Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1098966ybt; Sun, 14 Jun 2020 10:18:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwv7PRvPcgtntN+mOmDH/r704VN0WiAkh1IvH897C2VviNC31D4w7bE2QeIqupGqYnLz3yz X-Received: by 2002:a17:906:1804:: with SMTP id v4mr21555283eje.104.1592155133205; Sun, 14 Jun 2020 10:18:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592155133; cv=none; d=google.com; s=arc-20160816; b=etWn+H+/qPdJAF/miC4B2fEzV3rqPBcddwjY83Qnvj/m7KjbnQ6Pd2b7L1RDMzRtQd zy1IUNf0X3K+Zw3+9HpZbPR9B39a2dSN5W6P8haGCQluSuwnmlZIAFbBxv+EDDNQE1Gn 3+qL7n+qhosIkEXJaW25A4G2rIYbeW+RWRad3YCdzEA7jltnYBV/R8/EG0qX4zCKos0O SYgRi73RzJYjm8sfmNVx5WSP7TegZN/D0TZjSkIbgZ5vgRZq7lQwqrdMJzWfpQM9XjRT jv+AWSflntF8eZOkLfSGcpmLkYJgfefLiMniJpMsgpDxOZwKXW2y01eRnMCzgPXOSxyA c7Gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=1NB/Urk4sJ7NmljdwQD2Dnqq/4/xbrUeJIHIJ24wA9w=; b=JAfgoW5YURumFhdjKpKIah/m07cyxW6ptA1VXh1PnKwYsyx5D19rW4fyZv3Qj0T/Zb CKSHG2T37pVAfyLYoxenU7yCWsJLeL7u0QSKHcJ3WQXUM7rWYM4dE2Jqj0OYu5zKaXUe MvZ20g2tQCoWaAjyMjj0LgkYeiHZEZAGnS8pGPzzF8/ly6DbX1CEHzm5Ju1Gj1i+87/j DpKE6OZB5l0shvoxyLsDJVBXBC62/X7NViejfxZ3kR9hRHGwgxu1wyTeY9E1H4bCPwKp AlMrnssCGk/w2sOwR3aXFye/wiDvlQpR7MlxTaoZLCN9XOcjNiF9ZdmG/LSWLKnDUcjA VAWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=QAHhEFxe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u20si6967192edq.15.2020.06.14.10.18.30; Sun, 14 Jun 2020 10:18:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=QAHhEFxe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727001AbgFNRQu (ORCPT + 99 others); Sun, 14 Jun 2020 13:16:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40450 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726966AbgFNRQs (ORCPT ); Sun, 14 Jun 2020 13:16:48 -0400 Received: from mail-wm1-x342.google.com (mail-wm1-x342.google.com [IPv6:2a00:1450:4864:20::342]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C1B9DC03E969 for ; Sun, 14 Jun 2020 10:16:46 -0700 (PDT) Received: by mail-wm1-x342.google.com with SMTP id g10so12358365wmh.4 for ; Sun, 14 Jun 2020 10:16:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1NB/Urk4sJ7NmljdwQD2Dnqq/4/xbrUeJIHIJ24wA9w=; b=QAHhEFxeJmo0Om8T1XowjgXKEOtxoTEUtMZtDrPDZ16145txGi0czO09BgNHN6gHKc Hqng+qmsvf0PiYElL5AYpW0PlOZar/aOBcvHd1iMzOfCMA9Qz5zA50S1NrmxuZ/DueoO F20OgRGR60ysi4D1Xieo5pYVvVpPUfFqsXIKHRmamJAxD18hB+RXmqa5K2JpeAmJJG3/ lzF83lZZPc62cgwg67PFw60FRz0XJm1BqWuzxfS3qFVm+NNwvel93rCRiQB+E+araGBV YaJ/eOuO7WhyU6kpAYespn4cTCZcBG8/JnTgfH/6xHCHA53xX36xR4Ing06Qdw9Q7p6i Ed1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1NB/Urk4sJ7NmljdwQD2Dnqq/4/xbrUeJIHIJ24wA9w=; b=d8h6OUBlrEfQCxQDfEIGUwxXwe6eKKFOkQ14jLAoZ61LSs5hknRTdUjICYvivQGLxp VDJU44ehiKW6UT84a1ZcOwBb8RQtTnQB63Ricb5G++kPsMFHKA94Aa8X+SF1fhEgoyS9 Xv/XldEZZ01jdrZcQlSyWJSi2jkC+l0I9blIg49MiUSUxFbm5kQkg2Fxh5FsO5Sb9dJm PaDaEnrVDpmZm0P4ZvYvPb6FreM91AGaju35nzTpMsim39o/2I+xzSCS7KOwAUjsAsac j/qNmaBsWhQZ2fol/e0lSqij6PeFMbaRPElFzIyWuN55Dv+1Wn5aQHEB8rZ0XG8Paztj QT1g== X-Gm-Message-State: AOAM533jbcYAj4iXar0sfAJsQnTjedpcKbnkU93Vk3rhTW100EYs/vyI otg6q9v3Ixki/SAp/VC2mOne80+baIh9TZwMY4l9RQ== X-Received: by 2002:a1c:2082:: with SMTP id g124mr9383717wmg.21.1592155004853; Sun, 14 Jun 2020 10:16:44 -0700 (PDT) MIME-Version: 1.0 References: <20200614144534.237035-1-glider@google.com> <202006141000.B93DF245@keescook> In-Reply-To: <202006141000.B93DF245@keescook> From: Alexander Potapenko Date: Sun, 14 Jun 2020 19:16:33 +0200 Message-ID: Subject: Re: [PATCH] [RFC] security: allow using Clang's zero initialization for stack variables To: Kees Cook Cc: Masahiro Yamada , James Morris , =?UTF-8?Q?Maciej_=C5=BBenczykowski?