This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug middle-end/69976] Zero the local stack on function exit


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69976

--- Comment #6 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to David Malcolm from comment #5)
> From a user's perspective, would this be better as a property of the data
> (or of its *type*), rather than of the function?  i.e. have the user mark
> the on-stack buffer as security-sensitive, rather than mark the function as
> a whole?
>  
> i.e. something like
> 
>   char __attribute__((security_sensitive)) buf[16];
> 
> Then the compiler could:
> (a) "do the right thing" for any functions containing such data: e.g.
> automatically clear the array after the last use, and
> (b) issue an error if the user tries to create a global variable of such a
> type, and
> (c) potentially suppress various optimizations on the data

But even if you clear the sensitive data from the stack array, it might still
live in the registers from which you stored the sensitive data into that array
etc.  I think per-function is better here over per-data.
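
What per-data clearing looks like when written by hand today, as an added example (not code from this bug thread or from GCC). `secure_clear` and `toy_tag` are hypothetical names, the checksum is a toy, and the key is constructed. The comments mark what such a clear cannot reach, which is the objection raised in the comment above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Zero n bytes so that the stores survive dead-store elimination.
   The empty asm with a "memory" clobber is a GCC/Clang extension. */
static void secure_clear(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* Toy keyed checksum, constructed for this example (not a real MAC).
   If leftover is non-NULL it receives the number of non-zero bytes
   still in the on-stack key copy just before return. */
uint32_t toy_tag(const uint8_t key[16], const uint8_t *msg, size_t len,
                 int clear, size_t *leftover)
{
    uint8_t buf[16];             /* the security-sensitive stack array */
    uint32_t acc = 0x811c9dc5u;
    size_t i, n = 0;

    memcpy(buf, key, sizeof buf);
    for (i = 0; i < len; i++)
        acc = (acc ^ msg[i] ^ buf[i % sizeof buf]) * 16777619u;
    if (clear)
        secure_clear(buf, sizeof buf);   /* per-data clear after last use */

    /* Key bytes the loop loaded into registers, or that the compiler
       spilled to other stack slots, are not touched by the clear above.
       Source code cannot name them; only the compiler can scrub them. */
    for (i = 0; i < sizeof buf; i++)
        n += (buf[i] != 0);
    if (leftover)
        *leftover = n;
    return acc;
}

int main(void)
{
    const uint8_t key[16] = "constructed-key";   /* constructed sample key */
    size_t left;
    uint32_t tag = toy_tag(key, (const uint8_t *)"abc", 3, 1, &left);
    printf("tag=%08x leftover=%zu\n", (unsigned)tag, left);
    return 0;
}
```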
