From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/6926 Path: news.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general Subject: Re: thoughts on reallocarray, explicit_bzero? Date: Wed, 28 Jan 2015 21:19:19 -0500 Message-ID: <20150129021919.GM4574@brightrain.aerifal.cx> References: <20140519153130.GA519@muslin> <20140519161654.GO507@brightrain.aerifal.cx> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Trace: ger.gmane.org 1422497974 11751 80.91.229.3 (29 Jan 2015 02:19:34 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Thu, 29 Jan 2015 02:19:34 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-6939-gllmg-musl=m.gmane.org@lists.openwall.com Thu Jan 29 03:19:34 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1YGehh-0000fO-KJ for gllmg-musl@m.gmane.org; Thu, 29 Jan 2015 03:19:33 +0100 Original-Received: (qmail 3422 invoked by uid 550); 29 Jan 2015 02:19:32 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 3414 invoked from network); 29 Jan 2015 02:19:31 -0000 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Original-Sender: Rich Felker Xref: news.gmane.org gmane.linux.lib.musl.general:6926 Archived-At: On Wed, Jan 28, 2015 at 11:34:20PM +0100, Daniel Cegiełka wrote: > 2015-01-28 23:01 GMT+01:00 Daniel Cegiełka : > > 2014-05-19 18:16 GMT+02:00 Rich Felker : > >> On Mon, May 19, 2014 at 05:44:59PM +0200, Daniel Cegiełka wrote: > > > >>> diff -urN musl.orig/src/string/explicit_bzero.c musl/src/string/explicit_bzero.c > >>> --- musl.orig/src/string/explicit_bzero.c Thu Jan 1 00:00:00 1970 > >>> +++ musl/src/string/explicit_bzero.c Fri May 9 09:57:45 2014 > >>> @@ -0,0 +1,8 @@ > >>> +#include > >>> + > >>> +static void *(*volatile explicit_memset)(void *, int, size_t) = memset; > >>> + > >>> +void explicit_bzero(void *b, size_t len) > >>> +{ > >>> + (*explicit_memset)(b, 0, len); > >>> +} > >> > >> This is a nice trick, but IIRC I actually observed GCC optimizing out > >> similar code before (instead of your static volatile, I used a > >> volatile compound literal). At least the concept is right though: you > >> want to prevent the compiler from being able to do any flow analysis > >> at compile time, and making the function pointer volatile achieves > >> this rather well. On the other hand, GCC will put the volatile pointer > >> (if it even emits it) in non-constant memory, meaning it's an > >> additional attack vector for function-pointer-overwrite attacks. > > > > Linux kernel has similar functions and uses a barrier() here: > > > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/lib/string.c?id=refs/tags/v3.19-rc6#n600 > > > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/linux/compiler.h?id=refs/tags/v3.19-rc6#n162 > > > > Is such a solution is more correct (and still portable)? > > I'm afraid that the only appropriate solution is to use memset_s() > from C11 and the expectation that the compiler will accept it. > barrier() does not give any guarantee that this function will be > secure. Only compiler decides. I'm afraid that OpenBSD goes bad path > with explicit_bzero(). The same applies to the linux kernel and > memzero_explicit().. very stupid name... I see no way memset_s is technically "better". It's unable to find and clear other temporary copies that have been made, and the barrier method described above already reliably clears the pointed-to copy. Rich