This is an archive of the discontinued LLVM Phabricator instance.

Differential D54473

[sanitizers] Initial implementation for -fsanitize=init-locals
AbandonedPublic

Authored by glider on Nov 13 2018, 7:16 AM.

Details

Reviewers
kcc
rjmccall
rsmith
Summary

This patch adds a new feature, -fsanitize=init-locals, which generates zero initializers for uninitialized local variables.

There's been discussions in the security community about the impact of zero-initializing all locals to prevent information leaks. The new feature shall help evaluating the pros and cons of such an approach.

Credits for the code go to Daniel Micay (original patch is at https://github.com/AndroidHardeningArchive/platform_external_clang/commit/776a0955ef6686d23a82d2e6a3cbd4a6a882c31c)

Diff Detail

Event Timeline

glider created this revision.Nov 13 2018, 7:16 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptNov 13 2018, 7:16 AM
lebedev.ri added a subscriber: lebedev.ri.Nov 13 2018, 7:21 AM
lebedev.ri added inline comments.
include/clang/Basic/Sanitizers.def
163

Unless i'm mistaken, I suspect you may see some surprising behavior here, unfortunately.
Bug 39425 - SanitizerOrdinal is out of bits

kcc added a comment.Nov 13 2018, 12:17 PM

This new flag inhibits the warnings from -Wuninitialized, right?
While this is fine for experimenting (and I want to have this in ToT to enable wide experimentation)
we should clearly state (in the comments) that the final intent is to make the feature work together with -Wuninitialized.

Another thing that we will need (and not necessary in the first change) is to have fine grained controls over what we zero-initialize.
We may want to make separate decisions for pointer/non-pointer scalars, PODs, arrays of {scalars, pointers, PODs}, etc.

glider added a comment.Nov 14 2018, 3:43 AM
In D54473#1297460, @kcc wrote:

This new flag inhibits the warnings from -Wuninitialized, right?
While this is fine for experimenting (and I want to have this in ToT to enable wide experimentation)
we should clearly state (in the comments) that the final intent is to make the feature work together with -Wuninitialized.

No, as far as I can see, the warnings from -Wuninitialized are still present (see the test).

Another thing that we will need (and not necessary in the first change) is to have fine grained controls over what we zero-initialize.
We may want to make separate decisions for pointer/non-pointer scalars, PODs, arrays of {scalars, pointers, PODs}, etc.

Ok, noted.

glider added inline comments.Nov 14 2018, 5:18 AM
include/clang/Basic/Sanitizers.def
163

Um, this is unfortunate.
We don't strictly need this feature to live under -fsanitize= flag, although having the corresponding attribute could've been handy.

kcc added a comment.Nov 15 2018, 6:25 PM

I think you can safely abandon this change in favor of https://reviews.llvm.org/D54604 -- please join the review there.

lebedev.ri mentioned this in D54604: Automatic variable initialization.Nov 16 2018, 2:28 AM
jfb added a subscriber: jfb.Nov 16 2018, 10:24 AM
vitalybuka added a subscriber: vitalybuka.Nov 16 2018, 1:46 PM
glider abandoned this revision.Nov 19 2018, 8:28 AM
emaste added a subscriber: emaste.Nov 20 2018, 1:33 PM

Revision Contents

PathSize
include/
clang/
Basic/
3 lines
lib/
CodeGen/
14 lines
Driver/
2 lines
test/
CodeGen/
42 lines

Diff 173841

include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 153 Lines▼ Show 20 Lines
// EfficiencySanitizer // EfficiencySanitizer
SANITIZER("efficiency-cache-frag", EfficiencyCacheFrag) SANITIZER("efficiency-cache-frag", EfficiencyCacheFrag)
SANITIZER("efficiency-working-set", EfficiencyWorkingSet) SANITIZER("efficiency-working-set", EfficiencyWorkingSet)
// Meta-group only used internally. // Meta-group only used internally.
SANITIZER_GROUP("efficiency-all", Efficiency, SANITIZER_GROUP("efficiency-all", Efficiency,
EfficiencyCacheFrag | EfficiencyWorkingSet) EfficiencyCacheFrag | EfficiencyWorkingSet)
// Initialize local variables.
SANITIZER("init-locals", InitLocals)
lebedev.riUnsubmitted
Not Done
ReplyInline Actions

Unless i'm mistaken, I suspect you may see some surprising behavior here, unfortunately.
Bug 39425 - SanitizerOrdinal is out of bits

lebedev.ri: Unless i'm mistaken, I suspect you may see some surprising behavior here, unfortunately.
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Um, this is unfortunate.
We don't strictly need this feature to live under -fsanitize= flag, although having the corresponding attribute could've been handy.

