Subject: Re: [PATCH 0/3] explicit_bzero v5
From: Florian Weimer
To: Paul Eggert, Zack Weinberg
Cc: GNU C Library, "Carlos O'Donell"
Date: Tue, 15 Nov 2016 18:42:00 -0000
Message-ID: <388972da-c60c-6314-b39d-db5fc818fdb8@redhat.com>
In-Reply-To: <03bf455b-7dc9-663b-a748-8f1da9cfcfd3@cs.ucla.edu>

On 11/15/2016 07:02 PM, Paul Eggert wrote:
> On 11/15/2016 09:46 AM, Zack Weinberg wrote:
>
>> in any scenario where the arguments to explicit_bzero are visible to
>> malicious code, the adversary has already won. Those arguments, after
>> all, are either in registers or on the stack. If the adversary can
>> read either of those, they can already learn return addresses.
>
> It's possible that the adversary can read the stack but not registers,
> that the object address is already in a register but not in the stack,
> and that the call to explicit_bzero copies the address to the stack,
> making the address visible to the attacker. Perhaps something like the
> following instead?
>
> @strong{Warning:} Calling @code{explicit_bzero} may copy the
> object's address from a register to the stack, thereby exposing
> the address to other parts of the program (e.g., another thread),
> which may defeat address space layout randomization.

I'm concerned that developers will read all these warnings and use
memset instead (or a hand-written loop) because this appears to avoid
all these issues.

Florian
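The concern above is that a reader who sees the warnings will reach for memset instead, which the optimizer may drop as a dead store once the buffer is never read again. The following is an added example, not code from this thread or from glibc: a small scrub helper that uses explicit_bzero where glibc 2.25 or later provides it and a volatile-store loop otherwise, with a driver that fills a stack buffer with constructed key bytes, consumes them, scrubs, and returns how many nonzero bytes survived. The names secret_scrub and scrub_demo and the key bytes are assumptions for the example.

```c
/* Added example (not from the libc-alpha thread): scrub a secret with
   explicit_bzero() when glibc provides it, otherwise with volatile stores.
   secret_scrub(), scrub_demo() and the key bytes are constructed here. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>

/* explicit_bzero() entered glibc in 2.25; older or non-glibc C libraries
   fall back to the volatile loop below. */
#ifdef __GLIBC__
# if __GLIBC_PREREQ(2, 25)
#  define HAVE_EXPLICIT_BZERO 1
# endif
#endif

/* Scrub n bytes at p. A plain memset() here is a dead store once the buffer
   is never read again, so the optimizer is allowed to remove it; stores
   made by explicit_bzero() or through a volatile pointer are kept. */
static void secret_scrub(void *p, size_t n)
{
#ifdef HAVE_EXPLICIT_BZERO
    explicit_bzero(p, n);
#else
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
#endif
}

/* Simulate "use a key, then clear it": fill a stack buffer with constructed
   key material, fold it into a checksum (the "use"), scrub the buffer, and
   count the bytes that are still nonzero. Returns that count (expected 0). */
int scrub_demo(void)
{
    unsigned char key[32];
    unsigned int checksum = 0;
    size_t i, leftover = 0;

    for (i = 0; i < sizeof key; i++)
        key[i] = (unsigned char)(0xA5 ^ i);   /* constructed key bytes */
    for (i = 0; i < sizeof key; i++)
        checksum = checksum * 31u + key[i];   /* the only legitimate use */
    (void)checksum;

    secret_scrub(key, sizeof key);

    for (i = 0; i < sizeof key; i++)
        leftover += key[i] != 0;
    return (int)leftover;
}
```

The loop that counts leftover bytes exists only so the example can check itself; in real code the buffer is simply not read again after the scrub, which is exactly the situation in which a memset would be a candidate for dead-store elimination.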