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_UNREACHABLE                        policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_OBJECT_SIZE                        policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_BOOL                               policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_ENUM                               policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_ALIGNMENT                          policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_SANITIZE_ALL                       policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 
 # Menu: Kernel hacking >> Kernel Testing and Coverage
 CONFIG_MEMTEST                                  policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y'}>
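Review bot: The seven added sub-option lines (`CONFIG_UBSAN_SHIFT` through `CONFIG_UBSAN_ALIGNMENT`) carry no `s390x` policy, while `CONFIG_UBSAN`, `CONFIG_UBSAN_TRAP`, `CONFIG_UBSAN_BOUNDS` and `CONFIG_UBSAN_SANITIZE_ALL` in the same hunk all set `'s390x': 'y'`. With UBSAN enabled on s390x those sub-options presumably become selectable there as well, and the config.common.ubuntu hunk sets them for every architecture, so the annotations leave the s390x values unchecked. If the omission is not deliberate, add the entry to each of the seven lines, e.g. `CONFIG_UBSAN_SHIFT policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>`.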
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 8bbd7d7a8d1d..e9396bd41b81 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -11219,7 +11219,17 @@  CONFIG_UBIFS_FS_SECURITY=y
 CONFIG_UBIFS_FS_XATTR=y
 CONFIG_UBIFS_FS_ZLIB=y
 CONFIG_UBIFS_FS_ZSTD=y
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+CONFIG_UBSAN_TRAP=y
+CONFIG_UBSAN_BOUNDS=y
+# CONFIG_UBSAN_SHIFT is not set
+# CONFIG_UBSAN_DIV_ZERO is not set
+# CONFIG_UBSAN_UNREACHABLE is not set
+# CONFIG_UBSAN_OBJECT_SIZE is not set
+# CONFIG_UBSAN_BOOL is not set
+# CONFIG_UBSAN_ENUM is not set
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
 CONFIG_UBUNTU_HOST=m
 CONFIG_UBUNTU_ODM_DRIVERS=y
 CONFIG_UCB1400_CORE=m
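Review bot: `CONFIG_UBSAN_TRAP=y` lands in the common config, so it applies to every flavour built from it, and nothing in the tree records the availability trade-off that comes with trap mode. A bounds violation then ends in a trap in whatever kernel context hit it, which is presumably handled like a BUG; on hosts that panic on oops that means a reboot instead of a logged report. This file carries no comments, so the matching `CONFIG_UBSAN_TRAP` line in the annotations hunk is the place to record the reasoning, for example with `note<LP: #1914685>` after the policy.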