References: <20190212180441.15340-1-keescook@chromium.org> <20190212180441.15340-2-keescook@chromium.org>
From: Kees Cook
Date: Wed, 13 Mar 2019 12:01:38 -0700
Subject: Re: [PATCH 1/2] gcc-plugins: structleak: Generalize to all variable types
To: Alexander Popov
Cc: LKML, Emese Revfy, Ard Biesheuvel, Laura Abbott, Jann Horn, Alexander Potapenko, Kernel Hardening, Arnd Bergmann, Geert Uytterhoeven

On Mon, Mar 11, 2019 at 4:05 PM Alexander Popov wrote:
> Hello Kees, hello everyone,
>
> On 12.02.2019 21:04, Kees Cook wrote:
> > Building with CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL should give the
> > kernel complete initialization coverage of all stack variables passed
> > by reference, including padding (see lib/test_stackinit.c).
>
> I would like to note that new STRUCTLEAK_BYREF_ALL initializes *less* stack
> variables than STACKINIT, that was introduced earlier:
> https://www.openwall.com/lists/kernel-hardening/2019/01/23/3
>
> Citing the patches:
> - the STACKINIT plugin "attempts to perform unconditional initialization of all
> stack variables";
> - the STRUCTLEAK_BYREF_ALL feature "gives the kernel complete initialization
> coverage of all stack variables passed by reference".

That's true, yes. STACKINIT was a port of Florian's patch to gcc which
looked only for missing initialization. However, this collides with
warnings about missing initialization. :)

So, given the case that the kernel builds with -Wuninitialized and
-Wmaybe-uninitialized, the preferred method of dealing with
non-by-reference missed initializations is to fix the code itself.
(i.e. kernel builds are expected to build without warnings.) It's only
the byref cases that there is no warning (and most authors refuse to
initialize such cases).

Have there been security flaws where gcc failed to warn a missed
initialization that wasn't a byref case?

> I.e. stack variables not passed by reference are not initialized by
> STRUCTLEAK_BYREF_ALL.

Correct.

> Kees, what do you think about adding such cases to your lib/test_stackinit.c?
> This simple example demonstrates the idea:
>
>
> diff --git a/lib/test_stackinit.c b/lib/test_stackinit.c > index 13115b6..f9ef313 100644 > --- a/lib/test_stackinit.c > +++ b/lib/test_stackinit.c > @@ -320,9 +320,18 @@ static noinline __init int leaf_switch_2_none(unsign= ed long sp, bool fill, > DEFINE_TEST_DRIVER(switch_1_none, uint64_t, SCALAR); > DEFINE_TEST_DRIVER(switch_2_none, uint64_t, SCALAR); > > +struct x { > + int x1; > + int x2; > + int x3; > +}; > + > static int __init test_stackinit_init(void) > { > unsigned int failures =3D 0; > + struct x _x; > + > + printk("uninitialized struct fields sum: %d\n", _x.x1 + _x.x2 + _= x.x3);

This would trip the build warnings:

In file included from ./include/linux/kernel.h:15:0,
                 from lib/test_stackinit.c:9:
lib/test_stackinit.c: In function ‘test_stackinit_init’:
./include/linux/printk.h:309:2: warning: ‘__x.x1’ is used
uninitialized in this function [-Wuninitialized]
  printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
  ^~~~~~

but those could be silenced for this object specifically if we really
wanted to add it.

I think it'd be fine to add this to the test, but it's a known state,
though, so I hadn't bothered with it.

-- 
Kees Cook
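
Review bot: In the test_stackinit_init() hunk of the quoted lib/test_stackinit.c patch, the new printk() only logs the sum of the `_x` fields and never updates `failures`, so this case cannot make the test fail, and a sum of zero can also come from non-zero fields that cancel out. Consider checking each field and incrementing `failures` on a non-zero value, or expressing the case through the same DEFINE_TEST_DRIVER pattern as the switch_1_none/switch_2_none entries just above it. The bare printk() also carries no log level, and the direct read of `_x` is what trips the -Wuninitialized warning quoted in the reply, so it would need a suppression scoped to this one object.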
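
The by-reference case discussed in this thread, as an added userspace example (not code from the thread or from the kernel tree): the caller passes the address of a stack struct to a helper, so gcc has nothing to warn about in the caller, yet the padding is never written. `struct report`, `fill_report`, `export_report` and `dirty_padding` are hypothetical names, and the `memset` only models the effect of automatic by-reference initialization.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical struct: on common ABIs there is padding between tag and value. */
struct report { char tag; long value; };

#define PAD_START (offsetof(struct report, tag) + sizeof(char))
#define PAD_END   offsetof(struct report, value)

/* The callee writes only the named members. The caller hands over the
 * address, so -Wuninitialized / -Wmaybe-uninitialized stay silent there. */
static void fill_report(struct report *r)
{
    r->tag = 'A';
    r->value = 42;
}

/* Stand-in for copying a stack object across a trust boundary.
 * zero_first models the effect of by-reference auto-initialization. */
static size_t export_report(unsigned char *out, int zero_first)
{
    struct report r;

    if (zero_first)
        memset(&r, 0, sizeof(r));   /* covers members and padding */
    fill_report(&r);
    memcpy(out, &r, sizeof(r));     /* without zero_first: stale stack in padding */
    return sizeof(r);
}

/* Count non-zero padding bytes in an exported image. */
static size_t dirty_padding(const unsigned char *img)
{
    size_t i, n = 0;

    for (i = PAD_START; i < PAD_END; i++)
        n += img[i] != 0;
    return n;
}

int main(void)
{
    unsigned char img[sizeof(struct report)];

    export_report(img, 1);
    printf("dirty padding bytes after zero-init: %zu\n", dirty_padding(img));
    return 0;
}
```

Calling `export_report(img, 0)` instead copies whatever the stack held into the padding bytes, so its result varies from run to run.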