glider: Um, this is unfortunate. We don't strictly need this feature to live under -fsanitize= flag…
// Scudo hardened allocator // Scudo hardened allocator
SANITIZER("scudo", Scudo) SANITIZER("scudo", Scudo)
// Magic group, containing all sanitizers. For example, "-fno-sanitize=all" // Magic group, containing all sanitizers. For example, "-fno-sanitize=all"
// can be used to disable all the sanitizers. // can be used to disable all the sanitizers.
SANITIZER_GROUP("all", All, ~0ULL) SANITIZER_GROUP("all", All, ~0ULL)
#undef SANITIZER #undef SANITIZER
#undef SANITIZER_GROUP #undef SANITIZER_GROUP

lib/CodeGen/CGDecl.cpp

Show First 20 LinesShow All 1,428 Lines▼ Show 20 Lines if (!Init &&
QualType::PDIK_Struct) { QualType::PDIK_Struct) {
LValue Dst = MakeAddrLValue(emission.getAllocatedAddress(), type); LValue Dst = MakeAddrLValue(emission.getAllocatedAddress(), type);
if (emission.IsEscapingByRef) if (emission.IsEscapingByRef)
drillIntoBlockVariable(*this, Dst, &D); drillIntoBlockVariable(*this, Dst, &D);
defaultInitNonTrivialCStructVar(Dst); defaultInitNonTrivialCStructVar(Dst);
return; return;
} }
if (isTrivialInitializer(Init)) bool trivial = isTrivialInitializer(Init);
if (trivial && !getLangOpts().Sanitize.has(SanitizerKind::InitLocals))
return; return;
// Check whether this is a byref variable that's potentially // Check whether this is a byref variable that's potentially
// captured and moved by its own initializer. If so, we'll need to // captured and moved by its own initializer. If so, we'll need to
// emit the initializer first, then copy into the variable. // emit the initializer first, then copy into the variable.
bool capturedByInit = emission.IsEscapingByRef && isCapturedBy(D, Init); bool capturedByInit = emission.IsEscapingByRef && isCapturedBy(D, Init);
Address Loc = Address Loc =
capturedByInit ? emission.Addr : emission.getObjectAddress(*this); capturedByInit ? emission.Addr : emission.getObjectAddress(*this);
bool constantAggregate = emission.IsConstantAggregate;
llvm::Constant *constant = nullptr; llvm::Constant *constant = nullptr;
if (emission.IsConstantAggregate || D.isConstexpr()) { if (trivial) {
QualType Ty = D.getType();
constant = CGM.EmitNullConstant(Ty);
if (Ty->isArrayType() || Ty->isRecordType())
constantAggregate = true;
} else if (emission.IsConstantAggregate || D.isConstexpr()) {
assert(!capturedByInit && "constant init contains a capturing block?"); assert(!capturedByInit && "constant init contains a capturing block?");
constant = ConstantEmitter(*this).tryEmitAbstractForInitializer(D); constant = ConstantEmitter(*this).tryEmitAbstractForInitializer(D);
} }
if (!constant) { if (!constant) {
LValue lv = MakeAddrLValue(Loc, type); LValue lv = MakeAddrLValue(Loc, type);
lv.setNonGC(true); lv.setNonGC(true);
return EmitExprAsInit(Init, &D, lv, capturedByInit); return EmitExprAsInit(Init, &D, lv, capturedByInit);
} }
if (!emission.IsConstantAggregate) { if (!constantAggregate) {
// For simple scalar/complex initialization, store the value directly. // For simple scalar/complex initialization, store the value directly.
LValue lv = MakeAddrLValue(Loc, type); LValue lv = MakeAddrLValue(Loc, type);
lv.setNonGC(true); lv.setNonGC(true);
return EmitStoreThroughLValue(RValue::get(constant), lv, true); return EmitStoreThroughLValue(RValue::get(constant), lv, true);
} }
// If this is a simple aggregate initialization, we can optimize it // If this is a simple aggregate initialization, we can optimize it
// in various ways. // in various ways.
▲ Show 20 LinesShow All 686 LinesShow Last 20 Lines

