Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jL2TobMXH_UXasHCC2GrGrie7GOYn_J_=E23Qn_J66Ziw@mail.gmail.com>
Date: Wed, 2 Aug 2017 21:35:04 -0700
From: Kees Cook <keescook@...omium.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, 
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [RFC/RFT PATCH] gcc-plugins: force initialize auto variables
 whose addresses are taken

On Thu, Jul 6, 2017 at 4:16 PM, Kees Cook <keescook@...omium.org> wrote:
> On Thu, Jul 6, 2017 at 2:44 PM, Kees Cook <keescook@...omium.org> wrote:
>> On Thu, Jul 6, 2017 at 4:09 AM, Arnd Bergmann <arnd@...db.de> wrote:
>>> On Thu, Jul 6, 2017 at 12:13 PM, Ard Biesheuvel
>>> <ard.biesheuvel@...aro.org> wrote:
>>>> To prevent leaking stack contents in cases where it is not possible
>>>> for the compiler to figure out whether an automatic variable has been
>>>> initialized or not, add a plugin that forcibly initializes all automatic
>>>> variables of struct/union types if their address is taken at any point.
>>>>
>>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@...aro.org>
>>
>> Ard, I'd be curious what you see for "size" difference between builds
>> and if it's visible with hackbench or other things?
>
> Hm, not all that bad on the size front:
>
>    text                 data            bss                 dec
>             hex filename
> 10950705        5592525 13955072        30498302        1d15dfe vmlinux
> 11048035        5592365 13955072        30595472        1d2d990
> vmlinux.initautobyref
>
> And yes, as expected, wow there are a lot of notices in verbose mode. ;)
>
> My pet favorite, from the NAKed patch I sent forever ago, is covered
> (as expected):
>
> net/socket.c: In function ‘SYSC_getsockname’:
> net/socket.c:1605:26: note: auto variable will be forcibly initialized
>   struct sockaddr_storage address;
>                           ^~~~~~~

While this was an RFC, it seems to work well and, as Daniel mentioned,
provides another benchmark for future optimizations of this kind of
protection. Besides the COMPILE_TEST change already discussed, any
other changes or objections before I carry this in -next?

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.