From: Daniel Cegiełka
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: thoughts on reallocarray, explicit_bzero?
Date: Wed, 28 Jan 2015 23:01:16 +0100
References: <20140519153130.GA519@muslin> <20140519161654.GO507@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com

2014-05-19 18:16 GMT+02:00 Rich Felker:
> On Mon, May 19, 2014 at 05:44:59PM +0200, Daniel Cegiełka wrote:
>> diff -urN musl.orig/src/string/explicit_bzero.c musl/src/string/explicit= _bzero.c >> --- musl.orig/src/string/explicit_bzero.c Thu Jan 1 00:00:00 1970 >> +++ musl/src/string/explicit_bzero.c Fri May 9 09:57:45 2014
>> @@ -0,0 +1,8 @@ >> +#include >> + >> +static void *(*volatile explicit_memset)(void *, int, size_t) =3D memse= t; >> + >> +void explicit_bzero(void *b, size_t len) >> +{ >> + (*explicit_memset)(b, 0, len); >> +}
>
> This is a nice trick, but IIRC I actually observed GCC optimizing out
> similar code before (instead of your static volatile, I used a
> volatile compound literal). At least the concept is right though: you
> want to prevent the compiler from being able to do any flow analysis
> at compile time, and making the function pointer volatile achieves
> this rather well. On the other hand, GCC will put the volatile pointer
> (if it even emits it) in non-constant memory, meaning it's an
> additional attack vector for function-pointer-overwrite attacks.

The Linux kernel has similar functions and uses a barrier() here:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/lib/string.c?id=refs/tags/v3.19-rc6#n600
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/linux/compiler.h?id=refs/tags/v3.19-rc6#n162

Is such a solution more correct (and still portable)?

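Review bot: `explicit_memset` in the new explicit_bzero.c is a writable `static ... volatile` function pointer, so the only thing keeping the store alive is an indirect call through non-constant memory, which the reply quoted above already flags as an extra target for function-pointer overwrites. Nothing after `(*explicit_memset)(b, 0, len);` tells the compiler that the buffer contents are observed. Consider calling `memset(b, 0, len);` directly and following it with a compiler barrier that takes `b` as an input and clobbers memory, with a short comment saying why the barrier is there. Inline-asm barriers are a GNU C extension, so that form is portable only across compilers that implement it, and the file would need a fallback or a documented compiler requirement.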
Daniel

> Rich

Content-Disposition: attachment; filename="explicit_bzero.c"
Content-Disposition: attachment; filename="explicit_bzero2.c"
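The two approaches discussed in this message, side by side, as an added example that is not code from this thread, from musl or from the Linux kernel. It assumes a GCC-compatible compiler for the inline asm, and the names `zero_via_volatile_ptr`, `zero_with_barrier`, `buffer_is_zero` and `scrub_demo` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Approach of the quoted patch: call memset through a volatile function
 * pointer so the compiler cannot see the target and drop the call.
 * The pointer itself is writable data (the drawback raised in the reply). */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void zero_via_volatile_ptr(void *b, size_t len)
{
    (*memset_ptr)(b, 0, len);
}

/* Barrier approach (assumes GCC or Clang inline asm). The empty asm takes
 * the buffer address as an input and clobbers "memory", so the compiler has
 * to assume the zeroed bytes are read and keeps the memset. */
void zero_with_barrier(void *b, size_t len)
{
    memset(b, 0, len);
    __asm__ __volatile__("" : : "r"(b) : "memory");
}

/* Check helper: reads through a volatile pointer, returns 1 if all zero. */
int buffer_is_zero(const void *b, size_t len)
{
    const volatile unsigned char *p = b;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

/* Constructed scenario: a stack key scrubbed before return. Real callers do
 * not read the buffer again, which is what lets an optimizer delete a plain
 * memset; the read-back here exists only to verify the result. */
int scrub_demo(int use_barrier)
{
    unsigned char key[32];
    memset(key, 0xA5, sizeof key); /* constructed "secret" */
    if (use_barrier)
        zero_with_barrier(key, sizeof key);
    else
        zero_via_volatile_ptr(key, sizeof key);
    return buffer_is_zero(key, sizeof key);
}
```

To see the difference from a plain `memset`, compile a caller at `-O2` and inspect the generated assembly for the store to the buffer.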