<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Responding to Kostya and Chandler inline:</div><br class=""><blockquote type="cite" class=""><div class="">On Nov 15, 2018, at 5:26 PM, Kostya Serebryany <<a href="mailto:kcc@google.com" class="">kcc@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="ltr" class="">Very exciting, and long overdue. Thanks for doing this!<div class="">Countless security bugs would have been mitigated by this, see below. </div><div class=""><br class=""></div><div class="">Agree with the rationale: UUMs remain bugs, and we need to try hard to not let developers rely on auto-initialization. </div><div class="">(e.g. in future patches we may decide to change the patterns, or to make them different between the runs, etc.)</div></div></div></div></blockquote><div class=""><br class=""></div><div class="">Agreed. Chandler has good suggestions along those lines in his reply.</div><div class=""><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="">All the old goodness (msan, -Wuninitialized, static analyses) is still relevant. </div><div class=""><br class=""></div><div class="">I am separately excited about this work because it is essentially a precursor to efficient support for ARM's memory tagging extension (MTE). </div><div class="">If we can make enough compiler optimizations to auto-initialize locals with low overhead, then MTE stack instrumentation will come for ~ free. 
</div><div class=""><a href="http://llvm.org/devmtg/2018-10/talk-abstracts.html#talk16" target="_blank" class="">http://llvm.org/devmtg/2018-10/talk-abstracts.html#talk16</a><br class=""></div><div class=""><br class=""></div><div class="">Does -Wuninitialized still work with -ftrivial-auto-var-init=pattern|zero? </div></div></div></div></blockquote><div class=""><br class=""></div><div class="">AFAIK, yes. When you run this:</div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><font face="Courier" class="">clang -cc1 test/Sema/uninit-variables.c -fblocks -Wuninitialized -Wconditional-uninitialized -ftrivial-auto-var-init=pattern</font></div></blockquote><div class="">You get the same 41 initialization warnings as you do without <font face="Courier" class="">-ftrivial-auto-var-init={pattern|zero}</font> (i.e. <font face="Courier" class="">-verify</font> passes).</div><div class=""><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="">In later patches we may need to have flags to separately control auto-init of scalars, PODs, arrays of data, arrays of pointers, etc.</div><div class="">because in some cases we could achieve 90% of benefit at 10% of cost. </div></div></div></div></blockquote><div class=""><br class=""></div><div class="">Maybe? I’m hoping that we can quantify the cost and drive it close enough to zero that you’ll be wrong :-)</div><div class="">Adding the flags and collecting the data as you suggest won’t be hard, but likely not worth doing before we’ve spent some time driving down costs.</div><div class=""><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="">I think that zero-init is going to be substantially cheaper than pattern-init, but happy to be wrong. 
</div></div></div></div></blockquote><div class=""><br class=""></div><div class="">I suspect that you’re right for now, and as I discussed with Tim I’d like to get to a point where you’re happily wrong.</div><div class=""><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="">Here are some links to bugs, vulnerabilities and full exploits based on uses of uninitialized memory. </div><div class="">The list is not exhaustive by any means, and we keep finding them every day. </div><div class="">The problem is, of course, that we don't find all of them. </div></div></div></div></blockquote><div class=""><br class=""></div><div class="">Neat! It’s as if you had that list already, and were waiting to send it out.</div><div class=""><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class=""><span id="m_-7412996687227760023gmail-docs-internal-guid-380b8a4b-7fff-a69b-17ef-bcc78841f0c4" class=""><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Linux kernel: </span><a href="https://github.com/google/kmsan/wiki/KMSAN-Trophies" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">KMSAN trophies</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://groups.google.com/forum/#!searchin/syzkaller-bugs/subject$3Akmsan" target="_blank" class=""><span class="" 
style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">more trophies</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVEs</span></a></div></li><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Chrome: </span><a href="https://bugs.chromium.org/p/chromium/issues/list?can=1&q=Stability%3DMemory-MemorySanitizer+-status%3ADuplicate+-status%3AWontFix+Use-of-uninitialized-value" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">700+ UMRs Chromium found by fuzzing</span></a><br class=""></div></li><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Android: userspace: </span><a href="https://android.googlesource.com/platform/frameworks/av/+/d6bd6091686dd7ea3b410fb8dce3794429066453" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2018-9345</span><span class="" style="font-variant-numeric: normal; 
font-variant-east-asian: normal; vertical-align: baseline;">/</span><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2018-9346</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://android.googlesource.com/platform/system/media/+/12df4b05fd918d836636e21f783df7ad9d5e17a3" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2018-9420</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://android.googlesource.com/platform/frameworks/native/+/ff2171f2460e3a6d3443ab957732b8b7d4831d40" target="_blank" class=""><span class="" style="font-family: Roboto; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2018-9421</span></a><span class="" style="font-family: Roboto; color: rgb(32, 33, 36); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">,</span><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> </span><a href="https://android.googlesource.com/platform/frameworks/av/+/86141f9df21cb8ac91f9cc9804f5b75d26d98996" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2017-13252</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">; kernel: </span><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8" target="_blank" class=""><span class="" style="font-family: Roboto; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: 
baseline;">CVE-2017-9075</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52" target="_blank" class=""><span class="" style="font-family: Roboto; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2017-9076</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, 12% of all bugs (</span><a href="https://www.blackhat.com/docs/us-16/materials/us-16-Kralevich-The-Art-Of-Defense-How-Vulnerabilities-Help-Shape-Security-Features-And-Mitigations-In-Android.pdf" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">as of 2016</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">). 
</span></div></li><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">OSS: </span><a href="https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=use-of-uninitialized-value&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">700+ bugs in various OSS projects found by fuzzing</span></a></div></li><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Project Zero (P0) findings: ~</span><a href="https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=uninitialized+&colspec=ID+Status+Restrict+Reported+Vendor+Product+Finder+Summary&cells=ids" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">139 total</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">. 
</span></div></li><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Mozilla: </span><a href="https://bugzilla.mozilla.org/buglist.cgi?keywords=csectype-uninitialized%2C%20&keywords_type=allwords&resolution=FIXED&resolution=INVALID&resolution=WONTFIX&resolution=INACTIVE&resolution=DUPLICATE&resolution=WORKSFORME&resolution=INCOMPLETE&resolution=SUPPORT&resolution=EXPIRED&resolution=MOVED&query_format=advanced&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">100+ bugs</span></a></div></li><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf" target="_blank" class="" style="font-family: Arial, Helvetica, sans-serif;"><span class="" style="font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">"Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking"</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (</span><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; color: rgb(34, 34, 34); vertical-align: baseline;">Sections 3.5 and 6.1.2</span><span class="" 
style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">)</span><br class=""></div></li></ul></span></div><div class=""><span id="m_-7412996687227760023gmail-docs-internal-guid-ed63a7e0-7fff-decb-5c90-d619effa81c1" class=""><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Leaks of sensitive information</span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Linux kernel: </span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1431" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1431</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">: 
disclosure of large chunks of kernel memory.</span></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://alephsecurity.com/vulns/aleph-2016005" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">https://alephsecurity.com/vulns/aleph-2016005</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">: Android, </span><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">uninitialized kernel memory leak over USB</span></div></li></ul><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Windows kernel: </span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://menschers.com/2018/10/30/what-is-cve-2018-8493/" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2018-8493</span></a></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; 
font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1276" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1276</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (CVE-2017-8685) - a continuous leak of 1kB from the Windows kernel stack, discovered by diffing win32k.sys between Windows 7 and Windows 10. It enabled an attacker to e.g. perform system-wide keyboard sniffing to some extent. Mentioned in </span><a href="https://googleprojectzero.blogspot.com/2017/10/using-binary-diffing-to-discover.html" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0 blog</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> post about bindiffing.</span></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1352" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1352</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> 
(CVE-2017-11817) - a leak of ~4kB of uninitialized Windows kernel pool memory to NTFS metadata upon mounting the file system, without requiring user interaction. Made it possible to "exfiltrate" kernel memory from a powered-on but locked Windows machine through the USB port.</span></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1500" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1500</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (CVE-2018-1037) - 3 kB of uninitialized user-mode heap memory leaking from Microsoft build servers into a small percentage of .pdb symbol files publicly available through the Microsoft Symbol Server.</span></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1267" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1267</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (CVE-2017-8680) - disclosure of a 
controlled number of uninitialized bytes from the Windows kernel pool.</span></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=176" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#176</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#248</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=259" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#259</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=277" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#277</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=281" target="_blank" class=""><span class="" style="font-variant-numeric: 
normal; font-variant-east-asian: normal; vertical-align: baseline;">#281</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (CVE-2015-0089, many other CVEs) - a disclosure of uninitialized user/kernel-mode heap memory in the OpenType glyph outline VM program, which affected the Windows kernel, user-mode DirectWrite and WPF components, Adobe Reader, and Oracle Java. Discussed in detail in a </span><a href="https://googleprojectzero.blogspot.com/2015/09/enabling-qr-codes-in-internet-explorer.html" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0 blog post</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">.</span></div></li></ul><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">User space:</span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> </span><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"><a href="https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html" target="_blank" class="">*bleed 
continues</a></span></div></li></ul></ul><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Leaks of pointers (allows further attacks)</span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Windows kernel:</span><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> </span><br class=""></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=825" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#825</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (CVE-2016-3262) - rendering of uninitialized heap bytes as pixels in EMF files parsed by 
user-mode Microsoft GDI+. Considered a WontFix by Microsoft until it turned out that Office Online was vulnerable and could leak memory from Microsoft servers, at which point they fixed the bug.</span></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=480" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#480</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (CVE-2015-2433) - a 0-day Windows kernel memory disclosure that was discovered in the Hacking Team dump in July 2015, and was independently found by ex-P0 member Matt Tait. 
It was used in an exploit chain to defeat KASLR and reveal the base address of win32k.sys.</span></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1153" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1153</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1159" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1159</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1191" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1191</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1268" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1268</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, 
</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1275" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1275</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">, </span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1311" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1311</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> - various examples of relatively long (~100+ bytes) continuous disclosure of Windows kernel memory, which could be easily used to de-aslr the kernel, leak stack cookies etc.</span></div></li></ul><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">MacOS kernel: </span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-2357" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2017-2357</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: 
baseline;">, CVE-2017-{13836, 13840, 13841, 13842}, </span></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1410" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#1410</span></a></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">(</span><a href="https://www.google.com/search?q=%22An+application+may+be+able+to+read+restricted+memory%22+inurl%3Asupport.apple.com&oq=%22An+application+may+be+able+to+read+restricted+memory%22+inurl%3Asupport.apple.com&aqs=chrome..69i57.2441j0j7&sourceid=chrome&ie=UTF-8" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">more of such</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">)</span></div></li></ul><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; 
vertical-align: baseline;">User space:</span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=711" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#711</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">: Android, uninitialized heap memory which could help break ASLR in a privileged process</span></div></li></ul></ul><li dir="ltr" class="" style="list-style-type: disc; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Privilege escalation / code execution</span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Linux kernel: </span><a href="https://groups.google.com/forum/#!msg/syzkaller-bugs/j5_w9tlG5Fo/esrHTJw0AwAJ" target="_blank" class=""><span class="" style="font-variant-numeric: 
normal; font-variant-east-asian: normal; vertical-align: baseline;">unauthorized access to IPC objects</span></a></div></li><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">Windows kernel: </span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://blogs.technet.microsoft.com/srd/2017/06/20/tales-from-the-msrc-from-pixels-to-poc/" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2016-0040</span></a></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=177" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#177</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (CVE-2015-0090) - off-by-one in the OpenType glyph outline VM in the Windows kernel, which led 
to arbitrary read/write thanks to accessing uninitialized pointers. Successfully exploited for privilege escalation on Windows 8.1 64-bit, as shown </span><a href="https://www.youtube.com/watch?v=FVBSvjYQgq8" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">here</span></a><span class="" style="color: rgb(34, 34, 34); font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">.</span></div></li></ul><li dir="ltr" class="" style="list-style-type: circle; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">MacOS kernel: </span></div></li><ul class="" style="margin-top: 0pt; margin-bottom: 0pt;"><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-2358" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2017-2358</span></a></div></li><li dir="ltr" class="" style="list-style-type: square; font-family: Arial; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><div class="" style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">P0</span><a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=618" target="_blank" class=""><span class="" 
style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">#618</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;"> (</span><a href="https://support.apple.com/en-us/HT205732" target="_blank" class=""><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">CVE-2016-1721</span></a><span class="" style="font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline;">): a local user may be able to execute arbitrary code with kernel privileges</span></div></li></ul></ul></ul></span></div></div></div></div></blockquote><div class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div class="gmail_quote"><div dir="ltr" class=""></div></div></div></blockquote><div class=""><div class=""><div class="gmail_quote"><br class=""></div></div></div><div><blockquote type="cite" class=""><div class="">On Nov 15, 2018, at 5:58 PM, Chandler Carruth <<a href="mailto:chandlerc@google.com" class="">chandlerc@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_quote"><div class="">I'm super excited about all of the non-zeroing options here. I'd actually like to mention some more options that I want to see explored (in future work):</div><div class=""><br class=""></div><div class="">1) An enhancement to the pattern suggestion:</div><div class=""><br class=""></div><div class="">I'd like variables to be initialized to one of N patterns (using the very nice pattern scheme you outline). The N patterns need to *include* zero. The selection of the pattern needs to be very hard to rely on. My suggestion would be to rotate between a shuffled list of patterns for each initialization in the function (even better to do this in LLVM after inlining etc). 
And shuffle the list of patterns using various inputs: the version of the compiler, some user-provided input (random seed?), and the (mangled) name of the function.</div></div></div></div></blockquote><div><br class=""></div><div>At a high level this is totally doable and pretty neat, I like it.</div><div><br class=""></div><div>Details:</div><div><ul class="MailOutline"><li class="">Why do you think that it’s important to do after inlining?</li><li class="">It seems like you want a “pattern memset” intrinsic, and we’d let it survive early optimizations? It would have to take in the type so it can treat pointers / FP differently from other types. We’d then move the initialization logic from clang to whatever LLVM lowering pass. I guess we’d pass in some nonce too, which clang derives as you’ve suggested (user input, compiler version, mangled name).</li><li class="">Added benefit: non-clang frontends could use this.</li><li class="">I want to avoid making the builds non-reproducible, or rather I’d like users to opt in to this.</li><li class="">I’m worried that this makes incremental software updates much harder, because the random values change so much. We probably need a way to “stabilize” the randomness.</li><li class="">Security-wise, this is still fairly predictable in that an attacker can disassemble their binary to see which values are where. Agreed it’s less reliable than infinite scream, and it likely is different for different builds. For a JIT it would be great.</li></ul></div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="gmail_quote"><div class="">The reason I want this is that I think even all 0xAA can be relied upon inadvertently by programmers. 
As an example: it will reliably initialize booleans to `true`.</div><div class=""><br class=""></div><div class="">I would like to see something like this as the default instead of the all-0xAA option.</div></div></div></div></blockquote><div><br class=""></div><div>“Infinite scream” ;-)</div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="gmail_quote"><div class="">2) An extension to this pattern (maybe call it "dynamic-pattern") would be to read the pattern (or some of the N patterns) from a buffer initialized at program start time.</div><div class=""><br class=""></div><div class="">While #2 may imply some overhead, it may be lower than expected -- copying memory is in some weird cases faster than materializing patterns and then setting memory. And it may have some advantages.</div></div></div></div></blockquote><div><br class=""></div><div>Totally agreed. Even just (random) byte-read + broadcast + store should be relatively cheap. I expect that we’d create some weak global that’s initialized with a low <font face="Courier" class="">init_priority</font>. The linker would make sure there’s just one of those. Each initialization could read a byte from that buffer chosen at compile time, different from the byte other initializations use.</div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="gmail_quote"><div class="">All of that said:</div><div dir="ltr" class=""><br class=""></div><div dir="ltr" class="">On Thu, Nov 15, 2018 at 5:06 PM Tim Northover via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" class="">cfe-dev@lists.llvm.org</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, 16 Nov 2018 at 00:42, JF Bastien <<a href="mailto:jfbastien@apple.com" target="_blank" class="">jfbastien@apple.com</a>> wrote:<br class="">
> Sounds fair?<br class="">
<br class="">
No, it doesn't. It's putting the entire burden on backend optimizers,<br class="">
with the goal of removing zero-init at some unspecified future date.<br class="">
It's nothing even remotely approaching a compromise.<br class="">
<br class="">
The fragmentation issues need to be considered up front.<br class=""></blockquote><div class=""><br class=""></div><div class="">FWIW, I agree about the zero case. I'm deeply concerned about fragmentation here.</div><div class=""><br class=""></div><div class="">But I *also* really want to be able to get the data and measurements needed to address performance problems with non-zero initialization.</div><div class=""><br class=""></div><div class="">I would love to see a way to get the zero initialization behavior for performance testing, but *not* expose this as a supported flag to users. I can imagine many ways to do that. Tim, would that address your concerns? In that way, we could actually refuse to support the zero behavior long term by making it much more apparent that it is only intended to gather data.</div></div></div>
</div></blockquote></div><br class=""><div class="">I expected this to be the main sticking point, and I agree there’s a bunch of ways we can hide the option, or purposefully break in the future. I’m open to suggestions on which approach seems more palatable to people. I absolutely want zero-init for performance measurements in the near-medium term, though.</div><div class=""><br class=""></div></body></html>
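As an added illustration of two points raised in the thread above (this is constructed example code, not code from the thread or from the clang patch under discussion): Chandler's observation that a fixed 0xAA pattern makes any forgotten byte-sized flag read as "true", and JF's sketch of a weak, startup-initialized pattern buffer from which each initialization site reads one byte, broadcasts it and stores it. Everything named here is an assumption made for the demo: `g_pattern_buf`, `seed_pattern_buf`, the toy arithmetic fill (a real runtime would seed from a random source, and slot 0 is forced to zero so that zero is among the patterns), the constructor attribute standing in for a low `init_priority`, and the per-site index passed as a parameter where a compiler would bake it in at compile time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_BUF_SIZE 16

/* Stand-in for the weak, startup-initialized pattern buffer JF sketches.
   Weak so that every translation unit can define it and the linker keeps one. */
__attribute__((weak)) uint8_t g_pattern_buf[PATTERN_BUF_SIZE];

/* Fill the buffer before main() runs. The arithmetic fill is a deterministic
   toy used so the demo is reproducible (assumption); a real runtime would read
   the bytes from a random source. Slot 0 is forced to zero so that zero is one
   of the patterns, as Chandler asks. */
void seed_pattern_buf(uint8_t seed) {
    for (size_t i = 0; i < PATTERN_BUF_SIZE; i++)
        g_pattern_buf[i] = (uint8_t)(seed * (2 * i + 1));
    g_pattern_buf[0] = 0;
}

/* Constructor attribute stands in for a low init_priority global initializer. */
__attribute__((constructor)) static void init_pattern_buf(void) {
    seed_pattern_buf(0x5A); /* constructed seed; not a real entropy source */
}

/* Static scheme: every byte of the object becomes 0xAA. */
static void pattern_init_static(void *obj, size_t n) {
    memset(obj, 0xAA, n);
}

/* Dynamic scheme: one byte, selected per initialization site, is read from
   the runtime buffer, broadcast, and stored. The site index would be chosen
   by the compiler; here it is a parameter (assumption). */
static void pattern_init_dynamic(void *obj, size_t n, unsigned site) {
    memset(obj, g_pattern_buf[site % PATTERN_BUF_SIZE], n);
}

/* A struct with a flag a programmer might forget to set before testing it. */
struct request {
    unsigned char authenticated; /* 0 = no, nonzero = yes */
    uint32_t len;
    void *payload;
};

/* With fixed 0xAA init, a forgotten byte flag always reads as "true". */
int static_flag_reads_true(void) {
    struct request r;
    pattern_init_static(&r, sizeof r);
    return r.authenticated != 0;
}

/* With dynamic patterns that include zero, the flag reads as "false" at some
   site, so code that relies on the pattern fails early instead of behaving
   consistently across builds. */
int dynamic_flag_can_read_false(void) {
    for (unsigned site = 0; site < PATTERN_BUF_SIZE; site++) {
        struct request r;
        pattern_init_dynamic(&r, sizeof r, site);
        if (r.authenticated == 0)
            return 1;
    }
    return 0;
}

/* Check that every byte of the object (padding included) carries the byte
   selected for this site. */
int dynamic_init_matches_site(unsigned site) {
    struct request r;
    pattern_init_dynamic(&r, sizeof r, site);
    const unsigned char *p = (const unsigned char *)&r;
    uint8_t want = g_pattern_buf[site % PATTERN_BUF_SIZE];
    for (size_t i = 0; i < sizeof r; i++)
        if (p[i] != want)
            return 0;
    return 1;
}

int main(void) {
    printf("static 0xAA: flag reads true? %d\n", static_flag_reads_true());
    printf("dynamic: some site reads false? %d\n", dynamic_flag_can_read_false());
    for (unsigned site = 0; site < 4; site++)
        printf("site %u -> pattern byte 0x%02X\n", site, g_pattern_buf[site]);
    return 0;
}
```

The contrast is the point JF makes about predictability: under the static scheme the value at every site is a constant visible in the binary, whereas under the dynamic scheme the binary only reveals which buffer slot a site reads, and the slot's contents are decided at program start.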