Message-ID: <Zv6BEO-1Y0oJ3krr@archlinux>
Date: Thu, 3 Oct 2024 13:33:36 +0200
From: Jan Hendrik Farr <kernel@...rr.cc>
To: Thorsten Blum <thorsten.blum@...lux.com>
Cc: Kees Cook <kees@...nel.org>, kent.overstreet@...ux.dev,
	regressions@...ts.linux.dev, linux-bcachefs@...r.kernel.org,
	linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
	ardb@...nel.org, morbo@...gle.com
Subject: Re: [REGRESSION][BISECTED] erroneous buffer overflow detected in
 bch2_xattr_validate

On 02 11:18:57, Thorsten Blum wrote:
> On 28. Sep 2024, at 22:34, Kees Cook <kees@...nel.org> wrote:
> > [...]
> > 
> > Sorry, I've been out of commission with covid. Globally disabling this
> > macro for clang is not the right solution (way too big a hammer).
> > 
> > Until Bill has a fix, we can revert commit
> > 86e92eeeb23741a072fe7532db663250ff2e726a, as the problem is limited to
> > certain situations where 'counted_by' is in use.
> 
> I already encountered two other related __counted_by() issues [1][2]
> that are now being reverted. Would it be an option to disable it
> globally, but only for Clang < v19 (where it looks like it'll be fixed)?
> 
> Otherwise adding __counted_by() might be a slippery slope for a long
> time and the edge cases don't seem to be that rare anymore.
> 
> Thanks,
> Thorsten
> 
> [1] https://lore.kernel.org/all/20240909162725.1805-2-thorsten.blum@toblux.com/
> [2] https://lore.kernel.org/all/20240923213809.235128-2-thorsten.blum@linux.dev/

This issue is now fixed on the llvm main branch:
https://github.com/llvm/llvm-project/commit/882457a2eedbe6d53161b2f78fcf769fc9a93e8a

So presumably this will go into 19.1.2, not sure what this means for
distros that ship clang 18. Will they have to be notified to backport
this?

Best Regards
Jan

