[PATCH 2/3] Add fortification and inline optimization of explicit_bzero.

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

From: Zack Weinberg <zackw@panix.com>
To: libc-alpha@sourceware.org
Cc: carlos@redhat.com, fweimer@redhat.com
Subject: [PATCH 2/3] Add fortification and inline optimization of explicit_bzero.
Date: Tue, 15 Nov 2016 15:55:00 -0000	[thread overview]
Message-ID: <20161115155509.12692-3-zackw@panix.com> (raw)
In-Reply-To: <20161115155509.12692-2-zackw@panix.com>

By exposing __glibc_read_memory to external callers, we can write a
fortify wrapper for explicit_bzero in terms of __memset_chk and
__glibc_read_memory.  There is no out-of-line __bzero_chk defined in
libc.so, so I see no need to add an out-of-line __explicit_bzero_chk
either.

We can also add a bits/string2.h macro that optimizes explicit_bzero
to memset + __glibc_read_memory, thus allowing the compiler to use
intrinsic code generation for memset.  I think this is worth doing
because it partially addresses the problem pointed out in the manual,
where explicit_bzero might _cause_ sensitive data to be copied out of
registers onto the stack.  With memset visible to the compiler, it
will just clear a scratch area on the stack and then call
__glibc_read_memory; it won't copy the sensitive data onto the stack
first.  (But it still doesn't erase the sensitive data _in_ the
registers, so the warning in the manual is still appropriate.)

        * string/bits/string2.h: Optimize explicit_bzero.
        * string/bits/string3.h: Fortify explicit_bzero.
        * debug/tst-chk1.c: Test fortification of explicit_bzero.
---
 debug/tst-chk1.c      | 28 ++++++++++++++++++++++++++++
 string/bits/string2.h | 11 +++++++++++
 string/bits/string3.h |  8 ++++++++
 3 files changed, 47 insertions(+)

diff --git a/debug/tst-chk1.c b/debug/tst-chk1.c
index 478c2fb..e87a279 100644
--- a/debug/tst-chk1.c
+++ b/debug/tst-chk1.c
@@ -160,6 +160,10 @@ do_test (void)
   if (memcmp (buf, "aabcdabc\0\0", 10))
     FAIL ();
 
+  explicit_bzero (buf + 6, 4);
+  if (memcmp (buf, "aabcda\0\0\0\0", 10))
+    FAIL ();
+
   strcpy (buf + 4, "EDCBA");
   if (memcmp (buf, "aabcEDCBA", 10))
     FAIL ();
@@ -201,6 +205,10 @@ do_test (void)
   if (memcmp (buf, "aabcdabc\0\0", 10))
     FAIL ();
 
+  explicit_bzero (buf + 6, l0 + 4);
+  if (memcmp (buf, "aabcda\0\0\0\0", 10))
+    FAIL ();
+
   strcpy (buf + 4, str1 + 5);
   if (memcmp (buf, "aabcEDCBA", 10))
     FAIL ();
@@ -256,6 +264,10 @@ do_test (void)
   if (memcmp (a.buf1, "aabcdabc\0\0", 10))
     FAIL ();
 
+  explicit_bzero (a.buf1 + 6, l0 + 4);
+  if (memcmp (a.buf1, "aabcda\0\0\0\0", 10))
+    FAIL ();
+
 #if __USE_FORTIFY_LEVEL < 2
   /* The following tests are supposed to crash with -D_FORTIFY_SOURCE=2
      and sufficient GCC support, as the string operations overflow
@@ -345,6 +357,14 @@ do_test (void)
   bzero (buf + 9, l0 + 2);
   CHK_FAIL_END
 
+  CHK_FAIL_START
+  explicit_bzero (buf + 9, 2);
+  CHK_FAIL_END
+
+  CHK_FAIL_START
+  explicit_bzero (buf + 9, l0 + 2);
+  CHK_FAIL_END
+
   CHK_FAIL_START
   strcpy (buf + 5, str1 + 5);
   CHK_FAIL_END
@@ -454,6 +474,14 @@ do_test (void)
   bzero (a.buf1 + 9, l0 + 2);
   CHK_FAIL_END
 
+  CHK_FAIL_START
+  explicit_bzero (a.buf1 + 9, 2);
+  CHK_FAIL_END
+
+  CHK_FAIL_START
+  explicit_bzero (a.buf1 + 9, l0 + 2);
+  CHK_FAIL_END
+
 # if __USE_FORTIFY_LEVEL >= 2
 #  define O 0
 # else
diff --git a/string/bits/string2.h b/string/bits/string2.h
index ca1eda9..d509533 100644
--- a/string/bits/string2.h
+++ b/string/bits/string2.h
@@ -57,6 +57,17 @@
 # define __bzero(s, n) __builtin_memset (s, '\0', n)
 #endif
 
