From bd2bb9e381cd14f88753dba16e173e4080076421 Mon Sep 17 00:00:00 2001
From: Tim Steinbach
Date: Wed, 24 Mar 2021 10:07:06 -0400
Subject: linux-hardened: Enable KFENCE

"Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety error detector. KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors."
---
 pkgs/os-specific/linux/kernel/hardened/config.nix | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'pkgs/os-specific/linux/kernel/hardened/config.nix')

diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index e4a7522fe59..20f9f5aaa14 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -91,4 +91,6 @@ assert (versionAtLeast version "4.9");
 CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
 CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
+ # Detect out-of-bound reads/writes and use-after-free
+ KFENCE = whenAtLeast "5.12" yes;
 }
-- 
cgit 1.4.1
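Review bot: The comment added above `KFENCE` reads as if the option reliably catches these bugs, but the commit message itself describes KFENCE as sampling-based, so only a sampled subset of heap allocations is guarded and a hit is reported rather than prevented. I would word it as `# Sampling-based detector for heap out-of-bounds, use-after-free and invalid-free (a detector, not a mitigation)` so it is not weighed like the stack-protector entries just above it. Separately, `yes` is applied unconditionally from 5.12 while KFENCE depends on per-architecture support (`HAVE_ARCH_KFENCE`), so it is worth confirming that config generation for the hardened kernel still succeeds on every platform it is built for. The attribute set closed by `}` begins outside this hunk, so how other entries handle optional symbols is not visible here.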