Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150909164228.GD17773@brightrain.aerifal.cx>
Date: Wed, 9 Sep 2015 12:42:28 -0400
From: Rich Felker <dalias@...c.org>
To: Zack Weinberg <zackw@...ix.com>
Cc: gcc@....gnu.org, llvmdev@...uiuc.edu,
	GNU C Library <libc-alpha@...rceware.org>, musl@...ts.openwall.com
Subject: Re: Compiler support for erasure of sensitive data

On Wed, Sep 09, 2015 at 12:36:01PM -0400, Zack Weinberg wrote:
> The first, simpler problem is strictly optimization.  explicit_bzero
> can be optimized to memset followed by a vacuous use of the memory
> region (generating no machine instructions, but preventing the stores
> from being deleted as dead); this is valuable because the sensitive
> data is often small and fixed-size, so the memset can in turn be
> replaced by inline code.  (This also facilitates implementation of
> -D_FORTIFY_SOURCE checks for explicit_bzero.)  Again looking at
> libressl, 92 of those 152 uses are improved by a crude version of this
> optimization:
> 
>     void explicit_bzero(void *, size_t);
>     extern inline __attribute__((gnu_inline, always_inline))
>     void explicit_bzero_constn(void *ptr, size_t len)
>     {
>       typedef struct {char x[len];} memblk;
>       memset(ptr, 0, len);
>       asm("" : : "m" (*(memblk __attribute__((may_alias)) *)ptr));
>     }
>     #define explicit_bzero(s, n)                          \
>       (__extension__(__builtin_constant_p(n) && (n) > 0   \
>                      ? explicit_bzero_constn(s, n)        \
>                      : explicit_bzero(s, n)))
> 
> I call this "crude" because it only works in GCC, when compiling C,
> and when the length parameter is compile-time constant.  GCC issues no
> error for this code when 'len' is not compile-time constant, but it is
> not documented to work reliably.  When compiling C++, GCC does not
> accept a structure containing an array whose size is not *lexically*
> constant; even if the body of explicit_bzero_constn is moved into the
> macro so that the whole thing is guarded by __builtin_constant_p,
> using explicit_bzero with a non-constant size will cause a compile
> error.  The same is true for Clang whether compiling C or C++.
> 
> This problem could be solved with a very simple feature addition:
> 
>     extern inline __attribute__((gnu_inline, always_inline))
>     void explicit_bzero(void *ptr, size_t len)
>     {
>       memset(ptr, 0, len);
>       __builtin_use_memory(ptr, len);
>     }

You're making this harder than it needs to be. The "m" constraint is
the wrong thing to use here. Simply use:

	__asm__(""::"r"(ptr):"memory");

The memory constraint implies that the asm can read or write any
memory that's reachable by it. The lack of output constraints implies
__volatile__ which is also needed.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.