From: Dan Carpenter <dan.carpenter@oracle.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: "devicetree@vger.kernel.org" <devicetree@vger.kernel.org>,
"kbuild-all@lists.01.org" <kbuild-all@lists.01.org>,
"lkp@intel.com" <lkp@intel.com>,
"robh@kernel.org" <robh@kernel.org>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
"bauerman@linux.ibm.com" <bauerman@linux.ibm.com>,
'Daniel Axtens' <dja@axtens.net>
Subject: Re: [PATCH] powerpc: Initialize local variable fdt to NULL in elf64_load()
Date: Thu, 22 Apr 2021 12:34:24 +0300 [thread overview]
Message-ID: <20210422093424.GL1959@kadam> (raw)
In-Reply-To: <3e6b31d92d5042d982daeb989e49299e@AcuMS.aculab.com>
On Thu, Apr 22, 2021 at 08:05:27AM +0000, David Laight wrote:
> From: Daniel Axtens
> > Sent: 22 April 2021 03:21
> >
> > > Hi Lakshmi,
> > >
> > >> On 4/15/21 12:14 PM, Lakshmi Ramasubramanian wrote:
> > >>
> > >> Sorry - missed copying device-tree and powerpc mailing lists.
> > >>
> > >>> There are a few "goto out;" statements before the local variable "fdt"
> > >>> is initialized through the call to of_kexec_alloc_and_setup_fdt() in
> > >>> elf64_load(). This will result in an uninitialized "fdt" being passed
> > >>> to kvfree() in this function if there is an error before the call to
> > >>> of_kexec_alloc_and_setup_fdt().
> > >>>
> > >>> Initialize the local variable "fdt" to NULL.
> > >>>
> > > I'm a huge fan of initialising local variables! But I'm struggling to
> > > find the code path that will lead to an uninit fdt being returned...
> >
> > OK, so perhaps this was putting it too strongly. I have been bitten
> > by uninitialised things enough in C that I may have taken a slightly
> > overly-aggressive view of fixing them in the source rather than the
> > compiler. I do think compiler-level mitigations are better, and I take
> > the point that we don't want to defeat compiler checking.
> >
> > (Does anyone - and by anyone I mean any large distro - compile with
> > local variables inited by the compiler?)
>
> There are compilers that initialise locals to zero for 'debug' builds
> and leave the 'random' for optimised 'release' builds.
> Let's not test what we are releasing!
We're eventually going to move to a world where initializing to zero
is the default for the kernel. I think people will still want to
initialize to a poison value for debug builds.
Initializing to zero is better for debugging because it's more
predictable. And it avoids information leaks. And dereferencing random
uninitialized pointers is a privilege escalation but dereferencing a
NULL is just an Oops.
The speed impact is not very significant because (conceptually) it only
needs to be done where there is a compiler warning about uninitialized
variables. It's slightly more complicated in real life. In this case,
the compiler doesn't know what happens inside the kexec_build_elf_info()
function so it silences the warning. And GCC silences warnings if the
variable is initialized inside a loop even when it doesn't know that we
enter the loop.
regards,
dan carpenter
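A constructed C model of the error-path shape Lakshmi describes (several "goto out;" before fdt is assigned, kvfree(fdt) at out:) together with the zero-versus-poison point in Dan's reply; this is added here and is not the patch or the kernel source. load_image(), fake_kvfree(), PTR_INIT and the DEBUG_POISON_LOCALS switch are invented names for the example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of the elf64_load() error paths discussed in the thread;
 * load_image, fake_kvfree and PTR_INIT are invented for this example. */
#define POISON_PTR ((void *)(uintptr_t)0xdeadbeefdeadbeefULL)
#ifdef DEBUG_POISON_LOCALS
#define PTR_INIT POISON_PTR   /* debug build: poison, so a stray free is loud */
#else
#define PTR_INIT NULL         /* default: zero, so a stray free is a no-op */
#endif

enum { LOAD_OK = 0, LOAD_EINVAL = -22, LOAD_ENOMEM = -12 };
static void *g_last_freed;    /* what out: handed to fake_kvfree() */
static int g_bad_free;        /* set if a never-allocated pointer was freed */

/* Stand-in for kvfree(): NULL is a no-op; a poison value would crash the real
 * allocator, here it is only recorded so the test can observe it. */
static void fake_kvfree(void *p)
{
	g_last_freed = p;
	if (p == POISON_PTR) {
		g_bad_free = 1;
		return;
	}
	free(p);
}

/* Same shape as the patched function: two "goto out;" paths run before fdt
 * is assigned, and out: frees fdt on every path. */
static int load_image(int header_ok, int alloc_fails, void **image_out)
{
	void *fdt = PTR_INIT;   /* the one-line fix under discussion */
	int ret;

	*image_out = NULL;
	g_bad_free = 0;
	if (!header_ok) {
		ret = LOAD_EINVAL;
		goto out;       /* error before fdt is ever written */
	}
	fdt = alloc_fails ? NULL : malloc(64); /* stands in for of_kexec_alloc_and_setup_fdt() */
	if (!fdt) {
		ret = LOAD_ENOMEM;
		goto out;
	}
	*image_out = fdt;       /* caller now owns the buffer */
	fdt = NULL;
	ret = LOAD_OK;
out:
	fake_kvfree(fdt);       /* safe only because every path leaves fdt NULL or live */
	return ret;
}
```

Build with -DDEBUG_POISON_LOCALS to see the debug-build variant: the early-error paths then hand the poison value to the cleanup, which is exactly the bug the NULL initialisation hides in a release build.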