[Bug middle-end/69976] New: Zero the local stack on function exit; don't optimize out memset before return

daniel.gutson at tallertechnologies dot com gcc-bugzilla@gcc.gnu.org
Fri Feb 26 10:13:00 GMT 2016


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69976

            Bug ID: 69976
           Summary: Zero the local stack on function exit; don't optimize
                    out memset before return
           Product: gcc
           Version: 6.0
            Status: UNCONFIRMED
          Severity: enhancement
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: daniel.gutson at tallertechnologies dot com
  Target Milestone: ---

Existing security practices recommend clearing the arrays of automatic storage
duration (e.g. by zeroing them) upon function exit.
This could be done by calling memset; however, gcc seems to optimize out the
call to memset before the return statement (or when the memset call is the last
statement). This forces security-sensitive applications to implement their own
memset, usually a copy of it.
I suggest the following enhancement:
-provide two new attributes: 'clear_stack' and 'allow_ending_memset'
-provide two new flags: -fclear-stack and -Wdirty-stack
-logic: by using -fclear-stack, the following modes can be specified:
     -fclear-stack=none: current behavior, memset is optimized out
     -fclear-stack=attribute: the user controls the behavior on a per-function
basis by using the attributes; 'clear_stack' causes gcc to add the memset call
at the end of the function (no control flow analysis recommended), whereas
'allow_ending_memset' prevents gcc from optimizing out the call to memset,
enabling the user to call it. Specifying both attributes in the same function
should not be allowed.
     -fclear-stack=auto: instructs gcc to emit a call to memset at the end of
functions having arrays of automatic storage duration (zeroing those arrays
only). The 'clear_stack' attribute can be used in this mode to force the stack
zeroing on particular functions, overriding the decision logic.
     -fclear-stack=always: instructs gcc to emit a call to memset at the end of
every function having a nonempty stack.
     -Wdirty-stack: only to be used with -fclear-stack=attribute, causes gcc to
emit a warning message when a function has at least one array of static storage
duration but it is not zeroed at the end (either because 'clear_stack' wasn't
specified or because there is no memset call statement; control flow analysis
similar to the one used for detecting paths with no return statement in
non-void-return functions could be used).
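As an added example (not part of the report or of gcc), the pattern the report describes beside a workaround that does not require copying memset: the first function's trailing memset is a dead store the optimizer may drop, while the second scrubs through a volatile function pointer followed by an asm memory clobber. The barrier is assumed to be compiled with GCC or Clang; the key bytes and the 64-byte scratch buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Call through a volatile function pointer: the optimizer cannot prove the
   callee is memset, so its stores cannot be eliminated as dead. */
static void *(*const volatile zero_fn)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    zero_fn(p, 0, n);
    /* Assumed GCC/Clang extended asm: compiler barrier with a memory clobber. */
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* Pattern from the report: buf is dead once acc is computed, so dead-store
   elimination may drop the trailing memset and the key stays on the stack. */
uint32_t fold_key_insecure(const uint8_t *key, size_t n)
{
    uint8_t buf[64];
    uint32_t acc = 0;
    if (n > sizeof buf) n = sizeof buf;
    memcpy(buf, key, n);
    for (size_t i = 0; i < n; i++) acc = acc * 31u + buf[i];
    memset(buf, 0, sizeof buf);   /* may be removed by the optimizer */
    return acc;
}

/* Hardened form: same computation, scrubbing that survives optimization. */
uint32_t fold_key_secure(const uint8_t *key, size_t n)
{
    uint8_t buf[64];
    uint32_t acc = 0;
    if (n > sizeof buf) n = sizeof buf;
    memcpy(buf, key, n);
    for (size_t i = 0; i < n; i++) acc = acc * 31u + buf[i];
    secure_zero(buf, sizeof buf); /* kept */
    return acc;
}

/* Self-check on a constructed buffer: fill, scrub, return 1 if all zero. */
int secure_zero_works(void)
{
    uint8_t buf[32], acc = 0;
    memset(buf, 0xA5, sizeof buf);
    secure_zero(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) acc |= buf[i];
    return acc == 0;
}
```

Compiling both functions with `gcc -O2 -S` and comparing the output shows whether the memset in the first one survives, which is exactly what the proposed -Wdirty-stack warning would report.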

Please assign this to andres.tiraboschi@tallertechnologies.com
