lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 5 Sep 2021 11:31:44 -0700
From:   Kees Cook <>
To:     Linus Torvalds <>
Cc:     Linux Kernel Mailing List <>,
        Arnd Bergmann <>, Daniel Vetter <>,
        Dan Williams <>,
        Rasmus Villemoes <>,
        Greg Kroah-Hartman <>,
        "Gustavo A. R. Silva" <>,
        Keith Packard <>,
        Nathan Chancellor <>,
        Nick Desaulniers <>,
Subject: Re: [GIT PULL] overflow updates for v5.15-rc1

On Sun, Sep 05, 2021 at 10:36:22AM -0700, Linus Torvalds wrote:
> On Sun, Sep 5, 2021 at 12:38 AM Kees Cook <> wrote:
> >
> > Yeech. Yeah, no, that was not expected at all. I even did test merge builds against your latest tree before sending the Pull Request. This has been in -next for weeks, too.
> Sadly, I don't think linux-next checks for warnings.

Oh, I thought I'd gotten such reports from sfr before, but certainly the
0day bot and others have yelled loudly about new warnings (from earlier
iterations of this series in -next).

> I really want to enable -Werror at some point, but every time I think
> I should, I just end up worrying about another random new compiler (or
> a random old one).
> We do have -Werror in various configurations (and in some sub-trees).

Yup, I think ppc and drm?

> > What was the build environment?
> This is actually just bog-standard gcc-11.2 from F34, and an allmodconfig build.

Ah, fun. Yeah, I'm behind on versions, it seems. Default gcc version on
latest stable Ubuntu release is 10.3. I will go retest on the devel

> > Seeing an unexpected "-Wunused-value" in your output makes me think I've got a compiler version blind-spot, with some different default flags.)
> There were lots of other ones too, I just pasted a small subset. Thne
> full error log was 400+ lines. Most of those lines are just because of
> the very verbose warnings.
> Three errors due to "-Werror=unused-value", but 17 each of variations on
>     error: call to ‘__read_overflow’ declared with attribute error:
> detected read beyond size of object (1st parameter)
> and
>     warning: unsafe xyz() usage lacked '__read_overflow' warning
> warnings.
> Full 400+ lines (25kB) of errors/warnings messages attached in case
> you care about the whole thing and can't easily reproduce.

Yeah, the tests are designed to freak out if it gets an unexpected
warning (since it's trying to check for _expected_ warnings), but
regardless, they were not at all supposed to be spewing like this
immediately! :P

Sorry for the noise; I will get it cleaned up and re-sent.


Kees Cook

Powered by blists - more mailing lists