Merge tag 'var-init-v5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull automatic variable initialization updates from Kees Cook: "This adds the "zero" init option from Clang, which is being used widely in production builds of Android and Chrome OS (though it also keeps the "pattern" init, which is better for debug builds). - Introduce CONFIG_INIT_STACK_ALL_ZERO (Alexander Potapenko)" * tag 'var-init-v5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: security: allow using Clang's zero initialization for stack variables

Merge tag 'var-init-v5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull automatic variable initialization updates from Kees Cook: "This adds the "zero" init option from Clang, which is being used widely in production builds of Android and Chrome OS (though it also keeps the "pattern" init, which is better for debug builds). - Introduce CONFIG_INIT_STACK_ALL_ZERO (Alexander Potapenko)" * tag 'var-init-v5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: security: allow using Clang's zero initialization for stack variables
5b5d3be5 · Linus Torvalds · 3e4a12a1 · f0fe00d4 · 5b5d3be5 · 5b5d3be5
Commit 5b5d3be5 authored Aug 04, 2020 by Linus Torvalds
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 11 deletions

Makefile Makefile +11 -2

init/main.c init/main.c +7 -5

security/Kconfig.hardening security/Kconfig.hardening +25 -4

No files found.
--- a/Makefile
+++ b/Makefile
@@ -803,11 +803,20 @@ KBUILD_CFLAGS	+= -fomit-frame-pointer
 endif
 endif
-# Initialize all stack variables with a pattern, if desired.
+# Initialize all stack variables with a 0xAA pattern.
-ifdef CONFIG_INIT_STACK_ALL
+ifdef CONFIG_INIT_STACK_ALL_PATTERN
 KBUILD_CFLAGS	+= -ftrivial-auto-var-init=pattern
 endif
+# Initialize all stack variables with a zero value.
+ifdef CONFIG_INIT_STACK_ALL_ZERO
+# Future support for zero initialization is still being debated, see
+# https://bugs.llvm.org/show_bug.cgi?id=45497. These flags are subject to being
+# renamed or dropped.
+KBUILD_CFLAGS	+= -ftrivial-auto-var-init=zero
+KBUILD_CFLAGS	+= -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
+endif
 DEBUG_CFLAGS	:= $(call cc-option, -fno-var-tracking-assignments)
 ifdef CONFIG_DEBUG_INFO

--- a/init/main.c
+++ b/init/main.c
@@ -779,14 +779,16 @@ static void __init report_meminit(void)
 {
 	const char *stack;
-	if (IS_ENABLED(CONFIG_INIT_STACK_ALL))
+	if (IS_ENABLED(CONFIG_INIT_STACK_ALL_PATTERN))
-		stack = "all";
+		stack = "all(pattern)";
+	else if (IS_ENABLED(CONFIG_INIT_STACK_ALL_ZERO))
+		stack = "all(zero)";
 	else if (IS_ENABLED(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL))
-		stack = "byref_all";
+		stack = "byref_all(zero)";
 	else if (IS_ENABLED(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF))
-		stack = "byref";
+		stack = "byref(zero)";
 	else if (IS_ENABLED(CONFIG_GCC_PLUGIN_STRUCTLEAK_USER))
-		stack = "__user";
+		stack = "__user(zero)";
 	else
 		stack = "off";

--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -19,13 +19,16 @@ config GCC_PLUGIN_STRUCTLEAK
 menu "Memory initialization"
-config CC_HAS_AUTO_VAR_INIT
+config CC_HAS_AUTO_VAR_INIT_PATTERN
 	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
+config CC_HAS_AUTO_VAR_INIT_ZERO
+	def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang)
 choice
 	prompt "Initialize kernel stack variables at function entry"
 	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
-	default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
+	default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
 	default INIT_STACK_NONE
 	help
 	  This option enables initialization of stack variables at
@@ -88,9 +91,9 @@ choice
 		  of uninitialized stack variable exploits and information
 		  exposures.
-	config INIT_STACK_ALL
+	config INIT_STACK_ALL_PATTERN
 		bool "0xAA-init everything on the stack (strongest)"
-		depends on CC_HAS_AUTO_VAR_INIT
+		depends on CC_HAS_AUTO_VAR_INIT_PATTERN
 		help
 		  Initializes everything on the stack with a 0xAA
 		  pattern. This is intended to eliminate all classes
@@ -98,6 +101,24 @@ choice
 		  exposures, even variables that were warned to have been
 		  left uninitialized.
+		  Pattern initialization is known to provoke many existing bugs
+		  related to uninitialized locals, e.g. pointers receive
+		  non-NULL values, buffer sizes and indices are very big.
+	config INIT_STACK_ALL_ZERO
+		bool "zero-init everything on the stack (strongest and safest)"
+		depends on CC_HAS_AUTO_VAR_INIT_ZERO
+		help
+		  Initializes everything on the stack with a zero
+		  value. This is intended to eliminate all classes
+		  of uninitialized stack variable exploits and information
+		  exposures, even variables that were warned to have been
+		  left uninitialized.
+		  Zero initialization provides safe defaults for strings,
+		  pointers, indices and sizes, and is therefore
+		  more suitable as a security mitigation measure.
 endchoice
 config GCC_PLUGIN_STRUCTLEAK_VERBOSE