Bug#1010685: dpkg-buildflags: Please enable -ftrivial-auto-var-init=zero

2022-05-27 Thread Guillem Jover
Hi!

On Fri, 2022-05-06 at 20:50:08 -0700, Kees Cook wrote:
> Package: dpkg-dev
> Version: 1.21.7
> Severity: normal

> Please add "-ftrivial-auto-var-init=zero" for GCC 12 (which is the first
> release of GCC to provide this flag).
> 
> It goes well with the other important security flaw mitigation flags
> already enabled in Debian:
> https://wiki.debian.org/Hardening#dpkg-buildflags
> 
> While many variables are initialized (due to -Wuninitialized), there is
> a blind spot for variables passed by reference, padding, and cases where
> -Wuninitialized just fails to track it. Universally wiping the variables
> eliminates nearly the entire class of uninitialized stack variable use
> (https://cwe.mitre.org/data/definitions/457.html) with nearly no overhead
> (e.g. any duplicate assignments will already be squashed during dead
> store elimination, etc).

Ah, this flag is great, it's a pity the C standard would not declare
this the default behavior though. :/

Checking https://bugs.launchpad.net/ubuntu/+source/gcc-12/+bug/1972043
that covers my main concerns I think.

The clang position on =zero seems concerning though. I also hope no
security related project is using the uninitialized memory (UB) to
seed something like a PRNG or similar. :/

(Enabling this by default means that developers might fail to notice
issues shadowed by this feature, and this could then affect builds on
systems where this is not the default. This is less concerning when
enabling it in dpkg-dev than in gcc I guess.)

The usual procedure to add new default flags (in case of hardening
even adding a new flag disabled by default implies more or less being
enabled by default as many packages simply do hardening=+all), would be
https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F,
but in this case I'm not sure how useful an archive rebuild would be
given that the effect would most probably be seen at run-time, but
only on unexpected conditions. Still bringing this up on debian-devel
would be a first.

Thanks,
Guillem



Bug#1010685: dpkg-buildflags: Please enable -ftrivial-auto-var-init=zero

2022-05-06 Thread Kees Cook
Package: dpkg-dev
Version: 1.21.7
Severity: normal

Please add "-ftrivial-auto-var-init=zero" for GCC 12 (which is the first
release of GCC to provide this flag).

It goes well with the other important security flaw mitigation flags
already enabled in Debian:
https://wiki.debian.org/Hardening#dpkg-buildflags

While many variables are initialized (due to -Wuninitialized), there is
a blind spot for variables passed by reference, padding, and cases where
-Wuninitialized just fails to track it. Universally wiping the variables
eliminates nearly the entire class of uninitialized stack variable use
(https://cwe.mitre.org/data/definitions/457.html) with nearly no overhead
(e.g. any duplicate assignments will already be squashed during dead
store elimination, etc).

-- Package-specific info:

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.13.0-37-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dpkg-dev depends on:
ii  binutils  2.38-3
ii  bzip2 1.0.8-5
ii  libdpkg-perl  1.21.7
ii  make  4.3-4.1
ii  patch 2.7.6-7
ii  perl  5.34.0-4
ii  tar   1.34+dfsg-1
ii  xz-utils  5.2.5-2.1

Versions of packages dpkg-dev recommends:
pn  build-essential  
ii  fakeroot 1.28-1
ii  gcc [c-compiler] 4:11.2.0-2
ii  gcc-10 [c-compiler]  10.3.0-15
ii  gcc-11 [c-compiler]  11.2.0-20
ii  gcc-4.2 [c-compiler] 4.2.4-6
ii  gcc-4.4 [c-compiler] 4.4.7-8
ii  gcc-4.5 [c-compiler] 4.5.4-1
ii  gcc-4.6 [c-compiler] 4.6.4-7
ii  gcc-4.7 [c-compiler] 4.7.4-3
ii  gcc-4.8 [c-compiler] 4.8.5-4
ii  gcc-4.9 [c-compiler] 4.9.4-2
ii  gcc-5 [c-compiler]   5.5.0-12
ii  gcc-6 [c-compiler]   6.5.0-2
ii  gcc-9 [c-compiler]   9.4.0-5
pn  gnupg
ii  gpgv 2.2.34-1
ii  libalgorithm-merge-perl  0.08-3

Versions of packages dpkg-dev suggests:
ii  debian-keyring  2021.12.24

-- no debconf information
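An added illustration, not code from the bug report or from dpkg: the two blind spots Kees lists (variables passed by reference, and struct padding), with hand-written zeroing standing in for what -ftrivial-auto-var-init=zero would emit for every automatic variable. `parse_port`, `port_or_zero`, `struct hdr` and `encode_hdr` are constructed names for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Case 1, "variables passed by reference": the callee stores through `out`
 * only on success. -Wuninitialized runs in the caller and cannot see the
 * skipped store on the other side of the call, so it stays silent. */
static int parse_port(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 1 || v > 65535)
        return -1;            /* failure path: *out deliberately untouched */
    *out = (int)v;
    return 0;
}

/* Caller written the way the bug class appears in practice: it ignores the
 * status and trusts the callee to have filled `port`. The explicit `= 0` is
 * the hand-written equivalent of what -ftrivial-auto-var-init=zero does for
 * every automatic variable; without it the failure path returns whatever the
 * stack slot held before (CWE-457). */
int port_or_zero(const char *s)
{
    int port = 0;
    (void)parse_port(s, &port);
    return port;
}

/* Case 2, "padding": on common ABIs `struct hdr` has padding bytes between
 * `type` and `len`. A designated initializer sets the named members but gives
 * no guarantee about padding, so copying the struct into an output buffer can
 * carry stale stack bytes along. Zeroing the whole object first, which is what
 * the flag does for the variable, makes every copied byte deterministic. */
struct hdr {
    uint8_t  type;
    uint32_t len;
};

size_t encode_hdr(uint8_t type, uint32_t len, unsigned char *buf)
{
    struct hdr h;
    memset(&h, 0, sizeof h);  /* covers the padding; `= {0}` need not */
    h.type = type;
    h.len = len;
    memcpy(buf, &h, sizeof h);
    return sizeof h;
}
```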