2929 prompt "Initialize kernel stack variables at function entry"
3030 default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
3131 default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
32+ default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
3233 default INIT_STACK_NONE
3334 help
3435 This option enables initialization of stack variables at
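Review bot: the added `default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN` line gates the zero-init default on the pattern-init compiler check, while `config INIT_STACK_ALL_ZERO` later in this same file has `depends on CC_HAS_AUTO_VAR_INIT_ZERO`. On a compiler that passes the pattern check but not the zero check, the choice default would name an option that is not selectable, and Kconfig would silently fall through to `INIT_STACK_NONE`. Suggest `default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO` so the default and the option's own dependency agree. Since this line also changes the effective default for existing configs from no initialization to zero initialization whenever the compiler supports it, that behaviour change is worth stating explicitly in the commit message.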
@@ -39,11 +40,11 @@ choice
3940 syscalls.
4041
4142 This chooses the level of coverage over classes of potentially
42- uninitialized variables. The selected class will be
43+ uninitialized variables. The selected class of variable will be
4344 initialized before use in a function.
4445
4546 config INIT_STACK_NONE
46- bool "no automatic initialization (weakest)"
47+ bool "no automatic stack variable initialization (weakest)"
4748 help
4849 Disable automatic stack variable initialization.
4950 This leaves the kernel vulnerable to the standard
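Review bot: minor wording in the new line `The selected class of variable will be`: the preceding sentence talks about "classes of potentially uninitialized variables" (plural), so `The selected class of variables will be` reads more consistently. The prompt change to `no automatic stack variable initialization (weakest)` is an improvement, as it now says what is not being initialized.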
8081 and is disallowed.
8182
8283 config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
83- bool "zero-init anything passed by reference (very strong)"
84+ bool "zero-init everything passed by reference (very strong)"
8485 depends on GCC_PLUGINS
8586 depends on !(KASAN && KASAN_STACK)
8687 select GCC_PLUGIN_STRUCTLEAK
@@ -91,33 +92,44 @@ choice
9192 of uninitialized stack variable exploits and information
9293 exposures.
9394
95+ As a side-effect, this keeps a lot of variables on the
96+ stack that can otherwise be optimized out, so combining
97+ this with CONFIG_KASAN_STACK can lead to a stack overflow
98+ and is disallowed.
99+
94100 config INIT_STACK_ALL_PATTERN
95- bool "0xAA -init everything on the stack (strongest)"
101+ bool "pattern -init everything (strongest)"
96102 depends on CC_HAS_AUTO_VAR_INIT_PATTERN
97103 help
98- Initializes everything on the stack with a 0xAA
99- pattern . This is intended to eliminate all classes
100- of uninitialized stack variable exploits and information
101- exposures, even variables that were warned to have been
102- left uninitialized.
104+ Initializes everything on the stack (including padding)
105+ with a specific debug value . This is intended to eliminate
106+ all classes of uninitialized stack variable exploits and
107+ information exposures, even variables that were warned about
108+ having been left uninitialized.
103109
104110 Pattern initialization is known to provoke many existing bugs
105111 related to uninitialized locals, e.g. pointers receive
106- non-NULL values, buffer sizes and indices are very big.
112+ non-NULL values, buffer sizes and indices are very big. The
113+ pattern is situation-specific; Clang on 64-bit uses 0xAA
114+ repeating for all types and padding except float and double
115+ which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
116+ repeating for all types and padding.
107117
108118 config INIT_STACK_ALL_ZERO
109- bool "zero-init everything on the stack (strongest and safest)"
119+ bool "zero-init everything (strongest and safest)"
110120 depends on CC_HAS_AUTO_VAR_INIT_ZERO
111121 help
112- Initializes everything on the stack with a zero
113- value. This is intended to eliminate all classes
114- of uninitialized stack variable exploits and information
115- exposures, even variables that were warned to have been
116- left uninitialized.
117-
118- Zero initialization provides safe defaults for strings,
119- pointers, indices and sizes, and is therefore
120- more suitable as a security mitigation measure.
122+ Initializes everything on the stack (including padding)
123+ with a zero value. This is intended to eliminate all
124+ classes of uninitialized stack variable exploits and
125+ information exposures, even variables that were warned
126+ about having been left uninitialized.
127+
128+ Zero initialization provides safe defaults for strings
129+ (immediately NUL-terminated), pointers (NULL), indices
130+ (index 0), and sizes (0 length), so it is therefore more
131+ suitable as a production security mitigation than pattern
132+ initialization.
121133
122134endchoice
123135
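Review bot: the new sentences appended to the INIT_STACK_ALL_PATTERN help (`The pattern is situation-specific; Clang on 64-bit uses 0xAA repeating ... Clang on 32-bit uses 0xFF repeating for all types and padding.`) hardcode one compiler's current byte values into help text that is selected through the generic `CC_HAS_AUTO_VAR_INIT_PATTERN` check; the pattern is compiler-defined and can change between releases, so either qualify the sentence with the compiler version it was observed on or keep the help to "a compiler-chosen debug pattern" and point at the compiler documentation. Two smaller points in the same hunk: the prompt `"pattern -init everything (strongest)"` and the phrase `debug value .` carry a stray space before `-init` and before the period (the old `0xAA -init` and `pattern .` had the same, so this may be a rendering artifact rather than the source), and `so it is therefore more suitable` in the INIT_STACK_ALL_ZERO help doubles up `so` and `therefore`; `so it is more suitable` is enough. The added side-effect paragraph for GCC_PLUGIN_STRUCTLEAK_BYREF_ALL usefully explains the existing `depends on !(KASAN && KASAN_STACK)` line.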