lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20251119224426.work.380-kees@kernel.org>
Date: Wed, 19 Nov 2025 14:44:31 -0800
From: Kees Cook <kees@...nel.org>
To: "Gustavo A . R . Silva" <gustavoars@...nel.org>
Cc: Kees Cook <kees@...nel.org>,
	Nathan Chancellor <nathan@...nel.org>,
	Nicolas Schier <nicolas.schier@...ux.dev>,
	Masahiro Yamada <masahiroy@...nel.org>,
	Miguel Ojeda <ojeda@...nel.org>,
	linux-kbuild@...r.kernel.org,
	Thomas Weißschuh <thomas.weissschuh@...utronix.de>,
	Tamir Duberstein <tamird@...il.com>,
	linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: [PATCH] kbuild: Enable GCC diagnostic context for value-tracking warnings

Enable GCC 16's coming "-fdiagnostics-show-context=2" option[1] to
provide enhanced diagnostic information for value-tracking warnings, which
displays the control flow chain leading to the diagnostic. This covers our
existing use of -Wrestrict and -Wstringop-overread, and gets us closer to
enabling -Warray-bounds, -Wstringop-overflow, and -Wstringop-truncation.

The context depth of 2 provides the immediate decision path that led to
the problematic code location, showing conditional checks and branch
decisions that caused the warning. This will help us understand why
GCC's value-tracking analysis triggered the warning and makes it easier
to determine whether warnings are legitimate issues or false positives.

For example, an array bounds warning will now show the conditional
statements (like "if (i >= 4)") that established the out-of-bounds access
range, directly connecting the control flow to the warning location.
This is particularly valuable when GCC's interprocedural analysis can
generate warnings that are difficult to understand without seeing the
inferred control flow.

Link: https://github.com/gcc-mirror/gcc/commit/6faa3cfe60ff9769d1bebfffdd2c7325217d7389 [1]
Signed-off-by: Kees Cook <kees@...nel.org>
---
Cc: Gustavo A. R. Silva <gustavoars@...nel.org>
Cc: Nathan Chancellor <nathan@...nel.org>
Cc: Nicolas Schier <nicolas.schier@...ux.dev>
Cc: Masahiro Yamada <masahiroy@...nel.org>
Cc: Miguel Ojeda <ojeda@...nel.org>
Cc: <linux-kbuild@...r.kernel.org>
---
 Makefile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Makefile b/Makefile
index d14824792227..d97452441cd0 100644
--- a/Makefile
+++ b/Makefile
@@ -940,6 +940,9 @@ KBUILD_CFLAGS += $(call cc-option,-fzero-init-padding-bits=all)
 # for the randomize_kstack_offset feature. Disable it for all compilers.
 KBUILD_CFLAGS	+= $(call cc-option, -fno-stack-clash-protection)
 
+# Get details on warnings generated due to GCC value tracking.
+KBUILD_CFLAGS	+= $(call cc-option, -fdiagnostics-show-context=2)
+
 # Clear used registers at func exit (to reduce data lifetime and ROP gadgets).
 ifdef CONFIG_ZERO_CALL_USED_REGS
 KBUILD_CFLAGS	+= -fzero-call-used-regs=used-gpr
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