From: Segher Boessenkool <segher@kernel.crashing.org>
To: David Brown <david.brown@hesbynett.no>
Cc: P J P <pj.pandit@yahoo.co.in>, "gcc@gcc.gnu.org" <gcc@gcc.gnu.org>
Subject: Re: About BZ#87210 [RFE] To initialize automatic stack variables
Date: Tue, 05 Mar 2019 18:37:00 -0000 [thread overview]
Message-ID: <20190305183717.GQ3969@gate.crashing.org> (raw)
In-Reply-To: <e5e5f5b4-9e33-8833-c45d-11b117dc8e2f@hesbynett.no>
Hi!
On Mon, Mar 04, 2019 at 09:45:37PM +0100, David Brown wrote:
> Forcing "stolen_key" to be zero initialised does not help anyone -
> options for that just make code slower and hide errors that would occur
> with other compiler options. The challenge is to make sure /key/ is
> zeroed out after use - no matter what optimisations, and whether or not
> the "memset" is called.
Yup.
> gcc already has mechanisms for handling this.
>
> First, there is a way to tell gcc that something in memory will be read,
> even though it doesn't look like it:
>
> void foo(void) {
> char key[20];
> strcpy(key, "Top secret");
> usekey(key);
> memset(key, 0, sizeof(key));
> {
> typedef struct { char x[20]; } XS;
> XS *p = (XS *) key;
> asm("" : "+m" (*p));
> }
> }
You need to use "asm volatile" here. In principle GCC can see all the
outputs of the asm are dead and delete all of the asm, otherwise. But
you don't need an output for *p (or inout as you wrote), just an input
is fine.
> This stops information leakage where it should be stopped - once the
> information is no longer used. Forcing initialisation of stack
> variables would put it in the wrong place, when the stack space is reused.
Letting one context/process/etc. handle both secret and non-secret data
is a recipe for disaster already. If you do not fix that, all you can
hope for is some mitigation.
Calling this "secure" is false advertising :-( It is better than not
clearing such (stack) buffers, absolutely.
Segher
next prev parent reply other threads:[~2019-03-05 18:37 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1225413012.1679387.1550571810991.ref@mail.yahoo.com>
2019-02-19 10:24 ` P J P
2019-03-04 10:44 ` P J P
2019-03-04 12:02 ` Richard Biener
2019-03-04 20:46 ` David Brown
2019-03-05 18:37 ` Segher Boessenkool [this message]
2019-03-05 20:37 ` David Brown
2019-03-05 21:17 ` Martin Sebor
2019-03-05 23:08 ` Mark Wielaard
2019-03-06 1:51 ` Segher Boessenkool
2019-03-06 13:11 ` David Brown
2019-03-06 13:43 ` Alexander Potapenko via gcc
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190305183717.GQ3969@gate.crashing.org \
--to=segher@kernel.crashing.org \
--cc=david.brown@hesbynett.no \
--cc=gcc@gcc.gnu.org \
--cc=pj.pandit@yahoo.co.in \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).