public inbox for gcc-help@gcc.gnu.org
From: Jonny Grant <jg@jguk.org>
To: Jonathan Wakely <jwakely.gcc@gmail.com>
Cc: gcc-help <gcc-help@gcc.gnu.org>
Subject: Re: Avoiding stack buffer clear being optimised out
Date: Tue, 13 Dec 2022 20:12:23 +0000	[thread overview]
Message-ID: <68c69b5a-e6e7-7021-5f98-37ba8f3c49eb@jguk.org> (raw)
In-Reply-To: <CAH6eHdRLzrZO04axQ3ozEi=6y18p2L1ZMstq2TmKXLpCzycumw@mail.gmail.com>



On 30/11/2022 17:40, Jonathan Wakely wrote:
> On Wed, 30 Nov 2022 at 16:27, Jonny Grant <jg@jguk.org> wrote:
>>
>> Hello
>>
>> Does GCC have a clear way to avoid memset being compiled out by the optimiser?
>>
>> This article came up, so I combined the broken.c with GCC
>> gcc -Wall -O2 -o broken broken.c
>>
>> Note, I've been using gcc for many years, I'm not looking for just tips how to compile code. I only want to discuss this optimiser issue :-)
>>
>> https://blog.cloudflare.com/the-linux-kernel-key-retention-service-and-why-you-should-use-it-in-your-next-application/
>>
>> If I modify to clear the buffer, it gets removed by the compiler
>>
>> The only way I could get it to not remove the memset is by adding another printf, (propagating a return code after checking memset wasn't enough)
> 
> This is simpler and works for me, but I'm not sure if it's guaranteed
> to always work:
> 
> __attribute__((noinline,noipa))
> void wipe(void* p, size_t n)
> {
>   memset(p, 0, n);
> }
> 
> static int encrypt(void)
> {
>     uint8_t key[] = "hunter2";
>     printf("encrypting with super secret key: %s\n", key);
>     wipe(key, 8);
>     return 0;
> }
> 
> There is discussion of alternatives in
> https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1358.pdf (starting
> on page 6).
> 
> The memset_s function was added to C in Annex K, but most
> implementations of the C library do not support Annex K.


Jonathan

I wonder if you know how GCC decides to remove the memset? In the following example, the memset even changes the bytes on the stack, which are then not changed later on in the program, which is rather strange.

If I modify the code to check that the buffer contains key[0] as a nul byte, it still shows as 0, but then the stack is still readable.

// gcc -Wall -O2 -o broken broken.c

#include <stdio.h>
#include <stdint.h>
#include <string.h>

static int encrypt(void)
{
    uint8_t key[] = "hunter2";
    printf("encrypting with super secret key: %s\n", key);
    memset(key, 0, 8);
    if(key[0] == '\0') return 0;
    else return 1;
}

static void log_completion(void)
{
    /* oh no, we forgot to init the msg */
    char msg[8];
    printf("not important, just fyi: %s\n", msg);
}

int main(void)
{
    int ret = encrypt();
    /* notify that we're done */
    log_completion();
    printf("ret: %d\n", ret);
    return ret;
}
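The two wipe idioms that the quoted reply and the n1358 paper discuss, written out as a stand-alone example added here (this is not code from the thread, from GCC, or from the Cloudflare article): calling memset through a volatile function pointer, and a plain memset followed by an empty GCC asm statement with a "memory" clobber. The function names (secure_wipe, wipe_with_barrier, encrypt_and_wipe) are my own, and "hunter2" is the thread's sample secret. Note the limitation that the thread itself ran into: any check of the buffer after the wipe is a use of the stores, so a passing check only shows the wipe is correct, not that the stores would have survived without the check; whether the stores survive optimisation has to be confirmed by inspecting the generated code (for example gcc -O2 -S) rather than by a runtime test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Technique 1: call memset through a volatile function pointer. Because the
 * pointer is volatile, the compiler must load it at each call and cannot
 * assume it still points at the memset it knows about, so the call cannot be
 * folded away as a dead store. This is the idiom several crypto libraries use;
 * it is a widely relied-on practice, not a guarantee made by the C standard. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Technique 2 (GCC/Clang specific): ordinary memset, then an empty asm that
 * claims to read the pointer and to touch arbitrary memory. The compiler must
 * assume the asm observes the zeroed bytes, so it has to keep the stores. */
void wipe_with_barrier(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* Helper: number of bytes in buf that are still nonzero. */
size_t count_nonzero(const uint8_t *buf, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (buf[i] != 0);
    return count;
}

/* Reference point for the checks below: the constructed 8-byte key
 * ("hunter2" plus its NUL) has 7 nonzero bytes before any wipe. */
size_t nonzero_before_wipe(void)
{
    uint8_t key[] = "hunter2";   /* constructed sample secret from the thread */
    return count_nonzero(key, sizeof key);
}

/* The thread's encrypt() reworked: use the key, wipe it through the volatile
 * pointer, and report how many key bytes remain nonzero (expected: 0). */
size_t encrypt_and_wipe(void)
{
    uint8_t key[] = "hunter2";
    printf("encrypting with super secret key: %s\n", (const char *)key);
    secure_wipe(key, sizeof key);
    return count_nonzero(key, sizeof key);
}

/* Same check for the asm-barrier variant (expected: 0). */
size_t barrier_wipe_check(void)
{
    uint8_t key[] = "hunter2";
    wipe_with_barrier(key, sizeof key);
    return count_nonzero(key, sizeof key);
}

int main(void)
{
    printf("nonzero key bytes before wipe:        %zu\n", nonzero_before_wipe());
    printf("nonzero key bytes after secure_wipe:  %zu\n", encrypt_and_wipe());
    printf("nonzero key bytes after barrier wipe: %zu\n", barrier_wipe_check());
    return 0;
}
```

Build with gcc -Wall -O2 and compare the disassembly of encrypt_and_wipe against the thread's broken.c: the stores to key survive in both wipe variants. Where the C library provides explicit_bzero (glibc 2.25 and later, the BSDs) or memset_s (Annex K), those are the better choice since the library promises the behaviour; the idioms above are for toolchains that offer neither.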


