author: glider@google.com <glider@google.com>, 2020-06-16 10:34:35 +0200
committer: Kees Cook <keescook@chromium.org>, 2020-06-16 02:06:23 -0700
commit: f0fe00d4972a8cd4b98cc2c29758615e4d51cdfe
tree: 1dd546fb0c485cc457e571626e64a38a2372be8f /init
parent: b3a9e3b9622ae10064826dccb4f7a52bd88c7407
security: allow using Clang's zero initialization for stack variables
In addition to -ftrivial-auto-var-init=pattern (used by CONFIG_INIT_STACK_ALL now) Clang also supports zero initialization for locals enabled by -ftrivial-auto-var-init=zero. The future of this flag is still being debated (see https://bugs.llvm.org/show_bug.cgi?id=45497). Right now it is guarded by another flag, -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang, which means it may not be supported by future Clang releases. Another possible resolution is that -ftrivial-auto-var-init=zero will persist (as certain users have already started depending on it), but the name of the guard flag will change.

In the meantime, zero initialization has proven itself as a good production mitigation measure against uninitialized locals. Unlike pattern initialization, which has a higher chance of triggering existing bugs, zero initialization provides safe defaults for strings, pointers, indexes, and sizes. On the other hand, pattern initialization remains safer for return values. Chrome OS and Android are moving to using zero initialization for production builds.

Performance-wise, the difference between pattern and zero initialization is usually negligible, although the generated code for zero initialization is more compact.

This patch renames CONFIG_INIT_STACK_ALL to CONFIG_INIT_STACK_ALL_PATTERN and introduces another config option, CONFIG_INIT_STACK_ALL_ZERO, that enables zero initialization for locals if the corresponding flags are supported by Clang.

Cc: Kees Cook <keescook@chromium.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Alexander Potapenko <glider@google.com>
Link: https://lore.kernel.org/r/20200616083435.223038-1-glider@google.com
Reviewed-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
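To make the trade-off described in the commit message concrete, here is an added example that is not part of this commit or of the kernel tree. It constructs a struct of locals a programmer "forgot" to assign, fills it the way -ftrivial-auto-var-init=zero and =pattern would (the 0xAA repeat used for the pattern case is a simplification of Clang's per-type pattern and is an assumption of this example), and then runs a defensively written consumer over it. The struct layout, the consumer's checks and the 4-entry table bound are all hypothetical; the point is to show why zero yields safe defaults for strings, pointers, indexes and sizes, while pattern is the safer choice for an unassigned return value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A frame of locals the programmer never assigned. Constructed for this
 * example; the field kinds mirror those named in the commit message. */
struct locals {
    char     name[16];  /* string the callee expects to be NUL-terminated */
    char    *ptr;       /* pointer the callee checks against NULL */
    unsigned idx;       /* index into a hypothetical 4-entry table */
    size_t   len;       /* byte count a memcpy into name would use */
    int      ret;       /* status code where 0 means success */
};

enum policy { POLICY_ZERO, POLICY_PATTERN };

/* Emulate what -ftrivial-auto-var-init=zero / =pattern leave behind in a
 * frame nobody wrote to. Assumption: the pattern fill is 0xAA repeated,
 * a simplification of Clang's per-type pattern. */
static void auto_var_init(struct locals *l, enum policy p)
{
    memset(l, p == POLICY_ZERO ? 0x00 : 0xAA, sizeof *l);
}

#define USABLE_STRING  (1u << 0)
#define NULL_CAUGHT    (1u << 1)
#define INDEX_IN_RANGE (1u << 2)
#define LENGTH_SANE    (1u << 3)

/* Which of the garbage values a defensively written consumer can still
 * handle without memory corruption. Returns a bitmask of harmless fields. */
static unsigned safe_defaults(const struct locals *l)
{
    unsigned ok = 0;

    if (memchr(l->name, '\0', sizeof l->name))
        ok |= USABLE_STRING;   /* zero: ""; pattern: no terminator, strlen overruns */
    if (l->ptr == NULL)
        ok |= NULL_CAUGHT;     /* zero: NULL check fires; pattern: bogus address used */
    if (l->idx < 4)
        ok |= INDEX_IN_RANGE;  /* zero: table[0]; pattern: 0xAAAAAAAA, out of bounds */
    if (l->len <= sizeof l->name)
        ok |= LENGTH_SANE;     /* zero: copies nothing; pattern: enormous memcpy */
    return ok;
}

/* The flip side: an unassigned status code. Zero reads as "success" and
 * hides the missing assignment; the pattern value is an obviously bogus
 * negative number. Returns 1 when the bug would go unnoticed. */
static int failure_masked(const struct locals *l)
{
    return l->ret == 0;
}

/* Run the consumer against a frame initialized under the given policy. */
static unsigned run_policy(enum policy p)
{
    struct locals l;
    auto_var_init(&l, p);
    return safe_defaults(&l);
}

/* Run the return-value check against a frame initialized under the policy. */
static int run_return_check(enum policy p)
{
    struct locals l;
    auto_var_init(&l, p);
    return failure_masked(&l);
}

int main(void)
{
    printf("zero:    safe fields 0x%x, failure masked %d\n",
           run_policy(POLICY_ZERO), run_return_check(POLICY_ZERO));
    printf("pattern: safe fields 0x%x, failure masked %d\n",
           run_policy(POLICY_PATTERN), run_return_check(POLICY_PATTERN));
    return 0;
}
```

Under the zero policy all four consumer checks pass (mask 0xf) but the forgotten status code is silently taken as success; under the pattern policy none of the checks pass, yet the status code cannot be mistaken for success. That is exactly the split the commit message draws between production hardening (zero) and bug finding (pattern).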
Diffstat (limited to 'init')
-rw-r--r-- init/main.c | 12
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/init/main.c b/init/main.c
index 0ead83e86b5a..9127b240fd26 100644
--- a/init/main.c
+++ b/init/main.c
@@ -779,14 +779,16 @@ static void __init report_meminit(void)
{
const char *stack;
- if (IS_ENABLED(CONFIG_INIT_STACK_ALL))
- stack = "all";
+ if (IS_ENABLED(CONFIG_INIT_STACK_ALL_PATTERN))
+ stack = "all(pattern)";
+ else if (IS_ENABLED(CONFIG_INIT_STACK_ALL_ZERO))
+ stack = "all(zero)";
else if (IS_ENABLED(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL))
- stack = "byref_all";
+ stack = "byref_all(zero)";
else if (IS_ENABLED(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF))
- stack = "byref";
+ stack = "byref(zero)";
else if (IS_ENABLED(CONFIG_GCC_PLUGIN_STRUCTLEAK_USER))
- stack = "__user";
+ stack = "__user(zero)";
else
stack = "off";
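Review bot: the if/else-if chain in this hunk reports "all(pattern)" whenever CONFIG_INIT_STACK_ALL_PATTERN is set and only then looks at CONFIG_INIT_STACK_ALL_ZERO, so a configuration that enabled both options would be reported as pattern while the flag actually passed to Clang is not visible here; please confirm the Kconfig side makes the two options mutually exclusive (a `choice` is the usual way), and consider a short comment above `if (IS_ENABLED(CONFIG_INIT_STACK_ALL_PATTERN))` stating that the first matching mode wins. Appending "(zero)" to the three STRUCTLEAK labels is a useful documentation improvement since it tells a reader of the boot log which fill value the stack initialization actually uses.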