Message-ID: <202301121559.AE5064D@keescook>
Date:   Thu, 12 Jan 2023 16:10:08 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     gregkh@...uxfoundation.org, kees@...nel.org, linux@...ck-us.net,
        vbabka@...e.cz, stable-commits@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: Re: Patch "gcc: disable -Warray-bounds for gcc-11 too" has been
 added to the 6.1-stable tree

On Thu, Jan 12, 2023 at 05:22:53PM -0600, Linus Torvalds wrote:
> But right now it seems a matter of "just by luck, we don't hit it
> anywhere else", and I'm not interested in playing any more
> whack-a-mole with this broken compiler option.

Okay, understood.

FWIW, I've been tracking these and getting reproducers so they can
get worked on. A few got fixed for GCC 12, but not enough to turn
-Warray-bounds on there. More were fixed in GCC 13. So far, I'm aware
of these 3 getting fixed since we started trying to enable
-Warray-bounds:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105679
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99578
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101419

I recently reported 1:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108306

And these 3 are likely related, but for options we don't yet enable,
but seem to be internal issues with the value range handling (usually
when a sanitizer of one kind or another is enabled):

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97490
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101778

The powerpc issue hasn't been reported yet. It's my intention to do so
once I can get it minimized.

-- 
Kees Cook
