This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug middle-end/69976] Zero the local stack on function exit
- From: "jakub at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Fri, 04 Mar 2016 13:37:33 +0000
- Subject: [Bug middle-end/69976] Zero the local stack on function exit
- Auto-submitted: auto-generated
- References: <bug-69976-4 at http dot gcc dot gnu dot org/bugzilla/>
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69976
--- Comment #6 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to David Malcolm from comment #5)
> From a user's perspective, would this be better as a property of the data
> (or of its *type*), rather than of the function? i.e. have the user mark
> the on-stack buffer as security-sensitive, rather than mark the function as
> a whole?
>
> i.e. something like
>
> char __attribute__((security_sensitive)) buf[16];
>
> Then the compiler could:
> (a) "do the right thing" for any functions containing such data: e.g.
> automatically clear the array after the last use, and
> (b) issue an error if the user tries to create a global variable of such a
> type, and
> (c) potentially suppress various optimizations on the data
But even if you clear the sensitive data from the stack array, it might still
live in the registers from which you stored the sensitive data into that array
etc. I think per-function is better here over per-data.
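
The per-data approach discussed in this comment, written out by hand as an added example (not part of the original mail and not GCC code). The helper names `wipe` and `use_key` and the 16-byte key are hypothetical; the comments mark what an array-level wipe does and does not reach.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: clear a buffer through a volatile-qualified
   pointer. Every store is an observable side effect, so the optimizer
   may not drop it the way it may drop a trailing memset() on a local
   that is never read again (dead store elimination). */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical consumer of a secret: XOR-folds a 16-byte key into a tag.
   *residue receives the OR of buf[] as read back after the wipe. */
uint8_t use_key(const uint8_t key[16], uint8_t *residue)
{
    uint8_t buf[16];   /* the on-stack array a per-data attribute would mark */
    uint8_t tag = 0;
    uint8_t left = 0;

    memcpy(buf, key, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        tag ^= buf[i];

    wipe(buf, sizeof buf);   /* per-data clearing after the last use */

    /* The array is now zero. The key bytes the compiler loaded into
       registers (or spilled to other stack slots) for the memcpy and
       the XOR loop are not named by any C object, so wipe() cannot
       reach them; only the compiler can clear those on function exit. */
    for (size_t i = 0; i < sizeof buf; i++)
        left |= buf[i];
    *residue = left;
    return tag;
}

int main(void)
{
    uint8_t key[16], residue;   /* constructed sample key: bytes 1..16 */
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (uint8_t)(i + 1);
    printf("tag=0x%02x residue=0x%02x\n", use_key(key, &residue), residue);
    return 0;
}
```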