Re: Q: why didn't GCC warn about this uninitialized variable?

From: Ingo Molnar
Date: Thu Mar 03 2016 - 07:43:36 EST



* Måns Rullgård <mans@xxxxxxxxx> wrote:

> > So the source of the bug was:
> >
> > struct sigaction sa;
> >
> > ...
> >
> > sigfillset(&sa.sa_mask);
> > sa.sa_sigaction = segfault_handler;
> > sigaction(SIGSEGV, &sa, NULL);
> >
> > ... which uninitialized sa.sa_flags field GCC merrily accepted as
> > proper C code, despite us turning on essentially _all_ GCC warnings
> > for the perf build that exist under the sun:
> >
> > gcc -Wbad-function-cast -Wdeclaration-after-statement -Wformat-security -Wformat-y2k \
> > -Winit-self -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
> > -Wno-system-headers -Wold-style-definition -Wpacked -Wredundant-decls \
> > -Wshadow -Wstrict-aliasing=3 -Wstrict-prototypes -Wswitch-default -Wswitch-enum \
> > -Wundef -Wwrite-strings -Wformat \
> > -Werror -O6 -fno-omit-frame-pointer -ggdb3 -funwind-tables -Wall -Wextra -std=gnu99 -fstack-protector-all -D_FORTIFY_SOURCE=2
> >
> > This is a _trivial_ uninitialized variable bug, yet GCC never warned
> > about it. Why?
> >
> > People build perf with a wide range of GCC versions, from old ones to
> > trunk. I cannot believe it that none of those GCC versions warned
> > about this trivial looking bug!
> >
> > And yes, I know that unitialized structures on the stack are valid C
> > code, yet it's one of the most fragile aspects of C and it was the
> > source of countless security holes in the past...
>
> Passing a pointer to an uninitialised object is typically not warned about since
> the purpose of the call might be to initialise it in the first place. Now the
> second argument of sigaction() is a pointer to const, so the compiler should be
> able to see that this isn't the case.
>
> Maybe it's not warning because some fields in the struct are initialised and the
> function, as far as the compiler knows, might only be accessing those. (There's
> certainly code out there using that pattern.) If this is the case here, a flag
> to warn unless the object is fully initialised would be useful to catch bugs
> like this.

So it would be absolutely fantastic if one of these solutions existed on GCC:

- emit a warning if a structure is passed around uninitialized. A new GCC
__attribute__((struct_fully_initialized)) could be used to annotate extern
function arguments which fully initialize input arguments.

(I'd personally migrate both tools/perf and kernel side code to use it, module
by module.)

- or memset() to zero all on-stack structures that GCC cannot prove are
initialized fully.

The first solution takes extra work on the source level, the latter takes extra
runtime profiling to find where the extra memset()s matter to performance. Any of
these would be fantastic tools for C robustness and security.

Thanks,

Ingo