lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202109051257.29B29745C0@keescook>
Date:   Sun, 5 Sep 2021 13:52:29 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Arnd Bergmann <arnd@...db.de>, Daniel Vetter <daniel@...ll.ch>,
        Dan Williams <dan.j.williams@...el.com>,
        Rasmus Villemoes <linux@...musvillemoes.dk>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Keith Packard <keithp@...thp.com>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        linux-hardening@...r.kernel.org
Subject: Re: [GIT PULL] overflow updates for v5.15-rc1

On Sun, Sep 05, 2021 at 10:36:22AM -0700, Linus Torvalds wrote:
> This is actually just bog-standard gcc-11.2 from F34, and an allmodconfig build.

I've checked this on F32 now, and I still wasn't seeing the testsuite
warnings. I did see this, though, unrelated to (but certainly thematically
associated with) the overflow series:

fs/qnx4/dir.c: In function 'qnx4_readdir':
fs/qnx4/dir.c:51:32: warning: 'strnlen' specified bound 48 exceeds source size 16 [-Wstringop-overread]
   51 |                         size = strnlen(de->di_fname, size);
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from fs/qnx4/qnx4.h:3,
                 from fs/qnx4/dir.c:16:
./include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here
   45 |         char            di_fname[QNX4_SHORT_NAME_MAX];
      |                         ^~~~~~~~


> Three errors due to "-Werror=unused-value", but 17 each of variations on

These are just side-effects of the actual warning going "missing".

>     error: call to ‘__read_overflow’ declared with attribute error:
> detected read beyond size of object (1st parameter)
> 
> and
> 
>     warning: unsafe xyz() usage lacked '__read_overflow' warning
> 
> warnings.

The latter is complaining about not seeing the former... O_o

Oh... I found it:

>     error: call to ‘__read_overflow’ declared with attribute error:
                     ^               ^
vs:

      error: call to '__read_overflow' declared with attribute error:
                     ^               ^

Looks like it's LANG biting me! Ugh.

LANG=en.US.UTF-8 is '
LANG=C           is '
LANG=C.UTF-8     is `

Fedora uses C.UTF-8 by default, but my build tooling (and seemingly many
others) are using LANG=en_US.UTF-8 or LANG=C. Specifically, this appears
to be LC_NAME? Fixing now...

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