= , Nick Desaulniers , linux-security-module , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jun 14, 2020 at 7:04 PM Kees Cook wrote: > > On Sun, Jun 14, 2020 at 04:45:34PM +0200, glider@google.com wrote: > > In addition to -ftrivial-auto-var-init=pattern (used by > > CONFIG_INIT_STACK_ALL now) Clang also supports zero initialization for > > locals enabled by -ftrivial-auto-var-init=zero. > > The future of this flag is still being debated, see > > https://bugs.llvm.org/show_bug.cgi?id=45497 > > Right now it is guarded by another flag, > > -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang, > > which means it may not be supported by future Clang releases. > > Another possible resolution is that -ftrivial-auto-var-init=zero will > > persist (as certain users have already started depending on it), but the > > name of the guard flag will change. > > > > In the meantime, zero initialization has proven itself as a good > > production mitigation measure against uninitialized locals. Unlike > > pattern initialization, which has a higher chance of triggering existing > > bugs, zero initialization provides safe defaults for strings, pointers, > > indexes, and sizes. On the other hand, pattern initialization remains > > safer for return values. > > Performance-wise, the difference between pattern and zero initialization > > is usually negligible, although the generated code for zero > > initialization is more compact. > > > > The proposed config, CONFIG_USE_CLANG_ZERO_INITIALIZATION, makes > > CONFIG_INIT_STACK_ALL use zero initialization if the corresponding flags > > are supported by Clang. > > > > Cc: Kees Cook > > Cc: Nick Desaulniers > > Signed-off-by: Alexander Potapenko > > --- > > Makefile | 15 ++++++++++++++- > > security/Kconfig.hardening | 16 ++++++++++++++++ > > 2 files changed, 30 insertions(+), 1 deletion(-) > > > > diff --git a/Makefile b/Makefile > > index fd31992bf918..2860bad7e39a 100644 > > --- a/Makefile > > +++ b/Makefile > > @@ -802,9 +802,22 @@ KBUILD_CFLAGS += -fomit-frame-pointer > > endif > > endif > > > > -# Initialize all stack variables with a pattern, if desired. > > +# Initialize all stack variables, if desired. > > ifdef CONFIG_INIT_STACK_ALL > > + > > +# Use pattern initialization by default. > > +ifndef CONFIG_USE_CLANG_ZERO_INITIALIZATION > > KBUILD_CFLAGS += -ftrivial-auto-var-init=pattern > > +else > > + > > +ifdef CONFIG_CC_HAS_AUTO_VAR_ZERO_INIT > > +# Future support for zero initialization is still being debated, see > > +# https://bugs.llvm.org/show_bug.cgi?id=45497. These flags are subject to being > > +# renamed or dropped. > > +KBUILD_CFLAGS += -ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang > > +endif > > + > > +endif > > endif > > I'd prefer this be split instead of built as a nested if (i.e. entirely > control section via the Kconfig -- see below). > > > > > DEBUG_CFLAGS := $(call cc-option, -fno-var-tracking-assignments) > > diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening > > index af4c979b38ee..299d27c6d78c 100644 > > --- a/security/Kconfig.hardening > > +++ b/security/Kconfig.hardening > > @@ -22,6 +22,9 @@ menu "Memory initialization" > > config CC_HAS_AUTO_VAR_INIT > > def_bool $(cc-option,-ftrivial-auto-var-init=pattern) > > > > +config CC_HAS_AUTO_VAR_ZERO_INIT > > + def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang) > > + > > I'd like to be more specific here. Let's rename CC_HAS_AUTO_VAR_INIT to > CC_HAS_AUTO_VAR_INIT_PATTERN, and change the other to > CC_HAS_AUTO_VAR_INIT_ZERO (they then both match the word order of the > option, and the thing that changes is the last word). > > > choice > > prompt "Initialize kernel stack variables at function entry" > > default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS > > @@ -100,6 +103,19 @@ choice > > > > endchoice > > > > +config USE_CLANG_ZERO_INITIALIZATION > > + bool "Use Clang's zero initialization for local variables" > > + depends on CC_HAS_AUTO_VAR_ZERO_INIT > > + depends on INIT_STACK_ALL > > + help > > + If set, uses zeros instead of 0xAA to initialize local variables in > > + INIT_STACK_ALL. Zeroing the stack provides safer defaults for strings, > > + pointers, indexes, and sizes. The downsides are less-safe defaults for > > + return values, and exposing fewer bugs where the underlying code > > + relies on zero initialization. > > + The corresponding flag isn't officially supported by Clang and may > > + sooner or later go away or get renamed. > > + > > Similarly, I'd like to rename INIT_STACK_ALL to INIT_STACK_ALL_PATTERN > and then add INIT_STACK_ALL_ZERO. What are the policies regarding keeping the existing config flags? Don't we need to preserve INIT_STACK_ALL?