Linux 5.15 Working Towards Comprehensive Compile-Time & Run-Time Detection Of Buffer Overflows

Written by Michael Larabel in Linux Security on 3 September 2021 at 07:17 AM EDT.
The latest security effort being pursued by Google's Kees Cook is to provide full compile-time and run-time coverage of all detectable buffer overflows.

This compile/run-time detection of buffer overflows for the Linux kernel would include coverage of such overflows via array indexing or memcpy(), memmove(), and memset() while the str*() functions already boast full coverage.
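As an added illustration (not kernel code and not from the article), the C sketch below shows one way a run-time memcpy() bounds check can be built on the GCC/Clang builtin `__builtin_object_size`, and why checking against the destination member rather than the whole enclosing object matters. `struct account`, `CHECKED_MEMCPY`, `set_name` and the sample input are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: bytes written past name[] land in is_admin. */
struct account {
    char name[8];
    unsigned int is_admin;
};

static struct account acct;                          /* constructed sample object */
static const char sample_input[12] = "AAAAAAAAAAA";  /* constructed 12-byte input */

enum { COPY_OK = 0, COPY_REJECTED = -1 };

/* Mode 0: bytes from name[] to the end of the enclosing object (all of acct). */
size_t whole_object_bound(void) { return __builtin_object_size(acct.name, 0); }

/* Mode 1: bytes in the name[] member alone. */
size_t member_bound(void) { return __builtin_object_size(acct.name, 1); }

/*
 * Hypothetical helper, not a kernel API: reject a copy longer than the
 * destination member. The builtin yields (size_t)-1 when the size is
 * unknown, so such copies cannot be checked and go through.
 */
#define CHECKED_MEMCPY(dst, src, len)                      \
    (((size_t)(len) > __builtin_object_size((dst), 1))     \
         ? COPY_REJECTED                                   \
         : (memcpy((dst), (src), (len)), COPY_OK))

/* Run-time checked write into acct.name; len is only known at run time. */
int set_name(const void *src, size_t len)
{
    return CHECKED_MEMCPY(acct.name, src, len);
}

int main(void)
{
    printf("whole-object bound: %zu, member bound: %zu\n",
           whole_object_bound(), member_bound());
    printf("8-byte copy:  %d\n", set_name(sample_input, 8));
    printf("12-byte copy: %d (is_admin still %u)\n",
           set_name(sample_input, sizeof sample_input), acct.is_admin);
    return 0;
}
```

A check against the mode 0 bound would accept any copy that fits inside `acct` as a whole, including one that runs from `name[]` into `is_admin`; only the member bound rejects it.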

Kernel developers have been working towards this goal for some time, and Linux 5.15 brings a big batch of buffer overflow detection improvements, including some new common helpers along with other low-level improvements.

Kees Cook noted with the overflow update, "After this series (and the changes that have now landed via netdev and usb), we are so very close to finally being able to build with -Warray-bounds and -Wzero-length-bounds. However, due to two recently found corner cases in GCC[3] and Clang[4], I have not included the last two patches that turn on these options, as I don't want to introduce any known warnings to the build. I am expecting to solve them before rc2, though, so hopefully there will be a small follow-up to this series before then."