Re: [kernel-hardening] Re: [RFC/RFT PATCH] gcc-plugins: force initialize auto variables whose addresses are taken

[Daniel Micay <danielmicay@gmail.com>]

On Fri, 2017-07-07 at 00:08 +0200, Arnd Bergmann wrote:
> On Thu, Jul 6, 2017 at 1:25 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> > On Thu, Jul 6, 2017 at 1:09 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> > > On Thu, Jul 6, 2017 at 12:13 PM, Ard Biesheuvel
> > 
> > Sorry, bad example, that one is a bit less undefined than
> > I thought, as it will produce the same result every time,
> > regardless of the stack contents. I'll try to come up
> > with another test program instead.
> 
> I've tried a few more things, but couldn't actually come up with an
> example
> that ends up using uninitialized stack values without also warning
> about it,
> so your plugin may actually cover the most important cases.
> 
> The remaining cases I found are either uninitialized uses that we get
> a compile-time warning for, or other kinds of undefined behavior
> (as in my earlier example).
> 
>          Arnd

The compiler will optimize out zeroing that's clearly redundant, so zero
initialization of all uninitialized variables is not really all of them
but rather the set that the compiler thinks could be used before they
get initialized. It makes sense to have that as an option. It's an
aggressive non-heuristic-based approach and yet it isn't as heavy as it
seems due to optimization.

It also provides another baseline to compare a heuristic against. No
automatic zeroing vs. all uninitialized variables zeroed vs. proposed
heuristic. Definitely worth including even if the main purpose is to
figure what's *not* being covered by chosen heuristics, especially after
optimization where they'll be more similar. You could find the cases
you're talking about by comparing the generated code with the zeroing
guided by the reference taken heuristic.