lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 11 Apr 2019 10:07:14 -0700
From:   Kees Cook <>
To:     Masahiro Yamada <>
Cc:     Alexander Potapenko <>,
        Nick Desaulniers <>,
        Kostya Serebryany <>,
        Dmitry Vyukov <>,
        Sandeep Patil <>,
        Laura Abbott <>,
        Randy Dunlap <>,
        Alexander Popov <>,
        Michal Marek <>,
        Emese Revfy <>,
        James Morris <>,
        "Serge E. Hallyn" <>,
        Linux Kbuild mailing list <>,
        Linux Kernel Mailing List <>,
        linux-security-module <>,
        Kernel Hardening <>
Subject: Re: [PATCH 3/3] kbuild: Implement Clang's stack initialization

On Thu, Apr 11, 2019 at 1:06 AM Masahiro Yamada
<> wrote:
> On Thu, Apr 11, 2019 at 1:16 AM Kees Cook <> wrote:
> >
> > CONFIG_INIT_STACK_ALL turns on stack initialization based on
> > -ftrivial-auto-var-init in Clang builds and on
> > -fplugin-arg-structleak_plugin-byref-all in GCC builds.
> Is CONFIG_INIT_STACK_ALL wired up to GCC plugin in any way?
> I could not understand it from the code.

No, it's only available under Clang. Clang is all-or-nothing, and the
GCC plugin has a degrees up to "all passed by reference" which isn't
truly "all" (i.e. Clang will initialize variables that aren't passed
by reference and trigger a compiler warning about being

> >  choice
> >         prompt "Initialize kernel stack variables at function entry"
> >         depends on CC_HAS_AUTO_VAR_INIT || GCC_PLUGINS
> > +       default INIT_STACK_ALL if CC_HAS_AUTO_VAR_INIT
> Why should this be enabled by default?
> Ins't it a performance regression
> since it inserts instructions in function prologue?

There are very few users of Clang right now (mainly Android), so I
figured it'd be nice to start Clang builds from a "protected by
default" here, especially given Linus's thoughts on making this always
happen[1]. I don't want to do it for GCC yet, since that would likely
come as a huge surprise to everyone else. :) But I'm happy to change
this, of course.



Kees Cook

Powered by blists - more mailing lists