Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 26 May 2023 16:16:03 -0400
From: Rich Felker <>
To: Jₑₙₛ Gustedt <>
Cc: Joakim Sindholt <>,
Subject: Re: [C23 string conversion 1/3] C23: add the new
 memset_explicit function

On Fri, May 26, 2023 at 12:18:29PM +0200, Jₑₙₛ Gustedt wrote:
> Joakim,
> on Fri, 26 May 2023 11:52:36 +0200 you (Joakim Sindholt
> <>) wrote:
> > I don't see how this is in any way useful. It's certainly not part of
> > the standard, which only says:
> > 
> > > The intention is that the memory store is always performed (i.e.,
> > > never elided), regardless of optimizations. This is in contrast to
> > > calls to the memset function (  
> There has been a long discussion in WG14 about this what is even
> possible to say here. The clear intent in all discussions was to have
> something that best inhibits all sorts of information leak.
> What you are citing is just a footnote. The normative text says:
>      The purpose of this function is to make sensitive information
>      stored in the object inaccessible
> So this is ist the expressed intent.
> This is clearly a QoI issue. I think that indeed a sequential
> reordering barrier is the minimal quality that implementations can
> provide. But since this is not time critical, we might be able to
> provide a bit more, with modest cost, such as synchronization with
> other threads, and such as deleting the information where even the
> object was located in the first place.

Zeroing the local var dest does not do that. It makes things worse, by
forcing dest to get spilled to memory so it can be acted on as an
object by a_cas_p. It will do nothing to clear whatever register or
stack slot the value in dest might have previously lived in.

We had all of these discussions back when explicit_bzero was added,
and it was done the way it was done because it's portable (within the
framework of what musl already requires) and non-arch-specific, has
zero overhead, avoids any code duplication or bad performance
open-coding another memset variant, and avoids taking part in any
security theater (pretending we can clear things we can't).


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.