lib/Driver/ToolChain.cpp

Show First 20 LinesShow All 813 Lines▼ Show 20 Lines
SanitizerMask ToolChain::getSupportedSanitizers() const { SanitizerMask ToolChain::getSupportedSanitizers() const {
// Return sanitizers which don't require runtime support and are not // Return sanitizers which don't require runtime support and are not
// platform dependent. // platform dependent.
using namespace SanitizerKind; using namespace SanitizerKind;
SanitizerMask Res = (Undefined & ~Vptr & ~Function) | (CFI & ~CFIICall) | SanitizerMask Res = (Undefined & ~Vptr & ~Function) | (CFI & ~CFIICall) |
CFICastStrict | UnsignedIntegerOverflow | CFICastStrict | UnsignedIntegerOverflow |
ImplicitConversion | Nullability | LocalBounds; ImplicitConversion | Nullability | LocalBounds | InitLocals;
if (getTriple().getArch() == llvm::Triple::x86 || if (getTriple().getArch() == llvm::Triple::x86 ||
getTriple().getArch() == llvm::Triple::x86_64 || getTriple().getArch() == llvm::Triple::x86_64 ||
getTriple().getArch() == llvm::Triple::arm || getTriple().getArch() == llvm::Triple::arm ||
getTriple().getArch() == llvm::Triple::aarch64 || getTriple().getArch() == llvm::Triple::aarch64 ||
getTriple().getArch() == llvm::Triple::wasm32 || getTriple().getArch() == llvm::Triple::wasm32 ||
getTriple().getArch() == llvm::Triple::wasm64) getTriple().getArch() == llvm::Triple::wasm64)
Res |= CFIICall; Res |= CFIICall;
if (getTriple().getArch() == llvm::Triple::x86_64 || if (getTriple().getArch() == llvm::Triple::x86_64 ||
▲ Show 20 LinesShow All 131 LinesShow Last 20 Lines

test/CodeGen/sanitize-init-locals.c

// Test for -fsanitize=init-locals.
// RUN: %clang_cc1 %s -O0 -triple x86_64-unknown-linux-gnu -emit-llvm -o - | FileCheck %s
// RUN: %clang_cc1 %s -O0 -triple x86_64-unknown-linux-gnu -fsanitize=init-locals -emit-llvm -o - | FileCheck -check-prefixes=CHECK,CHECK-INIT-LOCALS %s
// RUN: %clang_cc1 %s -O0 -triple x86_64-unknown-linux-gnu -Wuninitialized -emit-llvm -o - 2>&1 | FileCheck -check-prefix=CHECK-WUNINITIALIZED %s
// RUN: %clang_cc1 %s -O0 -triple x86_64-unknown-linux-gnu -Wuninitialized -fsanitize=init-locals -emit-llvm -o - 2>&1 | FileCheck -check-prefix=CHECK-WUNINITIALIZED %s
// CHECK: @testSanitizeInitLocals.local_array_init_part = private unnamed_addr constant [5 x i32] [i32 0, i32 1, i32 2, i32 0, i32 0], align 16
// CHECK: @testSanitizeInitLocals.local_array_init = private unnamed_addr constant [5 x i32] [i32 0, i32 1, i32 2, i32 3, i32 4], align 16
// CHECK: %local_int_uninit = alloca i32, align 4
// CHECK: %local_int_init_0 = alloca i32, align 4
// CHECK: %local_int_init = alloca i32, align 4
// CHECK: %local_array_uninit = alloca [5 x i32], align 16
// CHECK: %local_array_init_part = alloca [5 x i32], align 16
// CHECK: %local_array_init = alloca [5 x i32], align 16
// CHECK-INIT-LOCALS: store i32 0, i32* %local_int_uninit, align 4
// CHECK: store i32 0, i32* %local_int_init_0, align 4
// CHECK: store i32 1, i32* %local_int_init, align 4
//
// CHECK-INIT-LOCALS: [[CAST0:%.*]] = {{.*}}%local_array_uninit
// CHECK-INIT-LOCALS: call void @llvm.memset{{.*}}({{.*}}[[CAST0]], i8 0, i64 20
// CHECK: [[CAST1:%.*]] = {{.*}}%local_array_init_part
// CHECK: call void @llvm.memcpy{{.*}}({{.*}}[[CAST1]], {{.*}}@testSanitizeInitLocals.local_array_init_part{{.*}}, {{.*}} 20
// CHECK: [[CAST2:%.*]] = {{.*}}%local_array_init
// CHECK: call void @llvm.memcpy{{.*}}({{.*}}[[CAST2]], {{.*}}@testSanitizeInitLocals.local_array_init{{.*}}, {{.*}} 20
// CHECK-WUNINITIALIZED: warning: variable 'local_int_uninit' is uninitialized when used here
int testSanitizeInitLocals(void)
{
const int local_int_uninit;
const int local_int_init_0 = 0;
const int local_int_init = 1;
const int local_array_uninit[5];
const int local_array_init_part[5] = {0, 1, 2};
const int local_array_init[5] = {0, 1, 2, 3, 4};
return local_int_uninit;
}