From: "Maciej Żenczykowski" <maze@google.com>
To: Alexander Potapenko <glider@google.com>
Cc: yamada.masahiro@socionext.com, Kees Cook <keescook@chromium.org>,
jmorris@namei.org, Nick Desaulniers <ndesaulniers@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-security-module@vger.kernel.org,
Kernel hackers <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] [RFC] security: allow using Clang's zero initialization for stack variables
Date: Tue, 16 Jun 2020 01:41:31 -0700 [thread overview]
Message-ID: <CANP3RGfGThsMOyi2faZmWb5S8tner-aQOsppP=_1+Fm0TDO95w@mail.gmail.com> (raw)
In-Reply-To: <20200616083435.223038-1-glider@google.com>
> In addition to -ftrivial-auto-var-init=pattern (used by
> CONFIG_INIT_STACK_ALL now) Clang also supports zero initialization for
> locals enabled by -ftrivial-auto-var-init=zero.
> The future of this flag is still being debated, see
> https://bugs.llvm.org/show_bug.cgi?id=45497
> Right now it is guarded by another flag,
> -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang,
> which means it may not be supported by future Clang releases.
> Another possible resolution is that -ftrivial-auto-var-init=zero will
> persist (as certain users have already started depending on it), but the
> name of the guard flag will change.
>
> In the meantime, zero initialization has proven itself as a good
> production mitigation measure against uninitialized locals. Unlike
> pattern initialization, which has a higher chance of triggering existing
> bugs, zero initialization provides safe defaults for strings, pointers,
> indexes, and sizes. On the other hand, pattern initialization remains
> safer for return values.
> Performance-wise, the difference between pattern and zero initialization
> is usually negligible, although the generated code for zero
> initialization is more compact.
>
> This patch renames CONFIG_INIT_STACK_ALL to
> CONFIG_INIT_STACK_ALL_PATTERN and introduces another config option,
> CONFIG_INIT_STACK_ALL_ZERO, that enables zero initialization for locals
> if the corresponding flags are supported by Clang.
I'm a great fan of zero initialization as opposed to pattern.
I don't understand why clang is refusing to make this a supported option.
Anyway:
Reviewed-by: Maciej Żenczykowski <maze@google.com>
next prev parent reply other threads:[~2020-06-16 8:41 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-16 8:34 [PATCH v2] [RFC] security: allow using Clang's zero initialization for stack variables glider
2020-06-16 8:41 ` Maciej Żenczykowski [this message]
2020-06-16 9:08 ` Kees Cook
2020-06-16 10:03 ` Greg KH
2020-06-16 10:19 ` Maciej Żenczykowski
2020-06-16 12:05 ` Alexander Potapenko
2020-06-16 12:15 ` Alexander Potapenko
2020-06-16 12:20 ` Maciej Żenczykowski
2020-06-16 16:18 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANP3RGfGThsMOyi2faZmWb5S8tner-aQOsppP=_1+Fm0TDO95w@mail.gmail.com' \
--to=maze@google.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=ndesaulniers@google.com \
--cc=yamada.masahiro@socionext.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).