+#if defined __USE_MISC
+/* As bzero, but the compiler will not delete a call to this function,
+   even if S is dead after the call.  This is a macro instead of an
+   inline function _solely_ so that it will not get turned into an
+   external definition in string-inlines.o; it has its own .c file in
+   libc already.  */
+# define explicit_bzero(s, n)				\
+  (__extension__ ({ void *__s = (s); size_t __n = (n);	\
+		    memset (__s, '\0', __n);		\
+		    __glibc_read_memory (__s, __n); }))
+#endif
 
 #ifndef _HAVE_STRING_ARCH_strchr
 extern void *__rawmemchr (const void *__s, int __c);
diff --git a/string/bits/string3.h b/string/bits/string3.h
index 8f13b65..c9e2e62 100644
--- a/string/bits/string3.h
+++ b/string/bits/string3.h
@@ -42,6 +42,7 @@ __warndecl (__warn_memset_zero_len,
 # ifdef __USE_MISC
 #  undef bcopy
 #  undef bzero
+#  undef explicit_bzero
 # endif
 #endif
 
@@ -102,6 +103,13 @@ __NTH (bzero (void *__dest, size_t __len))
 {
   (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest));
 }
+
+__fortify_function void
+__NTH (explicit_bzero (void *__dest, size_t __len))
+{
+  (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest));
+  __glibc_read_memory (__dest, __len);
+}
 #endif
 
 __fortify_function char *
-- 
2.10.2

next prev parent reply	other threads:[~2016-11-15 15:55 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-15 15:55 [PATCH 0/3] explicit_bzero v5 Zack Weinberg
2016-11-15 15:55 ` [PATCH 1/3] New string function explicit_bzero (from OpenBSD) Zack Weinberg
2016-11-15 15:55   ` Zack Weinberg [this message]
2016-11-15 15:55     ` [PATCH 3/3] Use explicit_bzero where appropriate Zack Weinberg
2016-11-16 18:38   ` [PATCH 1/3] New string function explicit_bzero (from OpenBSD) Michael Kerrisk (man-pages)
2016-11-15 16:20 ` [PATCH 0/3] explicit_bzero v5 Paul Eggert
2016-11-15 17:46   ` Zack Weinberg
2016-11-15 18:02     ` Paul Eggert
2016-11-15 18:42       ` Florian Weimer
2016-11-15 18:54         ` Zack Weinberg
2016-11-15 19:35           ` Paul Eggert
2016-11-16 14:56             ` Zack Weinberg
2016-11-16 21:38               ` Paul Eggert
2016-11-16 18:34           ` Michael Kerrisk (man-pages)
2016-11-15 19:35         ` Paul Eggert
2016-11-16 14:58           ` Zack Weinberg
2016-11-15 21:12 ` Richard Henderson
2016-11-16 14:45   ` Zack Weinberg
2016-11-16 14:58     ` Andreas Schwab
2016-11-16 15:00       ` Zack Weinberg
2016-11-16 15:09         ` Andreas Schwab
2016-11-16 15:14           ` Zack Weinberg
2016-11-16 15:22             ` Andreas Schwab
2016-11-16 20:06     ` Richard Henderson
2016-11-16  2:03 ` Joseph Myers
2016-11-16 15:06   ` Zack Weinberg
  -- strict thread matches above, loose matches on Subject: below --
2016-12-08 14:56 [PATCH 0/3] explicit_bzero v6 Zack Weinberg
2016-12-08 14:56 ` [PATCH 1/3] New string function explicit_bzero (from OpenBSD) Zack Weinberg
2016-12-08 14:56   ` [PATCH 2/3] Add fortification and inline optimization of explicit_bzero Zack Weinberg
2016-09-15 13:05 [PATCH 0/3] explicit_bzero again Zack Weinberg
2016-09-15 13:05 ` [PATCH 1/3] New string function explicit_bzero (from OpenBSD) Zack Weinberg
2016-09-15 13:05   ` [PATCH 2/3] Add fortification and inline optimization of explicit_bzero Zack Weinberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161115155509.12692-3-zackw@panix.com \
    --to=zackw@panix.com \
    --cc=carlos@redhat.com \
    --cc=fweimer@redhat.com \
    --cc=libc-alpha@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).