From: Zack Weinberg
Date: Tue, 15 Nov 2016 18:54:00 -0000
Subject: Re: [PATCH 0/3] explicit_bzero v5
To: Florian Weimer
Cc: Paul Eggert, GNU C Library, "Carlos O'Donell", "Michael Kerrisk (man-pages)"
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
In-Reply-To: <388972da-c60c-6314-b39d-db5fc818fdb8@redhat.com>
References: <20161115155509.12692-1-zackw@panix.com> <677c23f1-d10a-890d-b875-039d32a3d228@cs.ucla.edu> <03bf455b-7dc9-663b-a748-8f1da9cfcfd3@cs.ucla.edu> <388972da-c60c-6314-b39d-db5fc818fdb8@redhat.com>
X-SW-Source: 2016-11/txt/msg00507.txt.bz2

On Tue, Nov 15, 2016 at 1:42 PM, Florian Weimer wrote:
> On 11/15/2016 07:02 PM, Paul Eggert wrote:
>> On 11/15/2016 09:46 AM, Zack Weinberg wrote:
>>
>>> in any scenario where the arguments to explicit_bzero are visible to
>>> malicious code, the adversary has already won. Those arguments, after
>>> all, are either in registers or on the stack. If the adversary can
>>> read either of those, they can already learn return addresses.
>>
>> It's possible that the adversary can read the stack but not registers

If the adversary can read the stack at all, I suspect they've already won,
no matter what we do.

> I'm concerned that developers will read all these warnings and use memset
> instead (or a hand-written loop) because this appears to avoid all these
> issues.

Yeah, I'm actually worried that the warnings I already wrote are already
too over-the-top. cc:ing Michael Kerrisk - you write manpages all day,
does the documentation added in look like it would scare people off using
the function at all?

zw
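The hazard behind the man-page warnings under discussion, as an added example that is not part of the patch or of glibc: wiping one copy of a secret leaves every other copy intact, and that holds whether the wipe is memset or explicit_bzero. `secure_zero` is a hypothetical barrier-protected stand-in for explicit_bzero (GCC/Clang inline-asm syntax), and the struct, key bytes and function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

#define KEY_LEN 16

struct key { unsigned char b[KEY_LEN]; };

/* Hypothetical stand-in for explicit_bzero (not glibc's code): memset
 * followed by a compiler barrier that claims to read the memory, so the
 * zeroing cannot be discarded as a dead store the way a bare memset can. */
static void secure_zero(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* Observable result: how many bytes still hold secret data. */
static size_t nonzero_bytes(const unsigned char *p, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (p[i] != 0);
    return count;
}

/* The callee receives the key by value, so it works on a duplicate. */
static unsigned char use_and_wipe(struct key k)
{
    unsigned char x = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        x ^= k.b[i];
    secure_zero(&k, sizeof k);   /* reaches only this frame's copy */
    return x;
}

/* Nonzero bytes left in the caller's copy after the callee's wipe
 * (KEY_LEN: the by-value call duplicated the secret), or -1 if the
 * caller's own wipe then failed to clear the copy it owns. */
int leftover_after_callee_wipe(void)
{
    struct key k;
    for (size_t i = 0; i < KEY_LEN; i++)
        k.b[i] = (unsigned char)(0xA5 + i);   /* constructed secret */
    (void)use_and_wipe(k);
    int left = (int)nonzero_bytes(k.b, KEY_LEN);
    secure_zero(&k, sizeof k);                /* wipe the copy we own */
    return nonzero_bytes(k.b, KEY_LEN) ? -1 : left;
}
```

Every holder of a copy has to wipe it; the function only clears the bytes it is pointed at, and copies the compiler spilled elsewhere are out of its reach.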