Use memset to zero stack allocations containing unions #16206

robn · 2024-05-17T09:18:22Z

Motivation and Context

Description

C99 6.7.8.17 says that when an undesignated initialiser is used, only the first element of a union is initialised. If the first element is not the largest within the union, how the remaining space is initialised is up to the compiler.

GCC extends the initialiser to the entire union, while Clang treats the remainder as padding, and so initialises according to whatever automatic/implicit initialisation rules are currently active.

When Linux is compiled with CONFIG_INIT_STACK_ALL_PATTERN, -ftrivial-auto-var-init=pattern is added to the kernel CFLAGS. This flag sets the policy for automatic/implicit initialisation of variables on the stack.

Taken together, this means that when compiling under CONFIG_INIT_STACK_ALL_PATTERN on Clang, the "zero" initialiser will only zero the first element in a union, and the rest will be filled with a pattern. This is significant for aes_ctx_t, which in aes_encrypt_atomic() and aes_decrypt_atomic() is initialised to zero, but then used as a gcm_ctx_t, which is the fifth element in the union, and thus gets pattern initialisation. Later, it's assumed to be zero, resulting in a hang.

As confusing and undiscoverable as it is, by the spec, we are at fault when we initialise a structure containing a union with the zero initializer. As such, this commit replaces these uses with an explicit memset(0).

How Has This Been Tested?

Full test suite run succeeded against a 6.7.12 kernel and this patch, both compiled using Clang 18.

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Performance enhancement (non-breaking change which improves efficiency)
Code cleanup (non-breaking change which makes code smaller or more readable)
Breaking change (fix or feature that would cause existing functionality to change)
Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
Documentation (a change to man pages or other documentation)

Checklist:

My code follows the OpenZFS code style requirements.
I have updated the documentation accordingly.
I have read the contributing document.
I have added tests to cover my changes.
I have run the ZFS Test Suite with this change applied.
All commit messages are properly formatted and contain Signed-off-by.

C99 6.7.8.17 says that when an undesignated initialiser is used, only the first element of a union is initialised. If the first element is not the largest within the union, how the remaining space is initialised is up to the compiler. GCC extends the initialiser to the entire union, while Clang treats the remainder as padding, and so initialises according to whatever automatic/implicit initialisation rules are currently active. When Linux is compiled with CONFIG_INIT_STACK_ALL_PATTERN, -ftrivial-auto-var-init=pattern is added to the kernel CFLAGS. This flag sets the policy for automatic/implicit initialisation of variables on the stack. Taken together, this means that when compiling under CONFIG_INIT_STACK_ALL_PATTERN on Clang, the "zero" initialiser will only zero the first element in a union, and the rest will be filled with a pattern. This is significant for aes_ctx_t, which in aes_encrypt_atomic() and aes_decrypt_atomic() is initialised to zero, but then used as a gcm_ctx_t, which is the fifth element in the union, and thus gets pattern initialisation. Later, it's assumed to be zero, resulting in a hang. As confusing and undiscoverable as it is, by the spec, we are at fault when we initialise a structure containing a union with the zero initializer. As such, this commit replaces these uses with an explicit memset(0). Sponsored-by: Klara, Inc. Sponsored-by: Wasabi Technology, Inc. Signed-off-by: Rob Norris <rob.norris@klarasystems.com>

robn · 2024-05-17T09:32:36Z

Other things I looked into:

reordering the unions to have the largest one at the front. This just makes dmu_replay_record_t harder to read, and it's difficult to keep sensibly updated
detecting and disabling the -ftrivial-auto-var-init switch. Decided against because it's a statement of intent and we should honour it
adding __attribute__(uninitialized) to these variables, which disables all automatic/implicit initialisation. I was going to try to add a cstyle lint to detect use of {0} without this attribute, but it's difficult to parse and doesn't work for static, not to mention zero initialisers being perfectly fine in most cases
writing macro initialisers eg AES_CTX_INITITALIZER with a working designated initialiser under it, but I couldn't make it work

Ultimately, I settled on this, just explicitly zeroing those ones that need it. I would have liked any kind of indicator that something special was needed, like a compiler warning, or a macro initialiser that would do the right thing in all cases, but I can't see anything. If we can come up with something in the future, we can improve it.

mcmilk approved these changes May 17, 2024

View reviewed changes

behlendorf added the Status: Accepted Ready to integrate (reviewed, tested) label May 25, 2024

behlendorf approved these changes May 25, 2024

View reviewed changes

behlendorf merged commit d0aa9db into openzfs:master May 25, 2024
22 of 24 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use memset to zero stack allocations containing unions #16206

Use memset to zero stack allocations containing unions #16206

robn commented May 17, 2024

robn commented May 17, 2024

Use memset to zero stack allocations containing unions #16206

Use memset to zero stack allocations containing unions #16206

Conversation

robn commented May 17, 2024

Motivation and Context

Description

How Has This Been Tested?

Types of changes

Checklist:

robn commented May 17, 2024