On Tuesday, January 11, 2022 7:00:22 PM CET Steve Grubb wrote: > Hello, > > On Wednesday, January 5, 2022 5:05:26 PM EST Ben Cotton wrote: > > > https://fedoraproject.org/wiki/Changes/GNUToolchainF36 > > > > == Summary == > > Update the Fedora 36 GNU Toolchain to gcc 12 and glibc 2.35. > > > > The gcc 12 is currently under development and will be included in > > Fedora 36 upon release. The glibc 2.35 change will be tracked in this > > top-level GNU Toolchain system-wide update. > > > Reading through the GCC 12 changes, there is a significant new feature to > GCC that would appear to be useful for security. There is a new: > > -ftrivial-auto-var-init=zero > > flag that initializes all stack variables to zero. Zero being a nice safe > value that makes programs crash instead of being exploitable. > > Are there plans to enable this flag so that all applications, but more > importantly the kernel, are hardened against uninitialized stack variables? > > This is one of the major classes of security bugs that could potentially > be eliminated during this mass rebuild. I don't know if it is still the case, but OpenSSL used uninitialized stack variables on purpose! If you initialize them to zero might end up with the same disaster as Debian had some years ago! https://www.debian.org/security/2008/dsa-1571 There be dragons! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure