[ubuntu-hardened] [PATCH 4/4] UBUNTU: [Config] Enable CONFIG_UBSAN_BOUNDS
Kees Cook
keescook at chromium.org
Fri Aug 20 07:10:02 UTC 2021
From: Kees Cook <kees at ubuntu.com>
This enables run-time array index bounds checking for arrays with
compile-time known sizes. This catches some potentially serious issues
at run-time with nearly zero performance impact. Syzkaller is still
catching bugs with this. (See "array-index-out-of-bounds" reports at
https://syzkaller.appspot.com/upstream)
Using UBSAN_TRAP=y has nearly no impact on image size, though it makes
caught conditions much less verbose.
BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1914685
Signed-off-by: Kees Cook <kees at ubuntu.com>
---
debian.master/config/annotations | 12 +++++++++++-
debian.master/config/config.common.ubuntu | 12 +++++++++++-
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 0c2d17076442..40f7743daf91 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -11409,7 +11409,17 @@ CONFIG_KDB_KEYBOARD policy<{'amd64': 'y', 'arm64': '
CONFIG_KDB_CONTINUE_CATASTROPHIC policy<{'amd64': '0', 'arm64': '0', 'armhf': '0', 'ppc64el': '0'}>
# Menu: Kernel hacking >> Generic Kernel Debugging Instruments >> Undefined behaviour sanity checker
-CONFIG_UBSAN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_UBSAN policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_UBSAN_TRAP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_UBSAN_BOUNDS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_UBSAN_SHIFT policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_DIV_ZERO policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_UNREACHABLE policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_OBJECT_SIZE policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_BOOL policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_ENUM policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_ALIGNMENT policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n'}>
+CONFIG_UBSAN_SANITIZE_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
# Menu: Kernel hacking >> Kernel Testing and Coverage
CONFIG_MEMTEST policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y'}>
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 8bbd7d7a8d1d..e9396bd41b81 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -11219,7 +11219,17 @@ CONFIG_UBIFS_FS_SECURITY=y
CONFIG_UBIFS_FS_XATTR=y
CONFIG_UBIFS_FS_ZLIB=y
CONFIG_UBIFS_FS_ZSTD=y
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+CONFIG_UBSAN_TRAP=y
+CONFIG_UBSAN_BOUNDS=y
+# CONFIG_UBSAN_SHIFT is not set
+# CONFIG_UBSAN_DIV_ZERO is not set
+# CONFIG_UBSAN_UNREACHABLE is not set
+# CONFIG_UBSAN_OBJECT_SIZE is not set
+# CONFIG_UBSAN_BOOL is not set
+# CONFIG_UBSAN_ENUM is not set
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
CONFIG_UBUNTU_HOST=m
CONFIG_UBUNTU_ODM_DRIVERS=y
CONFIG_UCB1400_CORE=m
--
2.30.2
More information about the ubuntu-hardened
mailing list