Add a new configure option to initialize automatic variables

The new option, `--enable-auto-var-init`, when enabled, sets the
`-ftrivial-auto-var-init` flag when supported by the compiler
(GCC 12+, clang 16+) to either:
- `zero`: zero-initializes all automatic variables, and is enabled
  with `--enable-auto-var-init=yes` or `--enable-auto-var-init=zero`.
  This can be used as a hardening measure in production, reducing
  information leakage issues.
- `pattern`: initialize all automatic variables to a pattern that
  is likely to be detected, like 0xAA, and is enabled via
  `--enable-auto-var-init=pattern`. This is useful in tests,
  especially when the cost of sanitizers is too high.

I have not done any performance testing, but the zero option is
generally considered to have a less than 5% performance cost.

diff --git a/configure.ac b/configure.ac
index 09dffb59e041dacfa86feaf3c537261e5bafa581..42fbd56dadda4eee31cc25fb3059fd5a2fe1808d 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -308,6 +308,7 @@ PROGRAM_LDFLAGS="$PIE_LDFLAGS $PROGRAM_LDFLAGS"
 AC_SUBST([PROGRAM_LDFLAGS])
 
 PDNS_ENABLE_COVERAGE
+PDNS_INIT_AUTO_VARS
 PDNS_ENABLE_SANITIZERS
 PDNS_ENABLE_MALLOC_TRACE
 

diff --git a/m4/pdns_init_auto_vars.m4 b/m4/pdns_init_auto_vars.m4
new file mode 100644 (file)
index 0000000..cf93ffd
--- /dev/null
+++ b/m4/pdns_init_auto_vars.m4
@@ -0,0 +1,31 @@
+dnl
+dnl Check for support for enabling initialization of automatic variables
+dnl
+
+AC_DEFUN([PDNS_INIT_AUTO_VARS],[
+  AC_MSG_CHECKING([whether to enable initialization of automatic variables])
+  AC_ARG_ENABLE([auto-var-init],
+    AS_HELP_STRING([--enable-auto-var-init],[enable initialization of automatic variables (zero, pattern) @<:@default=no@:>@]),
+    [enable_initautovars=$enableval],
+    [enable_initautovars=no],
+  )
+  AC_MSG_RESULT([$enable_initautovars])
+
+  AS_IF([test "x$enable_initautovars" = "xyes"], [
+    [enable_initautovars=zero]
+  ])
+
+  AS_IF([test "x$enable_initautovars" = "xzero" ], [
+    gl_COMPILER_OPTION_IF([-ftrivial-auto-var-init=zero], [
+      CFLAGS="-ftrivial-auto-var-init=zero $CFLAGS"
+      CXXFLAGS="-ftrivial-auto-var-init=zero $CXXFLAGS"
+    ])
+  ])
+
+  AS_IF([test "x$enable_initautovars" = "xpattern" ], [
+    gl_COMPILER_OPTION_IF([-ftrivial-auto-var-init=pattern], [
+      CFLAGS="-ftrivial-auto-var-init=pattern $CFLAGS"
+      CXXFLAGS="-ftrivial-auto-var-init=pattern $CXXFLAGS"
+    ])
+  ])
+])

diff --git a/pdns/dnsdistdist/configure.ac b/pdns/dnsdistdist/configure.ac
index 18c3e157df5b4f7a1ab52928b4e2e2bf74be9027..c308f4e7b2eb5cd05ef6911afc4301dab722ab9e 100644 (file)
--- a/pdns/dnsdistdist/configure.ac
+++ b/pdns/dnsdistdist/configure.ac
@@ -119,6 +119,8 @@ AS_IF([test "x$enable_hardening" != "xno"], [
   AC_LD_RELRO
 ])
 
+PDNS_INIT_AUTO_VARS
+
 PDNS_ENABLE_SANITIZERS
 
 PDNS_CHECK_PYTHON_VENV

diff --git a/pdns/dnsdistdist/m4/pdns_init_auto_vars.m4 b/pdns/dnsdistdist/m4/pdns_init_auto_vars.m4
new file mode 120000 (symlink)
index 0000000..c4384ff
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_init_auto_vars.m4
@@ -0,0 +1 @@
+../../../m4/pdns_init_auto_vars.m4
\ No newline at end of file

diff --git a/pdns/recursordist/configure.ac b/pdns/recursordist/configure.ac
index e97a0ac6f416fa884ca289c91578cc47c1c623ec..f8ddf6d2348d664bbbdf6007377481486d760dc9 100644 (file)
--- a/pdns/recursordist/configure.ac
+++ b/pdns/recursordist/configure.ac
@@ -150,6 +150,7 @@ AS_IF([test "x$enable_hardening" != "xno"], [
   AC_LD_RELRO
 ])
 
+PDNS_INIT_AUTO_VARS
 PDNS_ENABLE_SANITIZERS
 PDNS_ENABLE_MALLOC_TRACE
 PDNS_ENABLE_VALGRIND

diff --git a/pdns/recursordist/m4/pdns_init_auto_vars.m4 b/pdns/recursordist/m4/pdns_init_auto_vars.m4
new file mode 120000 (symlink)
index 0000000..c4384ff
--- /dev/null
+++ b/pdns/recursordist/m4/pdns_init_auto_vars.m4
@@ -0,0 +1 @@
+../../../m4/pdns_init_auto_vars.m4
\ No newline at end of file