From 6c5a65622c09b0cca075d48ed163c2cbc4cf6d02 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 2 Apr 2022 02:18:30 -0400
Subject: [PATCH] Page sanitization improvements
This ensures init_on_alloc/free is used instead of page poisioning where available. 3.4 through 3.18 have a patch without a toggle for page sanitization.
Signed-off-by: Tad
---
 Scripts/Common/Functions.sh | 38 ++++++++++++++++++++++++---------
 Scripts/LineageOS-14.1/Patch.sh | 4 ++--
 Scripts/LineageOS-15.1/Patch.sh | 4 ++--
 Scripts/LineageOS-16.0/Patch.sh | 4 ++--
 Scripts/LineageOS-17.1/Patch.sh | 6 +++---
 Scripts/LineageOS-18.1/Patch.sh | 6 +++---
 Scripts/init.sh | 1 -
 7 files changed, 40 insertions(+), 23 deletions(-)
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index 50b2cd88..607ea908 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -540,6 +540,7 @@ hardenBootArgs() {
 export -f hardenBootArgs;
 enableAutoVarInit() {
+ DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/sm8250' 'zuk/msm8996'); #redbull already supports init_stack_all_zero
 cd "$DOS_BUILD_BASE";
 echo "auto-var-init: Starting!";
 for kernel in "${DOS_AUTOVARINIT_KERNELS[@]}"
@@ -567,8 +568,8 @@ enableAutoVarInit() {
 else
 echo "auto-var-init: Could not enable for $kernel";
 fi;
- else
- echo "auto-var-init: $kernel not in tree";
+# else
+# echo "auto-var-init: $kernel not in tree";
 fi;
 done;
 echo "auto-var-init: Finished!";
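Review bot: `DOS_AUTOVARINIT_KERNELS` is assigned inside enableAutoVarInit() without `local` in the `-540` hunk, so after the first call the array is a global in the calling shell, and its `DOS_` prefix still reads like a setting from init.sh even though this commit removes it from there. Declaring it function-scoped, `local -a DOS_AUTOVARINIT_KERNELS=(…);`, keeps the list private to the function. A short comment saying why the list now lives here rather than in init.sh would also help the next maintainer. The function body continues outside the hunk.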
@@ -799,7 +800,8 @@ hardenDefconfig() {
 optionsYes+=("IO_STRICT_DEVMEM");
 #Linux 4.6
- optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ENABLE_DEFAULT" "PAGE_POISONING_NO_SANITY");
+ optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_ZERO");
+ #Disabled: PAGE_POISONING_NO_SANITY
 #Linux 4.7
 optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
@@ -834,18 +836,12 @@ hardenDefconfig() {
 #Linux 4.18
 optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
- #Linux 4.19
- optionsYes+=("PAGE_POISONING_ZERO");
-
 #Linux 5.0
 optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
 #Linux 5.2
 optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
- #Linux 5.3
- optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
-
 #Linux 5.8
 optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
@@ -862,7 +858,7 @@ hardenDefconfig() {
 #optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
 #GrapheneOS Patches
- optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
+ optionsYes+=("SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
 #Disabled: SLAB_CANARY (breakage?)
 #out of tree or renamed or removed ?
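Review bot: Dropping `PAGE_POISONING_NO_SANITY` from `optionsYes` in the `-799` hunk does not turn it off in a defconfig that already ships `CONFIG_PAGE_POISONING_NO_SANITY=y`, because the `optionsYes` loop further down is commented as only enabling options that are disabled. With that option left on, freed pages are still filled but the pattern check on allocation is skipped, so the `#Disabled:` comment would overstate what the build gets. If hardenDefconfig() keeps a disable list (not visible in these hunks), add the option there, e.g. `optionsNo+=("PAGE_POISONING_NO_SANITY");`. The same question applies to `PAGE_POISONING_ENABLE_DEFAULT` on the kernels meant to use init_on_alloc/free, and to `PAGE_SANITIZE` in the `-862` hunk. The function body starts and ends outside these hunks.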
@@ -874,6 +870,28 @@ hardenDefconfig() {
 #Hardware enablement #XXX: This needs a better home
 optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
+ modernKernels=('google/coral' 'google/redbull' 'google/sunfish' 'oneplus/sm8150' 'xiaomi/sm8150' 'xiaomi/sm8250');
+ for kernelModern in "${modernKernels[@]}"; do
+ if [[ "$1" == *"/$kernelModern"* ]]; then
+ optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" "PAGE_SANITIZE_VERIFY");
+ #TODO: also disable slub_debug=P for these devices
+ fi;
+ done;
+
+ oldKernels=('essential/msm8998' 'fairphone/sdm632' 'fxtec/msm8998' 'google/msm-4.9' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'yandex/sdm660' 'zuk/msm8996');
+ for kernelOld in "${oldKernels[@]}"; do
+ if [[ "$1" == *"/$kernelOld"* ]]; then
+ optionsYes+=("PAGE_POISONING_ENABLE_DEFAULT");
+ fi;
+ done;
+
+ weirdKernels=('google/wahoo');
+ for kernelWeird in "${weirdKernels[@]}"; do
+ if [[ "$1" == *"/$kernelWeird"* ]]; then
+ optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY");
+ fi;
+ done;
+
 for option in "${optionsYes[@]}"
 do
 #If the option is disabled, enable it
diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh
index 59b749ba..363dddd2 100644
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
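Review bot: A kernel path that matches none of `modernKernels`, `oldKernels` or `weirdKernels` now falls through with no default-on page sanitization option at all, since this commit takes `PAGE_POISONING_ENABLE_DEFAULT`, `INIT_ON_*_DEFAULT_ON` and `PAGE_SANITIZE` out of the unconditional lists. The commit message covers 3.4 through 3.18 with a separate patch, but a newer tree added later and missing from these lists would presumably be built with the weaker setting, and nothing in the log would say so. Record whether a list matched (set a flag in each `if` branch) and report the miss after the third loop, e.g. `[[ -n "$pageSanitizeMode" ]] || echo "hardenDefconfig: no page sanitization default selected for $1" >&2;`. The open `#TODO` about `slub_debug=P` deserves a tracking reference, since it marks the modern-kernel branch as unfinished. The function body starts and ends outside the hunk.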
@@ -411,8 +411,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
+deblobAudio || true;
+removeBuildFingerprints || true;
 #Tweaks for <2GB RAM devices
 enableLowRam "device/asus/grouper";
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index 3ab33fdd..0723b7ae 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -332,8 +332,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
+deblobAudio || true;
+removeBuildFingerprints || true;
 #Fix broken options enabled by hardenDefconfig()
 sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 056ae6ab..cf6c8342 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
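Review bot: `deblobAudio || true` and `removeBuildFingerprints || true` discard the exit status of what, judging by the names, are a deblobbing step and a privacy step, so a failure leaves the tree unmodified and the script carries on with no trace. The same pattern is added in the 15.1, 16.0, 17.1 and 18.1 Patch.sh hunks, where in 17.1 and 18.1 it also covers `enableAutoVarInit`, a kernel hardening step. If the aim is only to stop a non-zero return from aborting the script, keep that but make the failure visible, e.g. `removeBuildFingerprints || echo "removeBuildFingerprints failed, continuing" >&2;`. A one-line comment stating why these calls are allowed to fail would also help.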
@@ -403,8 +403,8 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
+deblobAudio || true;
+removeBuildFingerprints || true;
 #Fix broken options enabled by hardenDefconfig()
 sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/asus/msm8953/arch/arm64/configs/*_defconfig; #Breaks on compile
diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh
index f27802db..ee71b0d3 100644
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@@ -484,9 +484,9 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
-enableAutoVarInit;
+deblobAudio || true;
+removeBuildFingerprints || true;
+enableAutoVarInit || true;
 #Tweaks for <2GB RAM devices
 #enableLowRam "device/motorola/harpia";
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index 8026d0d4..161f9442 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@@ -573,9 +573,9 @@ find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableAPEX "{}"';
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'disableEnforceRRO "{}"'; fi;
 cd "$DOS_BUILD_BASE";
-deblobAudio;
-removeBuildFingerprints;
-enableAutoVarInit;
+deblobAudio || true;
+removeBuildFingerprints || true;
+enableAutoVarInit || true;
 #Tweaks for <2GB RAM devices
 #enableLowRam "device/samsung/serrano3gxx";
diff --git a/Scripts/init.sh b/Scripts/init.sh
index 9d7eca64..0f74b141 100644
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
@@ -78,7 +78,6 @@ export DOS_SENSORS_PERM_NEW=true;
 export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS!
 export DOS_WEBVIEW_LFS=true; #Whether to `git lfs pull` in the WebView repository
 #alias DOS_WEBVIEW_CHERRYPICK='git pull "https://github.com/LineageOS/android_external_chromium-webview" refs/changes/00/316600/2';
-export DOS_AUTOVARINIT_KERNELS=('essential/msm8998' 'fxtec/msm8998' 'google/coral' 'google/msm-4.9' 'google/sunfish' 'google/wahoo' 'oneplus/msm8996' 'oneplus/msm8998' 'oneplus/sdm845' 'oneplus/sm7250' 'oneplus/sm8150' 'razer/msm8998' 'razer/sdm845' 'sony/sdm660' 'sony/sdm845' 'xiaomi/sdm660' 'xiaomi/sdm845' 'xiaomi/sm6150' 'xiaomi/sm8150' 'xiaomi/sm8250' 'zuk/msm8996'); #redbull already supports init_stack_all_zero
 #Servers
 export DOS_DEFAULT_DNS_PRESET="Quad9"; #Sets default DNS. Options: See changeDefaultDNS() in Scripts/Common/Functions.sh