Date: Wed, 28 Jan 2015 23:15:09 -0500
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: thoughts on reallocarray, explicit_bzero?

On Wed, Jan 28, 2015 at 10:03:33PM -0600, Brent Cook wrote:
> >> > Linux kernel has similar functions and uses a barrier() here:
> >> >
> >> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/lib/string.c?id=refs/tags/v3.19-rc6#n600
> >> >
> >> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/linux/compiler.h?id=refs/tags/v3.19-rc6#n162
> >> >
> >> > Is such a solution more correct (and still portable)?
> >>
> >> I'm afraid that the only appropriate solution is to use memset_s()
> >> from C11 and the expectation that the compiler will accept it.
> >> barrier() does not give any guarantee that this function will be
> >> secure. Only compiler decides. I'm afraid that OpenBSD goes bad path
> >> with explicit_bzero(). The same applies to the linux kernel and
> >> memzero_explicit().. very stupid name...
> >
> > I see no way memset_s is technically "better". It's unable to find and
> > clear other temporary copies that have been made, and the barrier
> > method described above already reliably clears the pointed-to copy.
>
> Whatever method you choose, the method of testing is an interesting
> one, since seeing if the compiler optimized out a memset (because the
> memory was not read after a write) requires tricking the compiler into
> believing you aren't reading it. This test is pretty cool, IMO:
>
> https://github.com/libressl-portable/openbsd/blob/master/src/regress/lib/libc/explicit_bzero/explicit_bzero.c
>
> it is described a bit more here:
> https://plus.google.com/+MatthewDempsky/posts/KQHFBouxurX

The comment that pthread_attr_setstack could be used instead is
interesting and would make the test a lot simpler, I think.

> Getting around link-time optimizations required building the
> explicit_bzero function with independent compiler flags to ensure LTO
> was not enabled.

As long as there's a barrier, LTO is no problem. The asm is a black box
that's required to see the results of memset, since the address of the
object reaches the asm, and the only way to ensure that such a black box
sees the writes is for them to actually be performed.

Rich
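As an added example (not code from this thread, from musl, or from LibreSSL's regress test), here is the barrier idiom the reply describes together with the kind of test it discusses: the function under test runs on a private thread stack installed with pthread_attr_setstack, and that stack is then scanned for leftover secret bytes. All names (explicit_bzero_barrier, use_secret, secret_survives), the 0x5A-based sample secret and the 256 KiB stack size are assumptions of this example. The no-wipe and barrier cases have a fixed outcome; the plain-memset case simply reports what the compiler did at the optimisation level you built with.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the thread or from musl/LibreSSL. */

/* The barrier idiom from the reply: the empty asm statement receives the
 * buffer's address and clobbers "memory", so the compiler has to assume
 * the asm reads the zeroed bytes and cannot delete the memset as a dead
 * store, with or without LTO. */
static void explicit_bzero_barrier(void *buf, size_t len)
{
    memset(buf, 0, len);
    __asm__ __volatile__("" : : "r"(buf) : "memory");
}

enum wipe_mode { WIPE_NONE, WIPE_PLAIN_MEMSET, WIPE_BARRIER };

#define SECRET_LEN 64
#define NEEDLE_LEN 16 /* leading bytes of the secret that the scan looks for */

/* Constructed "secret": the byte sequence 0x5A, 0x5B, 0x5C, ... so that a
 * match cannot come from a stray register spill of one repeated value. */
static const unsigned char needle[NEEDLE_LEN] = {
    0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61,
    0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69
};

/* Fill a stack buffer with the secret, then maybe wipe it. The fill goes
 * through a volatile pointer so it cannot be optimised away; the buffer is
 * never read afterwards, which is exactly when a plain memset may be
 * elided. noinline keeps the buffer in this function's own (soon dead)
 * frame rather than in the caller's. */
static __attribute__((noinline)) void use_secret(enum wipe_mode mode)
{
    unsigned char secret[SECRET_LEN];
    volatile unsigned char *p = secret;
    for (size_t i = 0; i < SECRET_LEN; i++)
        p[i] = (unsigned char)(0x5A + i);

    if (mode == WIPE_PLAIN_MEMSET)
        memset(secret, 0, sizeof secret);
    else if (mode == WIPE_BARRIER)
        explicit_bzero_barrier(secret, sizeof secret);
}

struct probe {
    unsigned char *stack;
    size_t stack_size;
    enum wipe_mode mode;
    int found; /* 1 if the secret was still on the stack after use_secret */
};

/* Thread body, running on the caller-supplied stack: call use_secret, then
 * scan the whole stack region for the needle before anything else can reuse
 * the dead frame. The scan makes no function calls, so it pushes nothing
 * over the region it inspects. */
static void *probe_thread(void *arg)
{
    struct probe *pr = arg;
    use_secret(pr->mode);

    pr->found = 0;
    for (size_t off = 0; off + NEEDLE_LEN <= pr->stack_size; off++) {
        size_t k = 0;
        while (k < NEEDLE_LEN && pr->stack[off + k] == needle[k])
            k++;
        if (k == NEEDLE_LEN) {
            pr->found = 1;
            break;
        }
    }
    return NULL;
}

/* Run use_secret(mode) on a private, zero-filled, page-aligned stack set
 * with pthread_attr_setstack, and report whether the secret survived.
 * Returns 1 if it did, 0 if the stack is clean, -1 on a setup failure. */
int secret_survives(enum wipe_mode mode)
{
    const size_t size = 256 * 1024; /* comfortably above PTHREAD_STACK_MIN */
    const size_t align = 4096;
    unsigned char *raw = malloc(size + align);
    if (raw == NULL)
        return -1;
    unsigned char *stack = (unsigned char *)(((uintptr_t)raw + align - 1) & ~(uintptr_t)(align - 1));
    memset(stack, 0, size);

    struct probe pr = { stack, size, mode, -1 };
    pthread_attr_t attr;
    pthread_t tid;
    int rc = -1;
    if (pthread_attr_init(&attr) == 0) {
        if (pthread_attr_setstack(&attr, stack, size) == 0 &&
            pthread_create(&tid, &attr, probe_thread, &pr) == 0 &&
            pthread_join(tid, NULL) == 0)
            rc = pr.found;
        pthread_attr_destroy(&attr);
    }
    free(raw);
    return rc;
}

int main(void)
{
    static const char *const names[] = { "no wipe", "plain memset", "memset + asm barrier" };
    for (int m = WIPE_NONE; m <= WIPE_BARRIER; m++) {
        int r = secret_survives((enum wipe_mode)m);
        printf("%-21s: %s\n", names[m], r < 0 ? "setup failed" : r ? "secret left on stack" : "clean");
    }
    return 0;
}
```

Two details carry the whole test. The secret is written through a volatile pointer so the fill itself is never elided, while the later memset is an ordinary store the compiler is free to drop; and the scan runs in the same thread, without calling any function, so no new frame lands on top of the dead one being inspected. Build once with -O0 and once with -O2 and compare the "plain memset" line; the barrier line stays clean either way, which is the point of Rich's remark that LTO is no problem once the asm sees the address.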