Linux 5.15 Working Towards Comprehensive Compile-Time & Run-Time Detection Of Buffer Overflows
This compile/run-time detection of buffer overflows for the Linux kernel would include coverage of such overflows via array indexing or memcpy(), memmove(), and memset() while the str*() functions already boast full coverage.
Kernel developers have been working towards this mission for some time while in Linux 5.15 is a big batch of the buffer overflow detection improvements, including some new common helpers along with other low-level improvements.
Kees Cook noted with the overflow update, "After this series (and the changes that have now landed via netdev and usb), we are so very close to finally being able to build with -Warray-bounds and -Wzero-length-bounds. However, due two recently found corner cases in GCC and Clang, I have not included the last two patches that turn on these options, as I don't want to introduce any known warnings to the build. I am expecting to solve them before rc2, though, so hopefully there will be a small follow-up to this series before then."