Hello,
On Thursday, January 20, 2022 5:56:04 PM EST Marek Polacek wrote:
> > Are there plans to enable this flag so that all applications, but more
> > importantly the kernel, are hardened against uninitialized stack
> > variables? This is one of the major classes of security bugs that
> > could potentially be eliminated during this mass rebuild.
>
> There are currently no plans that I am aware of that involve turning on
> '-ftrivial-auto-var-init=zero' in the short term for Fedora. CC'ing Jakub
> and Marek to comment.
Also not aware of any plans to always enable it.
I think we should consider it. I'll start a new thread so that the topic is
clearer.
> It is something that should be discussed, turned on in Rawhide first,
> and likely via redhat-rpm-config default flags first, and then we should
> fix any fallout.
>
> I'd only be comfortable if we did it early and worked through the
> consequences. So it could be something to discuss for F37.
Right. It reminds me of MALLOC_PERTURB_, but for automatic variables.
Obviously it's always important to measure its slowdown (maybe run a SPEC
benchmark) / compile time / stack usage. Some of it has been done:
https://gcc.gnu.org/pipermail/gcc-patches/2021-January/562872.html
but that was an early version of the patch. Still, it seems like it'd be
acceptable.
It's a new feature, only present in GCC 12 (which hasn't been released as
of now), so I think it needs more testing before it could be (considered
to be) enabled by default.
That's fine. I think F37 is a good target.
A good thing is that it doesn't suppress the -Wuninitialized warning so
you still get a chance to fix your bugs. It also comes with an attribute
to keep variables uninitialized even when the option is turned on.
From what I've seen it's the kernel that would most benefit from the option,
and it looks like it already has support for it:
CONFIG_INIT_STACK_ALL_ZERO
CONFIG_INIT_STACK_ALL_PATTERN
so maybe it's enough to enable it for the kernel. Or start there, see how
it does, then add it to our hardening flags.
Unless it's been reworked to also allow gcc, this was a clang-only option.
There are a number of distributions that use clang as the compiler for the
whole project. But let's discuss this in a separate thread about this topic.
Best Regards,
-Steve
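Added example, not code from this thread, from GCC or from the kernel: a constructed C record whose partial initialization leaks stale stack bytes through padding and an unused array tail (the bug class discussed above), the explicitly zeroed form that -ftrivial-auto-var-init=zero would produce implicitly, and a buffer opted out with the GCC 12 `uninitialized` attribute mentioned above. The KEEP_UNINIT macro, `struct record`, the field values and the 0xAA poison are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* GCC 12 opt-out attribute for -ftrivial-auto-var-init; empty on other compilers. */
#ifdef __has_attribute
#  if __has_attribute(uninitialized)
#    define KEEP_UNINIT __attribute__((uninitialized))
#  endif
#endif
#ifndef KEEP_UNINIT
#  define KEEP_UNINIT
#endif

/* Constructed record: padding follows 'flag' on common ABIs; only name[0..1] is ever assigned. */
struct record { uint8_t flag; uint32_t id; char name[8]; };
static void fill_fields(struct record *r) {
    r->flag = 1; r->id = 42; r->name[0] = 'a'; r->name[1] = '\0';
}

/* Vulnerable: a partially filled struct copied out whole. Without the flag the
 * padding and name[2..7] carry stale stack contents; -Wuninitialized typically stays silent. */
size_t serialize_leaky(uint8_t *out) {
    struct record r;                  /* deliberately left uninitialized */
    fill_fields(&r);
    memcpy(out, &r, sizeof r);
    return sizeof r;
}

/* Hardened: zero the object first, which is what the flag does implicitly. */
size_t serialize_zeroed(uint8_t *out) {
    struct record r;
    memset(&r, 0, sizeof r);
    fill_fields(&r);
    memcpy(out, &r, sizeof r);
    return sizeof r;
}

/* Returns 1 if every byte the serializer never assigned came out zero. The buffer
 * is poisoned before any read, so it can safely opt out of automatic zeroing. */
int unassigned_bytes_are_zero(size_t (*fn)(uint8_t *)) {
    uint8_t buf[sizeof(struct record)] KEEP_UNINIT;
    memset(buf, 0xAA, sizeof buf);
    if (fn(buf) != sizeof buf) return 0;
    for (size_t i = 1; i < offsetof(struct record, id); i++)
        if (buf[i] != 0) return 0;                       /* padding after flag */
    for (size_t i = offsetof(struct record, name) + 2; i < sizeof buf; i++)
        if (buf[i] != 0) return 0;                       /* unused tail of name */
    return 1;
}
```

Running the checker against serialize_leaky is nondeterministic by construction, which is exactly why such leaks survive testing until the compiler zeroes the stack for you.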