[PATCH 3/4] UBUNTU: [Config] Disable CONFIG_HARDENED_USERCOPY_FALLBACK
Kees Cook
keescook at chromium.org
Fri Aug 20 07:10:01 UTC 2021
From: Kees Cook <kees at ubuntu.com>
CONFIG_HARDENED_USERCOPY_FALLBACK was designed to catch old out of tree
drivers doing bad things with CONFIG_HARDENED_USERCOPY, and weakens the
protection. It's been several years now; it's time to turn this off.
BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855340
Signed-off-by: Kees Cook <kees at ubuntu.com>
---
debian.master/config/annotations | 2 +-
debian.master/config/config.common.ubuntu | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 0092f241d013..0c2d17076442 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -13578,7 +13578,7 @@ CONFIG_SECURITYFS policy<{'amd64': 'y', 'arm64': '
CONFIG_PAGE_TABLE_ISOLATION policy<{'amd64': 'y'}>
CONFIG_INTEL_TXT policy<{'amd64': 'y'}>
CONFIG_HARDENED_USERCOPY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_HARDENED_USERCOPY_FALLBACK policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_HARDENED_USERCOPY_FALLBACK policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_HARDENED_USERCOPY_PAGESPAN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_FORTIFY_SOURCE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_STATIC_USERMODEHELPER policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
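Review bot: The changed `CONFIG_HARDENED_USERCOPY_FALLBACK` policy line flips all five architectures to 'n' with no rationale recorded beside it; the only explanation lives in the commit message. Consider attaching the bug reference (LP: #1855340) to this annotations entry so a later config review does not restore 'y'. The commit message names old out-of-tree drivers as the reason the option existed, so it should also say what such a driver will see once the fallback is off.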
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 5af18fe4b2d5..8bbd7d7a8d1d 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -4019,7 +4019,7 @@ CONFIG_HANDLE_DOMAIN_IRQ=y
CONFIG_HANGCHECK_TIMER=m
CONFIG_HAPPYMEAL=m
CONFIG_HARDENED_USERCOPY=y
-CONFIG_HARDENED_USERCOPY_FALLBACK=y
+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
CONFIG_HARDEN_BRANCH_PREDICTOR=y
CONFIG_HARDIRQS_SW_RESEND=y
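Review bot: The `# CONFIG_HARDENED_USERCOPY_FALLBACK is not set` line changes only the common config, so any architecture- or flavour-specific config file that still carries `CONFIG_HARDENED_USERCOPY_FALLBACK=y` would disagree with the new all-'n' annotations policy. The diffstat shows just these two files touched; please confirm no other config in the tree sets the option and say so in the commit message.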
--
2.30.2