From: "Daniel Cegiełka" <daniel.cegielka@gmail.com>
To: musl@lists.openwall.com
Subject: Re: thoughts on reallocarray, explicit_bzero?
Date: Mon, 19 May 2014 17:44:59 +0200 [thread overview]
Message-ID: <CAPLrYESpEg_yvyn0odnnr9=0Fg3Ussg7cHH=om1G_yvb8zsQ8Q@mail.gmail.com> (raw)
In-Reply-To: <20140519153130.GA519@muslin>
[-- Attachment #1: Type: text/plain, Size: 1115 bytes --]
2014-05-19 17:31 GMT+02:00 Isaac Dunham <ibid.ag@gmail.com>:
> Having read up on the LibreSSL fork of OpenSSL and also recently
> backported a nuber of libXfont CVE fixes for integer overflows,
> I've seen the risk posed by malloc(n*sizeof(x)) and realloc(ptr,
> n*sizeof(x)).
> calloc(n, sizeof(x)) can be used in place of malloc(n * sizeof(x)),
> but there's no standard function that does overflow checking for
> realloc(). OpenBSD has provided the extension reallocarray(), which
> provides for bounds checking like calloc() does.
>
> Additionally, there are times when a compiler will optimize away calls
> to bzero() on areas that are not used before free(); this can result in
> passwords getting left in memory. OpenBSD uses a wrapper function called
> explicit_bzero() to keep this from happening, thugh it seems to be possible
> to use some ugliness with volatile to stop it.
>
> Should musl provide reallocarray()?
In my opinion, yes, we should.
btw. no bzero()/bcopy() but memset() and memcpy() etc.
Daniel
> And what's the best way to ensure that memory gets zeroed out?
>
> Thanks,
> Isaac Dunham
[-- Attachment #2: explicit_bzero.diff --]
[-- Type: text/plain, Size: 796 bytes --]
diff -urN musl.orig/include/string.h musl/include/string.h
--- musl.orig/include/string.h Fri May 9 09:49:36 2014
+++ musl/include/string.h Fri May 9 09:57:10 2014
@@ -82,6 +82,7 @@
char *strsep(char **, const char *);
size_t strlcat (char *, const char *, size_t);
size_t strlcpy (char *, const char *, size_t);
+void explicit_bzero(void *b, size_t len);
#endif
#ifdef _GNU_SOURCE
diff -urN musl.orig/src/string/explicit_bzero.c musl/src/string/explicit_bzero.c
--- musl.orig/src/string/explicit_bzero.c Thu Jan 1 00:00:00 1970
+++ musl/src/string/explicit_bzero.c Fri May 9 09:57:45 2014
@@ -0,0 +1,8 @@
+#include <string.h>
+
+static void *(*volatile explicit_memset)(void *, int, size_t) = memset;
+
+void explicit_bzero(void *b, size_t len)
+{
+ (*explicit_memset)(b, 0, len);
+}
[-- Attachment #3: reallocarray.diff --]
[-- Type: text/plain, Size: 1131 bytes --]
diff -urN musl.orig/include/stdlib.h musl/include/stdlib.h
--- musl.orig/include/stdlib.h Thu May 8 09:04:08 2014
+++ musl/include/stdlib.h Thu May 8 09:11:06 2014
@@ -44,6 +44,9 @@
void *realloc (void *, size_t);
void free (void *);
void *aligned_alloc(size_t alignment, size_t size);
+#ifdef _BSD_SOURCE
+void *reallocarray(void *, size_t, size_t);
+#endif
_Noreturn void abort (void);
int atexit (void (*) (void));
diff -urN musl.orig/src/stdlib/reallocarray.c musl/src/stdlib/reallocarray.c
--- musl.orig/src/stdlib/reallocarray.c Thu Jan 1 00:00:00 1970
+++ musl/src/stdlib/reallocarray.c Thu May 8 09:06:30 2014
@@ -0,0 +1,17 @@
+#include <stdlib.h>
+#include <limits.h>
+#include <errno.h>
+
+/* this is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX
+ * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW */
+#define MUL_NO_OVERFLOW (1UL << (sizeof(size_t) * 4))
+
+void *reallocarray(void *optr, size_t nmemb, size_t size)
+{
+ if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
+ nmemb > 0 && SSIZE_MAX / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
+ return realloc(optr, size * nmemb);
+}
next prev parent reply other threads:[~2014-05-19 15:44 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-19 15:31 Isaac Dunham
2014-05-19 15:43 ` Rich Felker
2014-05-19 16:19 ` Daniel Cegiełka
2014-05-20 6:19 ` Rich Felker
2014-05-20 15:50 ` Daniel Cegiełka
2014-05-19 15:44 ` Daniel Cegiełka [this message]
2014-05-19 16:16 ` Rich Felker
2014-05-19 16:30 ` Daniel Cegiełka
2014-05-19 16:32 ` Szabolcs Nagy
2015-01-28 22:01 ` Daniel Cegiełka
2015-01-28 22:34 ` Daniel Cegiełka
2015-01-28 22:38 ` Nathan McSween
2015-01-28 22:54 ` Daniel Cegiełka
2015-01-28 23:02 ` Josiah Worcester
2015-01-29 2:19 ` Rich Felker
2015-01-29 4:03 ` Brent Cook
2015-01-29 4:15 ` Rich Felker
2015-01-29 9:30 ` Daniel Cegiełka
2015-01-29 10:04 ` Szabolcs Nagy
2015-01-29 10:31 ` Daniel Cegiełka
2015-01-29 10:54 ` Daniel Cegiełka
2014-05-19 16:25 ` Szabolcs Nagy
2014-05-19 16:45 ` Daniel Cegiełka
2014-05-19 16:58 ` Rich Felker
2014-05-19 16:55 ` Rich Felker
2014-05-19 18:12 ` Szabolcs Nagy
2014-05-19 22:08 ` Andy Lutomirski
2014-05-20 0:41 ` Szabolcs Nagy
2014-06-11 9:59 ` Thorsten Glaser
2014-06-11 12:59 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPLrYESpEg_yvyn0odnnr9=0Fg3Ussg7cHH=om1G_yvb8zsQ8Q@mail.gmail.com' \
--to=daniel.cegielka@gmail.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).