[cfe-dev] [EXTERNAL] Re: making -ftrivial-auto-var-init=zero a first-class option

Kees Cook via cfe-dev cfe-dev at lists.llvm.org
Wed Apr 22 10:58:06 PDT 2020


On Wed, Apr 22, 2020 at 05:48:51PM +0000, Joe Bialek wrote:
> How are you going to efficiently check that something wasn't initialized
> at runtime? In a way that results in better codegen than just doing
> pattern initialization? I'm happy to see a solution but I don't see how
> this can be done in a way that doesn't involve metadata and checks. If
> you could do this at compile-time, you'd just issue a warning rather
> than let the issue hang around for someone to discover at runtime.

I share this skepticism. ;)

> Also not clear to me what the OS is expected to do with this
> trap. We have a number of information leak vulnerabilities where force
> initialization kills the bug silently. If you have a non-recoverable
> trap you are now turning these bugs into kernel crashes which is sort
> of a crappy user experience compared to just silently fixing the bug and
> allowing the OS to work as normal. As it is right now, we can just ignore
> the issues because they have no security or reliability impact which is
> great because it saves us time and money not having to service things,
> and customers don't have to install a code update either.

I don't think the intention is for it to be non-recoverable. (e.g.
earlier language was "if the execution continues, it would read zero")

-- 
Kees Cook
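To make concrete the class of bug the thread is talking about, here is an added example (not code from the thread, from clang, or from Joe's or Kees's projects): a stack struct whose every named field is assigned but whose padding bytes are never written, then copied wholesale to a less-privileged caller. This is the common kernel info-leak shape that forced initialization "kills silently". The struct, the `leaky_reply`/`safe_reply` names, the 3-byte padding gap and the 16-byte size are assumptions for a typical 64-bit ABI; `leave_residue` only simulates an earlier call dirtying the stack and is not guaranteed to land on the same bytes.

```c
/* Added example, not part of the original thread. Layout and names are
 * hypothetical; padding sizes assume a typical 64-bit ABI. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A reply record copied verbatim to a less-privileged caller. With the
 * usual alignment rules there are 3 padding bytes after 'flag', so the
 * 16-byte object contains bytes no field name ever covers. */
struct reply {
    uint32_t id;
    uint8_t  flag;
    uint64_t value;
};

/* Simulated earlier call that leaves "secret" residue on the stack.
 * Whether it overlaps the later struct is compiler/stack dependent. */
static void leave_residue(void) {
    volatile uint8_t scratch[64];
    for (size_t i = 0; i < sizeof scratch; i++) scratch[i] = 0xAA;
}

/* BUG: every named field is assigned, but the padding holds whatever the
 * stack held, and memcpy hands those bytes to the caller. */
size_t leaky_reply(uint8_t *dst, uint32_t id, uint64_t value) {
    struct reply r;
    r.id = id;
    r.flag = 1;
    r.value = value;
    memcpy(dst, &r, sizeof r);
    return sizeof r;
}

/* Source-level fix: zero the whole object, padding included. Note that
 * "= {0}" only guarantees the members are zeroed, not the padding, so
 * memset is the robust form. -ftrivial-auto-var-init=zero performs this
 * same whole-object zeroing for every trivial automatic variable. */
size_t safe_reply(uint8_t *dst, uint32_t id, uint64_t value) {
    struct reply r;
    memset(&r, 0, sizeof r);
    r.id = id;
    r.flag = 1;
    r.value = value;
    memcpy(dst, &r, sizeof r);
    return sizeof r;
}

/* Count the bytes of a copied-out record that lie outside every named
 * field and are non-zero: the bytes a field-by-field initializer never
 * touches, and therefore the candidate leak. */
size_t unnamed_nonzero_bytes(const uint8_t *buf) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof(struct reply); i++) {
        int named =
            (i >= offsetof(struct reply, id)    && i < offsetof(struct reply, id)    + sizeof(uint32_t)) ||
            (i >= offsetof(struct reply, flag)  && i < offsetof(struct reply, flag)  + sizeof(uint8_t))  ||
            (i >= offsetof(struct reply, value) && i < offsetof(struct reply, value) + sizeof(uint64_t));
        if (!named && buf[i] != 0)
            n++;
    }
    return n;
}

int main(void) {
    uint8_t out[sizeof(struct reply)];
    leave_residue();
    leaky_reply(out, 7, 42);
    printf("leaky_reply: %zu unnamed non-zero bytes (stack dependent)\n",
           unnamed_nonzero_bytes(out));
    safe_reply(out, 7, 42);
    printf("safe_reply:  %zu unnamed non-zero bytes\n",
           unnamed_nonzero_bytes(out));
    return 0;
}
```

Compiling the leaky version with `-ftrivial-auto-var-init=zero` makes `unnamed_nonzero_bytes` report 0 without touching the source, which is the "silent fix" Joe describes; with `=pattern` the padding instead carries the fill pattern, so the copy-out still happens but no longer discloses stack contents. A trap-on-read variant, as discussed above, would have to distinguish this read of never-written padding from legitimate reads, which is the runtime-metadata cost both posters doubt can be avoided.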

