On Tue, Jan 11, 2022 at 05:00:57PM -0500, Carlos O'Donell wrote:
> On 1/11/22 13:00, Steve Grubb wrote:
> > Hello,
> >
> > On Wednesday, January 5, 2022 5:05:26 PM EST Ben Cotton wrote:
> >> https://fedoraproject.org/wiki/Changes/GNUToolchainF36
> >>
> >> == Summary ==
> >> Update the Fedora 36 GNU Toolchain to gcc 12 and glibc 2.35.
> >>
> >> The gcc 12 is currently under development and will be included in
> >> Fedora 36 upon release. The glibc 2.35 change will be tracked in this
> >> top-level GNU Toolchain system-wide update.
> >
> > Reading through the GCC 12 changes, there is a significant new feature to GCC
> > that would appear to be useful for security. There is a new:
> >
> > -ftrivial-auto-var-init=zero
> >
> > flag that initializes all stack variables to zero. Zero being a nice safe
> > value that makes programs crash instead of being exploitable.
> >
> > Are there plans to enable this flag so that all applications, but more
> > importantly the kernel, are hardened against uninitialized stack variables?
> > This is one of the major classes of security bugs that could potentially be
> > eliminated during this mass rebuild.
>
> There are currently no plans that I am aware of that involve turning on
> '-ftrivial-auto-var-init=zero' in the short term for Fedora. CC'ing Jakub
> and Marek to comment. Also not aware of any plans to always enable it.
> It is something that should be discussed, turned on in Rawhide first,
> and likely via redhat-rpm-config default flags first, and then we should
> fix any fallout.
>
> I'd only be comfortable if we did it early and worked through the consequences.
> So it could be something to discuss for F37.

Right. It reminds me of MALLOC_PERTURB_, but for automatic variables. Obviously it's always important to measure its slowdown (maybe run a SPEC benchmark) / compile time / stack usage. Some of it has been done:
https://gcc.gnu.org/pipermail/gcc-patches/2021-January/562872.html
but that was an early version of the patch.
Still, it seems like it'd be acceptable. It's a new feature, only present in GCC 12 (which hasn't been released as of now), so I think it needs more testing before it could be (considered to be) enabled by default. A good thing is that it doesn't suppress the -Wuninitialized warning, so you still get a chance to fix your bugs. It also comes with an attribute to keep variables uninitialized even when the option is turned on.

From what I've seen it's the kernel that would most benefit from the option, and it looks like it already has support for it:

CONFIG_INIT_STACK_ALL_ZERO
CONFIG_INIT_STACK_ALL_PATTERN

so maybe it's enough to enable it for the kernel. Or start there, see how it does, then add it to our hardening flags.

--
Marek Polacek • Red Hat, Inc. • 300 A St, Boston, MA
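The following is an added illustration, not code from the thread or from Fedora/GCC, of the bug class the thread discusses and of the two knobs Marek mentions: an automatic variable whose unwritten bytes leave the function, the explicit-zeroing fix that does not depend on the compiler flag, and GCC 12's `uninitialized` variable attribute (the opt-out that accompanies `-ftrivial-auto-var-init`) applied to a buffer that is always fully overwritten. The `struct reply` layout, the builder functions and the sample inputs are constructed for the example; the `KEEP_UNINITIALIZED` macro is an assumed wrapper so the file also builds on compilers without the attribute.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* GCC 12 pairs -ftrivial-auto-var-init with a variable attribute that opts a
 * single automatic variable out of the forced initialization. On older GCC
 * or other compilers the macro expands to nothing so the file still builds.
 * (Wrapper macro is an assumption of this example, not a GCC name.) */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 12
#  define KEEP_UNINITIALIZED __attribute__((uninitialized))
#else
#  define KEEP_UNINITIALIZED
#endif

/* Constructed record that is copied out whole, e.g. to a less trusted
 * caller. The compiler inserts padding bytes between 'flags' and 'note'. */
struct reply {
    uint32_t id;
    uint8_t  flags;
    char     note[8];
};

/* Pattern the option targets: 'r' is an automatic variable and only some of
 * its bytes are assigned before the whole object is copied out. Without the
 * option the padding and the unused 'note' carry whatever the stack held
 * (an information leak); with -ftrivial-auto-var-init=zero they read as 0. */
void build_reply_unhardened(uint32_t id, int with_note, uint8_t *out)
{
    struct reply r;
    r.id = id;
    r.flags = with_note ? 1 : 0;
    if (with_note)
        memcpy(r.note, "ok", 3);
    memcpy(out, &r, sizeof r);          /* copies the unwritten bytes too */
}

/* Hardened form that does not depend on the compiler flag: zero the whole
 * object first so every byte that leaves the function is defined. */
void build_reply_hardened(uint32_t id, int with_note, uint8_t *out)
{
    struct reply r;
    memset(&r, 0, sizeof r);
    r.id = id;
    r.flags = with_note ? 1 : 0;
    if (with_note)
        memcpy(r.note, "ok", 3);
    memcpy(out, &r, sizeof r);
}

/* Build a reply without a note and count bytes after 'flags' that are not
 * zero. The builder never writes those bytes, so any non-zero value would be
 * leaked stack content. For the hardened builder the answer is always 0. */
size_t hardened_reply_leaked_bytes(uint32_t id)
{
    uint8_t buf[sizeof(struct reply)];
    size_t leaked = 0;
    build_reply_hardened(id, 0, buf);
    for (size_t i = offsetof(struct reply, flags) + 1; i < sizeof buf; i++)
        if (buf[i] != 0)
            leaked++;
    return leaked;
}

/* Legitimate use of the opt-out: a scratch buffer that is always fully
 * written before it is read. Keeping it uninitialized under the option
 * avoids zeroing 64 bytes per call that the code overwrites anyway. */
uint32_t byte_sum_via_scratch(const uint8_t *data, size_t len)
{
    uint8_t scratch[64] KEEP_UNINITIALIZED;
    uint32_t sum = 0;
    for (size_t off = 0; off < len; off += sizeof scratch) {
        size_t chunk = len - off < sizeof scratch ? len - off : sizeof scratch;
        memcpy(scratch, data + off, chunk);
        memset(scratch + chunk, 0, sizeof scratch - chunk);  /* rest defined */
        for (size_t i = 0; i < sizeof scratch; i++)
            sum += scratch[i];
    }
    return sum;
}
```

Building this with `gcc -O2 -Wall -ftrivial-auto-var-init=zero` still produces the usual `-Wmaybe-uninitialized` style diagnostics where the compiler can prove a read of an unwritten variable, which is the property Marek points out: the option changes the runtime outcome of such bugs, it does not hide them. Only `build_reply_unhardened` depends on the flag for a defined result; the hardened builder is correct on any compiler, and the attribute marks the one buffer where forced zeroing is pure cost.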