lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 31 Jan 2022 14:30:47 -0800
From:   Kees Cook <>
Subject: Re: [TCWG CI] Regression caused by linux: Makefile: Enable

On Sun, Jan 30, 2022 at 01:00:43AM +0000, wrote:
> [TCWG CI] Regression caused by linux: Makefile: Enable -Warray-bounds:
> commit d4e0dad4a0cd00d1518f2105ccbfee17e2aa44a7
> Author: Kees Cook <>
>     Makefile: Enable -Warray-bounds
> [...]
> # 00:00:53 ./arch/arm/include/asm/io.h:113:9: error: array subscript 0 is outside array bounds of ‘const volatile void[0]’ [-Werror=array-bounds]

Thanks for the report!

Would it be possible to include the "inlined from" details in the email
summaries? Just getting a header file doesn't say where a header-defined
inline is being used.

For example, extracting from the build log, I can see more:

> 00:00:53 In file included from ./include/linux/io.h:13,
> 00:00:53                  from arch/arm/mach-cns3xxx/pm.c:8:
> 00:00:53 In function ‘__raw_readl’,
> 00:00:53     inlined from ‘cns3xxx_pwr_clk_en’ at arch/arm/mach-cns3xxx/pm.c:17:12:
> 00:00:53 ./arch/arm/include/asm/io.h:113:9: error: array subscript 0 is outside array bounds of ‘const volatile void[0]’ [-Werror=array-bounds]
> 00:00:53   113 |         asm volatile("ldr %0, %1"
> 00:00:53       |         ^~~

Looks like something sees a "void" type... this smells like a compiler
bug. I haven't been able to reproduce this warning yet.

> [...]
> git clone
> # Fetch manifests and script
> mkdir -p artifacts/manifests
> curl -o artifacts/manifests/ --fail
> curl -o artifacts/manifests/ --fail
> curl -o artifacts/ --fail
> chmod +x artifacts/
> # Reproduce the baseline build (build all pre-requisites)
> ./jenkins-scripts/ @@ artifacts/manifests/

I couldn't find the compiler version anywhere in here. Could you include
the compiler and linker --version output in the build logs too?

Maybe something in near here, to get either CC or
CROSS_COMPILE + HOSTCC and ld_opt's --version output:

    local opts
    opts="CC=$(pwd)/bin/${rr[target]}-cc $ld_opt SUBLEVEL=0 EXTRAVERSION=-bisect"
    if [ x"${rr[target]}" != x"$(uname -m)" ]; then
	opts="$opts ARCH=$(print_kernel_target ${rr[target]})"
	opts="$opts CROSS_COMPILE=$(print_gnu_target ${rr[target]})-"
	opts="$opts HOSTCC=gcc"

It looks like maybe this is built under Ubuntu bionic? Or maybe focal? I
don't see the warning with any GCC version I've tested with: 11.2.0
(impish), 10.3.0 (hirsute), 9.3.0 (focal), nor 7.5.0 (bionic).

Do you have some further hints about this?


Kees Cook

Powered by blists - more mailing lists