<div dir="ltr"><div dir="ltr">Very exciting, and long overdue. Thanks for doing this!<div>Countless security bugs would have been mitigated by this; see below. </div><div><br></div><div>Agree with the rationale: UUMs remain bugs, and we need to try hard to not let developers rely on auto-initialization. </div><div>(e.g. in future patches we may decide to change the patterns, or to make them different between the runs, etc.)</div><div>All the old goodness (msan, -Wuninitialized, static analyses) is still relevant. </div><div><br></div><div>I am separately excited about this work because it is essentially a precursor to efficient support for ARM's memory tagging extension (MTE). </div><div>If we can make enough compiler optimizations to auto-initialize locals with low overhead, then MTE stack instrumentation will come for ~free. </div><div><a href="http://llvm.org/devmtg/2018-10/talk-abstracts.html#talk16" target="_blank">http://llvm.org/devmtg/2018-10/talk-abstracts.html#talk16</a><br></div><div><br></div><div>Does -Wuninitialized still work with -ftrivial-auto-var-init=pattern|zero? <br></div><div><br></div><div>In later patches we may need to have flags to separately control auto-init of scalars, PODs, arrays of data, arrays of pointers, etc.,</div><div>because in some cases we could achieve 90% of the benefit at 10% of the cost. </div><div><br></div><div>I think that zero-init is going to be substantially cheaper than pattern-init, but happy to be wrong. </div><div><br></div><div>Here are some links to bugs, vulnerabilities and full exploits based on uses of uninitialized memory. </div><div>The list is not exhaustive by any means, and we keep finding them every day. </div><div>The problem is, of course, that we don't find all of them. 
</div><div><br></div><div><span id="m_-7412996687227760023gmail-docs-internal-guid-380b8a4b-7fff-a69b-17ef-bcc78841f0c4"><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Linux kernel: </span><a href="https://github.com/google/kmsan/wiki/KMSAN-Trophies" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">KMSAN trophies</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://groups.google.com/forum/#!searchin/syzkaller-bugs/subject$3Akmsan" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">more trophies</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVEs</span></a></p></li><li dir="ltr" 
style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Chrome: </span><a href="https://bugs.chromium.org/p/chromium/issues/list?can=1&q=Stability%3DMemory-MemorySanitizer+-status%3ADuplicate+-status%3AWontFix+Use-of-uninitialized-value" style="background-color:transparent;text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">700+ UMRs Chromium found by fuzzing</span></a><br></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Android: userspace: </span><a href="https://android.googlesource.com/platform/frameworks/av/+/d6bd6091686dd7ea3b410fb8dce3794429066453" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2018-9345</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">/</span><span 
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2018-9346</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://android.googlesource.com/platform/system/media/+/12df4b05fd918d836636e21f783df7ad9d5e17a3" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2018-9420</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://android.googlesource.com/platform/frameworks/native/+/ff2171f2460e3a6d3443ab957732b8b7d4831d40" style="text-decoration-line:none" target="_blank"><span style="font-family:Roboto;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2018-9421</span></a><span style="font-family:Roboto;color:rgb(32,33,36);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">,</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> </span><a href="https://android.googlesource.com/platform/frameworks/av/+/86141f9df21cb8ac91f9cc9804f5b75d26d98996" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2017-13252</span></a><span 
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">; kernel: </span><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8" style="text-decoration-line:none" target="_blank"><span style="font-family:Roboto;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2017-9075</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52" style="text-decoration-line:none" target="_blank"><span style="font-family:Roboto;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2017-9076</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, 12% of all bugs (</span><a href="https://www.blackhat.com/docs/us-16/materials/us-16-Kralevich-The-Art-Of-Defense-How-Vulnerabilities-Help-Shape-Security-Features-And-Mitigations-In-Android.pdf" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">as of 2016</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">). 
</span></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">OSS: </span><a href="https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=use-of-uninitialized-value&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">700+ bugs in various OSS projects found by fuzzing</span></a></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Project Zero (P0) findings: ~</span><a href="https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=uninitialized+&colspec=ID+Status+Restrict+Reported+Vendor+Product+Finder+Summary&cells=ids" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">139 total</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">.  
</span></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Mozilla: </span><a href="https://bugzilla.mozilla.org/buglist.cgi?keywords=csectype-uninitialized%2C%20&keywords_type=allwords&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&query_format=advanced&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">100+ bugs</span></a></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf" target="_blank" style="font-family:Arial,Helvetica,sans-serif;text-decoration-line:none"><span style="font-family:Arial;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline">"Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking"</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline"> (</span><span 
style="font-variant-numeric:normal;font-variant-east-asian:normal;color:rgb(34,34,34);vertical-align:baseline">Sections 3.5 and 6.1.2</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">)</span><br></p></li></ul></span></div><div><span id="m_-7412996687227760023gmail-docs-internal-guid-ed63a7e0-7fff-decb-5c90-d619effa81c1"><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Leaks of sensitive information</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Linux kernel: </span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1431" 
style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1431</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">: disclosure of large chunks of kernel memory.</span></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://alephsecurity.com/vulns/aleph-2016005" style="text-decoration-line:none" target="_blank"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://alephsecurity.com/vulns/aleph-2016005</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">: Android, </span><span style="color:rgb(34,34,34);font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">uninitialized kernel memory leak over USB</span></p></li></ul><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Windows kernel: </span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" 
style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://menschers.com/2018/10/30/what-is-cve-2018-8493/" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2018-8493</span></a></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1276" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1276</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (CVE-2017-8685) - a continuous leak of 1kB from the Windows kernel stack, discovered by diffing win32k.sys between Windows 7 and Windows 10. It enabled an attacker to e.g. perform system-wide keyboard sniffing to some extent. 
Mentioned in </span><a href="https://googleprojectzero.blogspot.com/2017/10/using-binary-diffing-to-discover.html" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">P0 blog</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> post about bindiffing.</span></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1352" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1352</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (CVE-2017-11817) - a leak of ~4kB of uninitialized Windows kernel pool memory to NTFS metadata upon mounting the file system, without requiring user interaction. 
Made it possible to "exfiltrate" kernel memory from a powered-on but locked Windows machine through the USB port.</span></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1500" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1500</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (CVE-2018-1037) - 3 kB of uninitialized user-mode heap memory leaking from Microsoft build servers into a small percentage of .pdb symbol files publicly available through the Microsoft Symbol Server.</span></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1267" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1267</span></a><span 
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (CVE-2017-8680) - disclosure of a controlled number of uninitialized bytes from the Windows kernel pool.</span></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=176" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#176</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#248</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=259" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#259</span></a><span 
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=277" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#277</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=281" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#281</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (CVE-2015-0089, many other CVEs) - a disclosure of uninitialized user/kernel-mode heap memory in the OpenType glyph outline VM program, which affected the Windows kernel, user-mode DirectWrite and WPF components, Adobe Reader, and Oracle Java. 
Discussed in detail in a </span><a href="https://googleprojectzero.blogspot.com/2015/09/enabling-qr-codes-in-internet-explorer.html" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">P0 blog post</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">.</span></p></li></ul><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">User space:</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> </span><span style="text-decoration-line:underline;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><a href="https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html" style="text-decoration-line:none" target="_blank">*bleed continues</a></span></p></li></ul></ul><li dir="ltr" 
style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Leaks of pointers (allows further attacks)</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Windows kernel:</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><span class="m_-7412996687227760023gmail-Apple-tab-span" style="white-space:pre-wrap">  </span></span><br></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=825" style="text-decoration-line:none" target="_blank"><span 
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#825</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (CVE-2016-3262) - rendering of uninitialized heap bytes as pixels in EMF files parsed by user-mode Microsoft GDI+. Considered a WontFix by Microsoft until it turned out that Office Online was vulnerable and could leak memory from Microsoft servers, at which point they fixed the bug.</span></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=480" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#480</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (CVE-2015-2433) - a 0-day Windows kernel memory disclosure that was discovered in the Hacking Team dump in July 2015, and was independently found by ex-P0 member Matt Tait. 
It was used in an exploit chain to defeat KASLR and reveal the base address of win32k.sys.</span></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1153" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1153</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1159" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1159</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1191" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1191</span></a><span 
style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1268" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1268</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1275" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1275</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1311" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1311</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> - various examples of relatively long (~100+ bytes) continuous disclosure of Windows kernel memory, which could be easily used to de-aslr the kernel, leak stack cookies etc.</span></p></li></ul><li dir="ltr" 
style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">MacOS kernel: </span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-2357" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2017-2357</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, CVE-2017-{13836, 13840, 13841, 13842}, </span></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1410" style="text-decoration-line:none" target="_blank"><span 
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#1410</span></a></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">(</span><a href="https://www.google.com/search?q=%22An+application+may+be+able+to+read+restricted+memory%22+inurl%3Asupport.apple.com&oq=%22An+application+may+be+able+to+read+restricted+memory%22+inurl%3Asupport.apple.com&aqs=chrome..69i57.2441j0j7&sourceid=chrome&ie=UTF-8" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">more of such</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">)</span></p></li></ul><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">User space:</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" 
style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=711" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#711</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">: Android, uninitialized heap memory which could help break ASLR in a privileged process</span></p></li></ul></ul><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Privilege escalation / code execution</span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Linux kernel: </span><a 
href="https://groups.google.com/forum/#!msg/syzkaller-bugs/j5_w9tlG5Fo/esrHTJw0AwAJ" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">unauthorized access to IPC objects</span></a></p></li><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Windows kernel: </span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://blogs.technet.microsoft.com/srd/2017/06/20/tales-from-the-msrc-from-pixels-to-poc/" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2016-0040</span></a></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a 
href="https://bugs.chromium.org/p/project-zero/issues/detail?id=177" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#177</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (CVE-2015-0090) - off-by-one in the OpenType glyph outline VM in the Windows kernel, which led to arbitrary read/write thanks to accessing uninitialized pointers. Successfully exploited for privilege escalation on Windows 8.1 64-bit, as shown </span><a href="https://www.youtube.com/watch?v=FVBSvjYQgq8" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="color:rgb(34,34,34);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">.</span></p></li></ul><li dir="ltr" style="list-style-type:circle;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">MacOS kernel: </span></p></li><ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-2358" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2017-2358</span></a></p></li><li dir="ltr" style="list-style-type:square;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=618" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">#618</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> (</span><a href="https://support.apple.com/en-us/HT205732" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVE-2016-1721</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">): a local user may be able to execute arbitrary code with kernel privileges</span></p></li></ul></ul></ul></span></div><div><br></div><div><br></div><div>--kcc </div><div><br></div><div><br></div><div><br></div></div></div><br><div class="gmail_quote"><div 
dir="ltr">On Thu, Nov 15, 2018 at 2:53 PM JF Bastien via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Hello security fans!<div><br></div><div>I’ve just uploaded a patch proposing opt-in automatic variable initialization. I’d appreciate comments on the overall approach, as well as on the specific implementation.</div><div><br></div><div>Here’s the patch:</div><div><span class="m_-7412996687227760023m_5229101881933003366Apple-tab-span" style="white-space:pre-wrap">      </span><a href="https://reviews.llvm.org/D54604" target="_blank">https://reviews.llvm.org/D54604</a></div><div><br></div><div>And here’s the description:</div><div><br></div><div><br></div><div><div>Automatic variable initialization</div><div><br></div><div>Add an option to initialize automatic variables with either a pattern or with</div><div>zeroes. The default is still that automatic variables are uninitialized. Also</div><div>add attributes to request pattern / zero / uninitialized on a per-variable</div><div>basis, mainly to disable initialization of large stack arrays when deemed too</div><div>expensive.</div><div><br></div><div>This isn't meant to change the semantics of C and C++. Rather, it's meant to be</div><div>a last-resort when programmers inadvertently have some undefined behavior in</div><div>their code. This patch aims to make undefined behavior hurt less, which</div><div>security-minded people will be very happy about. 
Notably, this means that</div><div>there's no inadvertent information leak when:</div><div><br></div><div>  - The compiler re-uses stack slots, and a value is used uninitialized.</div><div>  - The compiler re-uses a register, and a value is used uninitialized.</div><div>  - Stack structs / arrays / unions with padding are copied.</div><div><br></div><div>This patch only addresses stack and register information leaks. There are many</div><div>more infoleaks that we could address, and much more undefined behavior that</div><div>could be tamed. Let's keep this patch focused, and I'm happy to address related</div><div>issues elsewhere.</div><div><br></div><div>To keep the patch simple, only some `undef` is removed for now, see</div><div>`replaceUndef`. The padding-related infoleaks are therefore not all gone yet.</div><div>This will be addressed in a follow-up, mainly because addressing padding-related</div><div>leaks should be a stand-alone option which is implied by variable</div><div>initialization.</div><div><br></div><div>There are three options when it comes to automatic variable initialization:</div><div><br></div><div>  0. Uninitialized</div><div><br></div><div>    This is C and C++'s default. It's not changing. Depending on code</div><div>    generation, a programmer who runs into undefined behavior by using an</div><div>    uninitialized automatic variable may observe any previous value (including</div><div>    program secrets), or any value which the compiler saw fit to materialize on</div><div>    the stack or in a register (this could be to synthesize an immediate, to</div><div>    refer to code or data locations, to generate cookies, etc).</div><div><br></div><div>  1. Pattern initialization</div><div><br></div><div>    This is the recommended initialization approach. 
Pattern initialization's</div><div>    goal is to initialize automatic variables with values which will likely</div><div>    transform logic bugs into crashes down the line, are easily recognizable in</div><div>    a crash dump, without being values which programmers can rely on for useful</div><div>    program semantics. At the same time, pattern initialization tries to</div><div>    generate code which will optimize well. You'll find the following details in</div><div>    `patternFor`:</div><div><br></div><div>    - Integers are initialized with repeated 0xAA bytes (infinite scream).</div><div>    - Vectors of integers are also initialized with infinite scream.</div><div>    - Pointers are initialized with infinite scream on 64-bit platforms because</div><div>      it's an unmappable pointer value on architectures I'm aware of. Pointers</div><div>      are initialized to 0x000000AA (small scream) on 32-bit platforms because</div><div>      32-bit platforms don't consistently offer unmappable pages. When they do</div><div>      it's usually the zero page. As people try this out, I expect that we'll</div><div>      want to allow different platforms to customize this, let's do so later.</div><div>    - Vectors of pointers are initialized the same way pointers are.</div><div>    - Floating point values and vectors are initialized with a vanilla quiet NaN</div><div>      (e.g. 0x7ff00000 and 0x7ffe000000000000). We could use other NaNs, say</div><div>      0xfffaaaaa (negative NaN, with infinite scream payload). NaNs are nice</div><div>      (here, anyways) because they propagate on arithmetic, making it more likely</div><div>      that entire computations become NaN when a single uninitialized value</div><div>      sneaks in.</div><div>    - Arrays are initialized to their homogeneous elements' initialization</div><div>      value, repeated. 
Stack-based Variable-Length Arrays (VLAs) are</div><div>      runtime-initialized to the allocated size (no effort is made for negative</div><div>      size, but zero-sized VLAs are untouched even if technically undefined).</div><div>    - Structs are initialized to their heterogeneous element's initialization</div><div>      values. Zero-size structs are initialized as 0xAA since they're allocated</div><div>      a single byte.</div><div>    - Unions are initialized using the initialization for the largest member of</div><div>      the union.</div><div><br></div><div>    Expect the values used for pattern initialization to change over time, as we</div><div>    refine heuristics (both for performance and security). The goal is truly to</div><div>    avoid injecting semantics into undefined behavior, and we should be</div><div>    comfortable changing these values when there's a worthwhile point in doing</div><div>    so.</div><div><br></div><div>    Why so much infinite scream? Repeated byte patterns tend to be easy to</div><div>    synthesize on most architectures, and otherwise memset is usually very</div><div>    efficient. For values which aren't entirely repeated byte patterns, LLVM</div><div>    will often generate code which does memset + a few stores.</div><div><br></div><div>  2. Zero initialization</div><div><br></div><div>    Zero initialize all values. This has the unfortunate side-effect of</div><div>    providing semantics to otherwise undefined behavior, programs therefore</div><div>    might start to rely on this behavior, and that's sad. However, some</div><div>    programmers believe that pattern initialization is too expensive for them,</div><div>    and data might show that they're right. The only way to make these</div><div>    programmers wrong is to offer zero-initialization as an option, figure out</div><div>    where they are right, and optimize the compiler into submission. 
Until the</div><div>    compiler provides acceptable performance for all security-minded code, zero</div><div>    initialization is a useful (if blunt) tool.</div><div><br></div><div>I've been asked for a fourth initialization option: user-provided byte value.</div><div>This might be useful, and can easily be added later.</div><div><br></div><div>Why is an out-of-band initialization mechanism desired? We could instead use</div><div>-Wuninitialized! Indeed we could, but then we're forcing the programmer to</div><div>provide semantics for something which doesn't actually have any (it's</div><div>uninitialized!). It's then unclear whether `int derp = 0;` lends meaning to `0`,</div><div>or whether it's just there to shut that warning up. It's also way easier to use</div><div>a compiler flag than it is to manually and intelligently initialize all values</div><div>in a program.</div><div><br></div><div>Why not just rely on static analysis? Because it cannot reason about all dynamic</div><div>code paths effectively, and it has false positives. It's a great tool, could get</div><div>even better, but it's simply incapable of catching all uses of uninitialized</div><div>values.</div><div><br></div><div>Why not just rely on memory sanitizer? Because it's not universally available,</div><div>has a 3x performance cost, and shouldn't be deployed in production. Again, it's</div><div>a great tool, it'll find the dynamic uses of uninitialized variables that your</div><div>test coverage hits, but it won't find the ones that you encounter in production.</div><div><br></div><div>What's the performance like? Not too bad! Previous publications [0] have cited</div><div>2.7 to 4.5% averages. We've committed a few patches over the last few months to</div><div>address specific regressions, both in code size and performance. In all cases,</div><div>the optimizations are generally useful, but variable initialization benefits</div><div>from them a lot more than regular code does. 
We've got a handful of other</div><div>optimizations in mind, but the code is in good enough shape and has found enough</div><div>latent issues that it's a good time to get the change reviewed, checked in, and</div><div>have others kick the tires. We'll continue reducing overheads as we try this out</div><div>on diverse codebases.</div><div><br></div><div>Is it a good idea? Security-minded folks think so, and apparently so does the</div><div>Microsoft Visual Studio team [1] who say "Between 2017 and mid 2018, this</div><div>feature would have killed 49 MSRC cases that involved uninitialized struct data</div><div>leaking across a trust boundary. It would have also mitigated a number of bugs</div><div>involving uninitialized struct data being used directly.". They seem to use pure</div><div>zero initialization, and claim to have taken the overheads down to within noise.</div><div>Don't just trust Microsoft though, here's another relevant person asking for</div><div>this [2]. It's been proposed for GCC [3] and LLVM [4] before.</div><div><br></div><div>What are the caveats? A few!</div><div><br></div><div>  - Variables declared in unreachable code, and used later, aren't initialized.</div><div>    This includes goto, Duff's device, other objectionable uses of switch. This should</div><div>    instead be a hard-error in any serious codebase.</div><div>  - Volatile stack variables are still weird. That's pre-existing, it's really</div><div>    the language's fault and this patch keeps it weird. We should deprecate</div><div>    volatile [5].</div><div>  - As noted above, padding isn't fully handled yet.</div><div><br></div><div>I don't think these caveats make the patch untenable because they can be</div><div>addressed separately.</div><div><br></div><div>Should this be on by default? Maybe, in some circumstances. 
It's a conversation</div><div>we can have when we've tried it out sufficiently, and we're confident that we've</div><div>eliminated enough of the overheads that most codebases would want to opt-in.</div><div>Let's keep our precious undefined behavior until that point in time.</div><div><br></div><div>How do I use it:</div><div><br></div><div>  1. On the command-line:</div><div><br></div><div>    -ftrivial-auto-var-init=uninitialized (the default)</div><div>    -ftrivial-auto-var-init=pattern</div><div>    -ftrivial-auto-var-init=zero</div><div><br></div><div>  2. Using an attribute:</div><div><br></div><div>    int dont_initialize_me __attribute((trivial_auto_init("uninitialized")));</div><div>    int zero_me __attribute((trivial_auto_init("zero")));</div><div>    int pattern_me __attribute((trivial_auto_init("pattern")));</div><div><br></div><div><br></div><div>  [0]: <a href="https://users.elis.ugent.be/~jsartor/researchDocs/OOPSLA2011Zero-submit.pdf" target="_blank">https://users.elis.ugent.be/~jsartor/researchDocs/OOPSLA2011Zero-submit.pdf</a></div><div>  [1]: <a href="https://twitter.com/JosephBialek/status/1062774315098112001" target="_blank">https://twitter.com/JosephBialek/status/1062774315098112001</a></div><div>  [2]: <a href="https://outflux.net/slides/2018/lss/danger.pdf" target="_blank">https://outflux.net/slides/2018/lss/danger.pdf</a></div><div>  [3]: <a href="https://gcc.gnu.org/ml/gcc-patches/2014-06/msg00615.html" target="_blank">https://gcc.gnu.org/ml/gcc-patches/2014-06/msg00615.html</a></div><div>  [4]: <a href="https://github.com/AndroidHardeningArchive/platform_external_clang/commit/776a0955ef6686d23a82d2e6a3cbd4a6a882c31c" target="_blank">https://github.com/AndroidHardeningArchive/platform_external_clang/commit/776a0955ef6686d23a82d2e6a3cbd4a6a882c31c</a></div><div>  [5]: <a href="http://wg21.link/p1152" target="_blank">http://wg21.link/p1152</a></div></div><div><br></div></div>_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
</blockquote></div>
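The pattern values the quoted proposal describes for `-ftrivial-auto-var-init=pattern`, modelled in plain user-space C as an added example (not code from the thread or from the D54604 patch's `patternFor`): it shows why 0xAA bytes, a non-canonical pointer value and a quiet NaN were chosen, and leaves struct padding alone to mirror the stated caveat. The helper names, the `struct example` layout and the classic 48-bit x86-64 canonical-address rule are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Integers and vectors of integers: repeated 0xAA bytes ("infinite scream"). */
static void pattern_fill_int(void *dst, size_t len) {
    memset(dst, 0xAA, len);
}

int32_t pattern_int32(void) {
    int32_t v;
    pattern_fill_int(&v, sizeof v);
    return v;                       /* bit pattern 0xAAAAAAAA */
}

/* Pointers: infinite scream on 64-bit targets, 0x000000AA ("small scream")
 * on 32-bit targets, as the mail describes. */
uintptr_t pattern_pointer(void) {
#if UINTPTR_MAX > 0xFFFFFFFFu
    return (uintptr_t)0xAAAAAAAAAAAAAAAAull;
#else
    return (uintptr_t)0x000000AAu;
#endif
}

/* Floating point: the vanilla quiet-NaN bit patterns quoted in the mail. */
float pattern_float(void) {
    uint32_t bits = 0x7ff00000u;
    float f;
    memcpy(&f, &bits, sizeof f);
    return f;
}

double pattern_double(void) {
    uint64_t bits = 0x7ffe000000000000ull;
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* NaN is the only value that compares unequal to itself (no libm needed). */
int is_nan_f(float x)  { return x != x; }
int is_nan_d(double x) { return x != x; }

/* Why NaN: it propagates, so one uninitialized term poisons the whole
 * result instead of yielding a plausible-looking number. */
double compute_with_uninit_term(double x) {
    double uninit = pattern_double();   /* stands in for an uninitialized local */
    return x * 2.0 + uninit;
}

/* Why 0xAA.. for 64-bit pointers: under classic 48-bit x86-64 addressing an
 * address is canonical only if bits 63..47 are all equal. 0xAAAA... is not,
 * so dereferencing it faults instead of silently reading memory (assumption:
 * 48-bit mode, no LA57). */
int x86_64_canonical(uint64_t addr) {
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1FFFFu;
}

/* Crash-dump triage helper: does a value still carry the scream pattern? */
int is_scream(const void *p, size_t len) {
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0xAA) return 0;
    return 1;
}

/* Structs: each member gets its own type's pattern. The padding bytes between
 * c and n are deliberately left untouched, matching the mail's caveat that
 * padding-related leaks are not fully handled yet. */
struct example { char c; int32_t n; float f; void *p; };

void pattern_init_example(struct example *e) {
    pattern_fill_int(&e->c, sizeof e->c);
    pattern_fill_int(&e->n, sizeof e->n);
    e->f = pattern_float();
    e->p = (void *)pattern_pointer();
}

int main(void) {
    struct example e;
    pattern_init_example(&e);
    printf("int32 pattern 0x%08x, e.n still scream: %d\n",
           (unsigned)pattern_int32(), is_scream(&e.n, sizeof e.n));
    printf("pointer pattern 0x%llx canonical on x86-64: %d\n",
           (unsigned long long)pattern_pointer(),
           x86_64_canonical((uint64_t)pattern_pointer()));
    printf("e.f is NaN: %d, 2*3.0 + uninit is NaN: %d\n",
           is_nan_f(e.f), is_nan_d(compute_with_uninit_term(3.0)));
    return 0;
}
```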