Hi, Kees,
On Jun 18, 2021, at 6:47 PM, Kees cook
<keesc...@chromium.org<mailto:keesc...@chromium.org>> wrote:
On Wed, Jun 16, 2021 at 07:39:02PM +0000, Qing Zhao wrote:
So, the major question now is:
Is one single repeatable pattern enough for pattern initialization for all
different types of auto variables?
If YES, then the implementation for pattern initialization will be much easier
and simpler
as you pointed out. And will save me a lot of pain to implement this part.
If NO, then we have to keep the current complicate implementation since it
provides us
the flexibility to assign different patterns to different types.
Honestly, I don’t have a good justification on this question myself.
The previous references I have so far are the current behavior of CLANG and
Microsoft compiler.
For your reference,
. CLANG uses different patterns for INTEGER (0xAAAAAAAA) and FLOAT
(0xFFFFFFFF) and 32-bit pointer (0x000000AA)
https://reviews.llvm.org/D54604
. Microsoft uses different patterns for INTEGERS ( 0xE2), FLOAT (1.0)
https://msrc-blog.microsoft.com/2020/05/13/solving-uninitialized-stack-memory-on-windows/
My understanding from CLANG’s comment is, the patterns are easier to crash the
program for the certain type, therefore easier to
catch any potential bugs.
Right, this is the justification for the different patterns. I am
fine with a static value for the first version of this functionality,
as long as it's a non-canonical virtual memory address when evaluated
as a pointer (so that the pattern can't be made to aim at a legitimate
fixed allocatable address in memory).
Just searched online,
(https://en.wikipedia.org/wiki/X86-64#Virtual_address_space_details)
===
Canonical form addresses run from 0 through 00007FFF'FFFFFFFF, and from
FFFF8000'00000000 through FFFFFFFF'FFFFFFFF, for a total of 256 TB of usable
virtual address space.
===
So, if “pattern value” is “0xFFFFFFFFFFFFFFFF”, then it’s a valid canonical
virtual memory address. However, for most OS, “0xFFFFFFFFFFFFFFFF” should be
not in user space.
My question is, is “0xFFFFFFFFFFFFFFFFF” good for pointer? Or
“0xAAAAAAAAAAAAAAAA” better?
Thanks.
Qing
Don’t know why Microsoft chose the pattern like this.
So, For GCC, what should we do on the pattern initializations, shall we choose
one single repeatable pattern for all the types as you suggested,
Or chose different patterns for different types as Clang and Microsoft
compiler’s behavior?
Kees, do you have any comment on this?
How did Linux Kernel use -ftrivial-auto-var-init=pattern feature of CLANG?
It's just used as-is from the compiler, and recommended for "debug
builds".
--
Kees Cook
