All of
 help / color / mirror / Atom feed
From: Nathan Chancellor <>
To: Kees Cook <>,
	Nick Desaulniers <>
Cc: Tom Rix <>,,,,,
	Nathan Chancellor <>,
Subject: [PATCH] security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6
Date: Wed, 14 Dec 2022 16:26:03 -0700	[thread overview]
Message-ID: <> (raw)

A bad bug in clang's implementation of -fzero-call-used-regs can result
in NULL pointer dereferences (see the links above the check for more
information). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a
supported GCC version or a clang newer than 15.0.6, which will catch
both a theoretical 15.0.7 and the upcoming 16.0.0, which will both have
the bug fixed.

Cc: # v5.15+
Signed-off-by: Nathan Chancellor <>
 security/Kconfig.hardening | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index d766b7d0ffd1..53baa95cb644 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -257,6 +257,9 @@ config INIT_ON_FREE_DEFAULT_ON
 	def_bool $(cc-option,-fzero-call-used-regs=used-gpr)
+	#
+	#
+	depends on !CC_IS_CLANG || CLANG_VERSION > 150006
 	bool "Enable register zeroing on function exit"

base-commit: 830b3c68c1fb1e9176028d02ef86f3cf76aa2476

             reply	other threads:[~2022-12-14 23:26 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-14 23:26 Nathan Chancellor [this message]
2022-12-15  0:06 ` [PATCH] security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6 Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.