[PATCH 1/3] compiler.h: define __do_not_initialize
Kees Cook
keescook at chromium.org
Tue Feb 25 04:16:35 UTC 2020
On Mon, Feb 24, 2020 at 04:34:59PM +0100, glider at google.com wrote:
> For CONFIG_INIT_STACK_ALL it's sometimes handy to disable
> force-initialization for a local variable, if it is known to be initialized
> later on before the first use. This can be done by using the
> __do_not_initialize macro.
Nit-pick: other things are listed as __no_$feature. What about naming
this __no_initialize (or reuse the attribute name of __uninitialized)?
> __do_not_initialize should be applied carefully, as future changes to
> the code around the local variable may introduce paths on which the
> variable remains uninitialized before the use.
>
> Signed-off-by: Alexander Potapenko <glider at google.com>
Please CC lkml as well in the future.
But yes, this seems like a reasonable work-around until compilers can be
taught which functions are considered initialization sinks. :)
-Kees
> ---
> include/linux/compiler-clang.h | 10 ++++++++++
> include/linux/compiler_types.h | 4 ++++
> 2 files changed, 14 insertions(+)
>
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index 333a6695a918c..9204334d39261 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -24,6 +24,16 @@
> #define __no_sanitize_address
> #endif
>
> +/*
> + * Disable initialization of a local variable when building with
> + * CONFIG_INIT_STACK_ALL.
> + */
> +#ifdef CONFIG_INIT_STACK_ALL
> +#define __do_not_initialize __attribute__((uninitialized))
> +#else
> +#define __do_not_initialize
> +#endif
> +
> /*
> * Not all versions of clang implement the the type-generic versions
> * of the builtin overflow checkers. Fortunately, clang implements
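Review bot: the new `#ifdef CONFIG_INIT_STACK_ALL` block defines `__do_not_initialize` from the Kconfig symbol alone, with no check that this clang actually accepts `__attribute__((uninitialized))`; consider `#if defined(CONFIG_INIT_STACK_ALL) && __has_attribute(uninitialized)` so a compiler without the attribute gets the empty fallback rather than an unknown-attribute warning at every annotated declaration. The header comment ("Disable initialization of a local variable when building with CONFIG_INIT_STACK_ALL.") also drops the contract spelled out in the commit message, that the annotated variable holds whatever was on the stack and must be assigned on every path before its first use; that caveat belongs next to the macro, where future users will see it.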
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> index 72393a8c1a6c5..b216beb5586fc 100644
> --- a/include/linux/compiler_types.h
> +++ b/include/linux/compiler_types.h
> @@ -180,6 +180,10 @@ struct ftrace_likely_data {
>
> #endif /* __ASSEMBLY__ */
>
> +#ifndef __do_not_initialize
> +#define __do_not_initialize
> +#endif
> +
> /*
> * The below symbols may be defined for one or more, but not ALL, of the above
> * compilers. We don't consider that to be an error, so set them to nothing.
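Review bot: the `#ifndef __do_not_initialize` fallback lands just above the comment that begins "The below symbols may be defined for one or more, but not ALL, of the above compilers. We don't consider that to be an error, so set them to nothing." That comment describes exactly this kind of per-compiler default, so the new block should sit below it with the other fallbacks rather than above it; as placed, the comment no longer introduces the group it documents.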
> --
> 2.25.0.265.gbab2e86ba0-goog
>
--
Kees Cook
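The opt-out pattern the patch enables, shown as an added user-space example rather than kernel code: the macro below mirrors the patch's definition but is gated on `__has_attribute(uninitialized)` instead of `CONFIG_INIT_STACK_ALL` (an assumption, so that it also builds with compilers that lack the attribute), and `struct record`, `fill_record()`, `record_checksum()` and the sample bytes are constructed for the illustration. The point is the contract from the commit message: the annotated local is only safe because `fill_record()` is an initialization sink that writes every byte of it on every return path, including the error path.

```c
/* Added example, not kernel code: opting one stack variable out of
 * automatic initialization when it is provably written by a sink first. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the patch's macro; gated on __has_attribute (assumption) so the
 * example builds in user space with compilers that lack the attribute. */
#if defined(__has_attribute)
# if __has_attribute(uninitialized)
#  define __do_not_initialize __attribute__((uninitialized))
# endif
#endif
#ifndef __do_not_initialize
# define __do_not_initialize
#endif

/* 16 bytes, no padding, so a byte-wise walk covers the whole object. */
struct record {
	uint32_t id;
	uint8_t payload[12];
};

/* The initialization sink: every byte of *r is written on every path,
 * which is what makes __do_not_initialize on the caller's local safe. */
static int fill_record(struct record *r, const uint8_t *src, size_t len)
{
	if (len < sizeof(*r)) {
		/* Short input: still fully initialize, never leave stack garbage. */
		memset(r, 0, sizeof(*r));
		return -1;
	}
	memcpy(r, src, sizeof(*r));
	return 0;
}

/* Builds a record from src and returns the sum of its bytes.  The local
 * is exempt from -ftrivial-auto-var-init because fill_record() always
 * initializes it before the loop reads it; if a future edit added a path
 * that returned before fill_record(), this annotation would turn that
 * path into an uninitialized read, which is the hazard the commit
 * message warns about. */
unsigned int record_checksum(const uint8_t *src, size_t len)
{
	struct record r __do_not_initialize;
	const uint8_t *p = (const uint8_t *)&r;
	unsigned int sum = 0;
	size_t i;

	(void)fill_record(&r, src, len);
	for (i = 0; i < sizeof(r); i++)
		sum += p[i];
	return sum;
}

/* Constructed sample input: one 16-byte record with bytes 1..16. */
static const uint8_t sample_record[16] = {
	1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

int main(void)
{
	printf("checksum (full record) = %u\n",
	       record_checksum(sample_record, sizeof(sample_record)));
	printf("checksum (short input) = %u\n",
	       record_checksum(sample_record, 4));
	return 0;
}
```

Build it with clang and `-ftrivial-auto-var-init=pattern` (the flag CONFIG_INIT_STACK_ALL turns on) and `r` is the one local the compiler does not pre-fill; with gcc, or any compiler where `__has_attribute(uninitialized)` is false, the macro expands to nothing and the code is unchanged, exactly like the `#else` branch in the patch. The short-input call is the case to keep in mind: the sink must cover its failure path too, or the exemption becomes an information leak.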