On Wed, Apr 10, 2019 at 6:09 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> On Wed, Apr 10, 2019 at 6:18 AM Alexander Potapenko <glider@xxxxxxxxxx> wrote:
> >
> > This config option adds the possibility to initialize newly allocated
> > pages and heap objects with a 0xAA pattern.
> > There's already a number of places where allocations are initialized
> > based on the presence of the __GFP_ZERO flag. We just change this code so
> > that under CONFIG_INIT_ALL_HEAP these allocations are always initialized
> > with either 0x00 or 0xAA depending on __GFP_ZERO.
>
> Why not just make __GFP_ZERO unconditional instead? This looks like
> it'd be simpler and not need an arch-specific implementation?

Right, but it would mean we can only initialize with the 0x00 pattern.
I believe that for testing purposes a nonzero pattern is better, because
it'll not only assure the execution is deterministic, but will also
uncover logic bugs earlier (see the discussion at
https://reviews.llvm.org/D54604?id=174471).
For hardening purposes the pattern shouldn't matter much.
If you think arch-specific code is too much trouble, we could implement
clear_page_pattern() using memset() on every architecture, but allow the
user to choose between slow (0xAA) and production (0x00) modes.

> --
> Kees Cook

--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing directors: Paul Manicle, Halimah DeLaine Prado
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
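The reply above argues that a nonzero fill pattern finds missing-initialisation bugs that a 0x00 fill can mask. The following user-space C example, added here and not part of the thread or of the kernel patch, models that argument: a toy one-object "slab" that is reused without cleaning, an allocator that fills with 0x00 on an explicit zero request and otherwise with 0xAA when pattern mode is on (the portable memset()-based fallback the reply suggests for clear_page_pattern()), and a constructor that forgets to set one field. DEMO_GFP_ZERO, demo_alloc(), struct conn and the stale-object setup are all constructed for the example and are not kernel identifiers.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the kernel's __GFP_ZERO flag (constructed for this example). */
#define DEMO_GFP_ZERO 0x1u

/* The three behaviours the thread contrasts: no initialisation, the
 * production 0x00 fill, and the slow 0xAA test pattern. */
enum init_mode { INIT_NONE, INIT_ZERO, INIT_PATTERN };
#define PATTERN_BYTE 0xAA

/* A one-object "slab": whatever the previous user wrote stays behind,
 * which is exactly what makes uninitialised reuse unpredictable. */
static unsigned char slab[32];

/* memset()-based equivalent of the clear_page_pattern() idea: an explicit
 * zero request is always honoured; otherwise the mode decides whether the
 * object is zeroed, pattern-filled, or left with stale contents. */
static void *demo_alloc(size_t size, unsigned int gfp, enum init_mode mode)
{
    if (size > sizeof slab)
        return NULL;
    if ((gfp & DEMO_GFP_ZERO) || mode == INIT_ZERO)
        memset(slab, 0x00, size);
    else if (mode == INIT_PATTERN)
        memset(slab, PATTERN_BYTE, size);
    return slab;
}

struct conn {
    int authenticated; /* the field the buggy constructor forgets to set */
    int fd;
};

/* Buggy constructor: sets fd but never touches `authenticated`. */
static struct conn *conn_open(int fd, enum init_mode mode)
{
    struct conn *c = demo_alloc(sizeof *c, 0 /* no __GFP_ZERO */, mode);
    c->fd = fd;
    return c;
}

/* Simulates a previous occupant of the slab that was authenticated and
 * then released without being scrubbed. */
static void leave_stale_object(void)
{
    struct conn *old = demo_alloc(sizeof *old, 0, INIT_NONE);
    old->authenticated = 1;
    old->fd = 7;
}

/* Opens a fresh connection under the given mode and reports what the
 * forgotten field contains. */
static int observed_auth_flag(enum init_mode mode)
{
    leave_stale_object();
    return conn_open(3, mode)->authenticated;
}

/* The check a test suite would make: a freshly opened connection must not
 * be authenticated. Returns 1 if the missing init is visible, 0 if masked. */
static int bug_caught(enum init_mode mode)
{
    return observed_auth_flag(mode) != 0;
}

/* The int value the 0xAA byte pattern produces, so a reader can recognise
 * "this came from the test pattern" rather than from real data. */
static int pattern_int(void)
{
    int v;
    memset(&v, PATTERN_BYTE, sizeof v);
    return v;
}

/* Confirms that an explicit zero request is honoured even in pattern mode,
 * matching the "0x00 or 0xAA depending on __GFP_ZERO" rule from the patch. */
static int zero_request_honoured(void)
{
    unsigned char *p = demo_alloc(8, DEMO_GFP_ZERO, INIT_PATTERN);
    size_t i;
    for (i = 0; i < 8; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}
```

With INIT_ZERO the forgotten field reads 0, so the connection looks unauthenticated by coincidence and the bug survives testing; with INIT_PATTERN it reads 0xAAAAAAAA every time, so the assertion fails deterministically and points straight at the constructor; with INIT_NONE the outcome depends on whatever the previous occupant left, which here happens to be an authenticated flag.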