[Bug middle-end/69976] New: Zero the local stack on function exit; don't optimize out memset before return
daniel.gutson at tallertechnologies dot com
gcc-bugzilla@gcc.gnu.org
Fri Feb 26 10:13:00 GMT 2016
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69976
Bug ID: 69976
Summary: Zero the local stack on function exit; don't optimize out memset before return
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: enhancement
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: daniel.gutson at tallertechnologies dot com
Target Milestone: ---
Existing security practices recommend clearing arrays of automatic storage duration (e.g. by zeroing them) upon function exit.
This could be done by calling memset; however, gcc seems to optimize out the call to memset before the return statement (or when the memset call is the last statement). This forces security-sensitive applications to implement their own memset, usually a copy of it.
I suggest the following enhancement:
- provide two new attributes: 'clear_stack' and 'allow_ending_memset'
- provide two new flags: -fclear-stack and -Wdirty-stack
- logic: by using -fclear-stack, the following modes can be specified:
  - -fclear-stack=none: current behavior, memset is optimized out
  - -fclear-stack=attribute: the user controls the behavior on a per-function basis by using the attributes; 'clear_stack' causes gcc to add the memset call at the end of the function (no control flow analysis recommended), whereas 'allow_ending_memset' prevents gcc from optimizing out the call to memset, enabling the user to call it. Specifying both attributes in the same function should not be allowed.
  - -fclear-stack=auto: instructs gcc to emit a call to memset at the end of functions having arrays of automatic storage duration (zeroing those arrays only). The 'clear_stack' attribute can be used in this mode to force the stack zeroing on particular functions, overriding the decision logic.
  - -fclear-stack=always: instructs gcc to emit a call to memset at the end of every function having a nonempty stack.
- -Wdirty-stack: only to be used with -fclear-stack=attribute; causes gcc to emit a warning message when a function has at least one array of static storage duration but it is not zeroed at the end (either because 'clear_stack' wasn't specified or because there is no memset call statement; control flow analysis similar to the one used for detecting paths with no return statement in non-void functions could be used).
Please assign this to andres.tiraboschi@tallertechnologies.com
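As an added example (not part of the bug report or of gcc), the pattern the report describes in C: a local buffer wiped with a plain memset() just before return, which dead store elimination may drop, beside two common ways applications keep the wipe without copying memset. Function names and the sample key derivation are mine.

```c
/* Added example: why a trailing memset() can vanish, and two wipes that
 * survive optimization. Not code from the bug report or from gcc. */
#include <stddef.h>
#include <string.h>

/* The report's pattern: `secret` is dead after the memset(), so the
 * optimizer is free to treat the wipe as a dead store and remove it. */
void derive_key_naive(unsigned char out[16], const unsigned char seed[4])
{
    unsigned char secret[32];
    for (size_t i = 0; i < sizeof secret; i++)
        secret[i] = (unsigned char)(seed[i % 4] ^ (unsigned char)i);
    memcpy(out, secret, 16);
    memset(secret, 0, sizeof secret);   /* may be optimized out */
}

/* Wipe 1: store through a volatile pointer. Every store is a side
 * effect the compiler must perform, so the buffer really is cleared. */
void *secure_zero_volatile(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
    return p;
}

/* Wipe 2 (GCC/Clang specific): memset() followed by an empty asm
 * statement that takes the pointer and clobbers "memory". The compiler
 * must assume the zeroed bytes are read afterwards and keeps the memset. */
void *secure_zero_barrier(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
    return p;
}

/* Verification helper: 1 if every byte of p[0..n) is zero, else 0. */
int is_all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}
```

Compiling derive_key_naive with -O2 and inspecting the assembly shows whether the trailing memset survived; the two wipe helpers are the workaround the report says applications currently have to write themselves.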