From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_LOW,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 30048 invoked from network); 26 May 2023 20:16:19 -0000 Received: from second.openwall.net (193.110.157.125) by inbox.vuxu.org with ESMTPUTF8; 26 May 2023 20:16:19 -0000 Received: (qmail 7733 invoked by uid 550); 26 May 2023 20:16:16 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 7694 invoked from network); 26 May 2023 20:16:16 -0000 Date: Fri, 26 May 2023 16:16:03 -0400 From: Rich Felker To: =?utf-8?B?SuKCkeKCmeKCmw==?= Gustedt Cc: Joakim Sindholt , musl@lists.openwall.com Message-ID: <20230526201603.GM4163@brightrain.aerifal.cx> References: <20230526115236.b15f8bf97a529da07fba514f@zhasha.com> <20230526121829.4b9a9538@inria.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20230526121829.4b9a9538@inria.fr> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [musl] [C23 string conversion 1/3] C23: add the new memset_explicit function On Fri, May 26, 2023 at 12:18:29PM +0200, Jā‚‘ā‚™ā‚› Gustedt wrote: > Joakim, > > on Fri, 26 May 2023 11:52:36 +0200 you (Joakim Sindholt > ) wrote: > > > I don't see how this is in any way useful. It's certainly not part of > > the standard, which only says: > > > > > The intention is that the memory store is always performed (i.e., > > > never elided), regardless of optimizations. This is in contrast to > > > calls to the memset function (7.26.6.1) > > There has been a long discussion in WG14 about this what is even > possible to say here. The clear intent in all discussions was to have > something that best inhibits all sorts of information leak. > > What you are citing is just a footnote. The normative text says: > > The purpose of this function is to make sensitive information > stored in the object inaccessible > > So this is ist the expressed intent. > > This is clearly a QoI issue. I think that indeed a sequential > reordering barrier is the minimal quality that implementations can > provide. But since this is not time critical, we might be able to > provide a bit more, with modest cost, such as synchronization with > other threads, and such as deleting the information where even the > object was located in the first place. Zeroing the local var dest does not do that. It makes things worse, by forcing dest to get spilled to memory so it can be acted on as an object by a_cas_p. It will do nothing to clear whatever register or stack slot the value in dest might have previously lived in. We had all of these discussions back when explicit_bzero was added, and it was done the way it was done because it's portable (within the framework of what musl already requires) and non-arch-specific, has zero overhead, avoids any code duplication or bad performance open-coding another memset variant, and avoids taking part in any security theater (pretending we can clear things we can't). Rich