Page sanitization improvements

This ensures init_on_alloc/free is used instead of page poisioning where available.

3.4 through 3.18 have a patch without a toggle for page sanitization.

Signed-off-by: Tad <tad@spotco.us>

Scripts/Common/Functions.sh

@@ -540,6 +540,7 @@ hardenBootArgs() {
 export -f hardenBootArgs;
 
 enableAutoVarInit() {
+	DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/sm8250' 'zuk/msm8996'); #redbull already supports init_stack_all_zero
 	cd "$DOS_BUILD_BASE";
 	echo "auto-var-init: Starting!";
 	for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}"
@@ -567,8 +568,8 @@ enableAutoVarInit() {
 			else
 				echo "auto-var-init: Could not enable for $kernel";
 			fi;
-		else
-			echo "auto-var-init: $kernel not in tree";
+#		else
+#			echo "auto-var-init: $kernel not in tree";
 		fi;
 	done;
 	echo "auto-var-init: Finished!";
@@ -799,7 +800,8 @@ hardenDefconfig() {
 	optionsYes+=("IO_STRICT_DEVMEM");
 
 	#Linux 4.6
-	optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ENABLE_DEFAULT" "PAGE_POISONING_NO_SANITY");
+	optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ZERO");
+	#Disabled: PAGE_POISONING_NO_SANITY
 
 	#Linux 4.7
 	optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
@@ -834,18 +836,12 @@ hardenDefconfig() {
 	#Linux 4.18
 	optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
 
-	#Linux 4.19
-	optionsYes+=("PAGE_POISONING_ZERO");
-
 	#Linux 5.0
 	optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
 
 	#Linux 5.2
 	optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
 
-	#Linux 5.3
-	optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
-
 	#Linux 5.8
 	optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
 
@@ -862,7 +858,7 @@ hardenDefconfig() {
 	#optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
 
 	#GrapheneOS Patches
-	optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
+	optionsYes+=("SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
 	#Disabled: SLAB_CANARY (breakage?)
 
 	#out of tree or renamed or removed ?
@@ -874,6 +870,28 @@ hardenDefconfig() {
 	#Hardware enablement #XXX: This needs a better home
 	optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
 
+	modernKernels=('google/coral' 'google/redbull' 'google/sunfish' 'oneplus/sm8150' 'xiaomi/sm8150' 'xiaomi/sm8250');
+	for kernelModern in "${modernKernels[@]}"; do
+		if [[ "$1" == *"/$kernelModern"* ]]; then
+			optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" "PAGE_SANITIZE_VERIFY");
+			#TODO: also disable slub_debug=P for these devices
+		fi;
+	done;
+
+	oldKernels=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/msm-4.9' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'yandex/sdm660' 'zuk/msm8996');
+	for kernelOld in "${oldKernels[@]}"; do
+		if [[ "$1" == *"/$kernelOld"* ]]; then
+			optionsYes+=("PAGE_POISONING_ENABLE_DEFAULT");
+		fi;
+	done;
+
+	weirdKernels=('google/wahoo');
+	for kernelWeird in "${weirdKernels[@]}"; do
+		if [[ "$1" == *"/$kernelWeird"* ]]; then
+			optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY");
+		fi;
+	done;
+
 	for option in "${optionsYes[@]}"
 	do
 		#If the option is disabled, enable it

Scripts/LineageOS-14.1/Patch.sh

@@ -411,8 +411,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
+deblobAudio || true;
+removeBuildFingerprints || true;
 
 #Tweaks for <2GB RAM devices
 enableLowRam "device/asus/grouper";

Scripts/LineageOS-15.1/Patch.sh

@@ -332,8 +332,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
+deblobAudio || true;
+removeBuildFingerprints || true;
 
 #Fix broken options enabled by hardenDefconfig()
 sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile

Scripts/LineageOS-16.0/Patch.sh

@@ -403,8 +403,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
+deblobAudio || true;
+removeBuildFingerprints || true;
 
 #Fix broken options enabled by hardenDefconfig()
 sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/asus/msm8953/arch/arm64/configs/*_defconfig; #Breaks on compile

Scripts/LineageOS-17.1/Patch.sh

@@ -484,9 +484,9 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
-enableAutoVarInit;
+deblobAudio || true;
+removeBuildFingerprints || true;
+enableAutoVarInit || true;
 
 #Tweaks for <2GB RAM devices
 #enableLowRam "device/motorola/harpia";

Scripts/LineageOS-18.1/Patch.sh

@@ -573,9 +573,9 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
-enableAutoVarInit;
+deblobAudio || true;
+removeBuildFingerprints || true;
+enableAutoVarInit || true;
 
 #Tweaks for <2GB RAM devices
 #enableLowRam "device/samsung/serrano3gxx";

Scripts/init.sh

@@ -78,7 +78,6 @@ export DOS_SENSORS_PERM_NEW=true;
 export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS!
 export DOS_WEBVIEW_LFS=true; #Whether to `git lfs pull` in the WebView repository
 #alias DOS_WEBVIEW_CHERRYPICK='git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/00/316600/2';
-export DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/sm8250' 'zuk/msm8996'); #redbull already supports init_stack_all_zero
 
 #Servers
 export DOS_DEFAULT_DNS_PRESET="Quad9"; #Sets default DNS. Options: See changeDefaultDNS() in Scripts/Common/Functions.sh