[NEWS:]
The new function explicit_bzero is functionally identical to bzero,
but the compiler will not delete a call to it, even if the memory
region it's applied to is dead after the call. You should use this
function, for instance, to erase cryptographic keys or similar when
you are done with them. Taken from OpenBSD.
[ChangeLog:]
* manual/string.texi: Document new function explicit_bzero.
* string/Versions [GLIBC_2.23]: Add explicit_bzero.
* string/string.h [__USE_MISC]: Declare explicit_bzero.
* string/bits/string2.h: Optimize explicit_bzero when possible.
* string/bits/string3.h: Fortify explicit_bzero. Remove stray
blank lines.
* string/test-explicit_bzero.c: New file, basic test for
explicit_bzero.
* string/Makefile, string/test-memset.c: Support the new test.
* string/bzero.c
* sysdeps/aarch64/bzero.S
* sysdeps/alpha/bzero.S
* sysdeps/i386/bzero.c
* sysdeps/i386/i586/bzero.S
* sysdeps/i386/i686/bzero.S
* sysdeps/powerpc/powerpc32/bzero.S
* sysdeps/powerpc/powerpc32/power4/multiarch/bzero.c
* sysdeps/powerpc/powerpc64/memset.S
* sysdeps/powerpc/powerpc64/multiarch/bzero.c
* sysdeps/powerpc/powerpc64/power4/memset.S
* sysdeps/powerpc/powerpc64/power6/memset.S
* sysdeps/powerpc/powerpc64/power7/memset.S
* sysdeps/powerpc/powerpc64/power8/memset.S
* sysdeps/s390/s390-32/bzero.S
* sysdeps/s390/s390-64/bzero.S
* sysdeps/sparc/sparc32/memset.S
* sysdeps/sparc/sparc64/memset.S
* sysdeps/sparc/sparc64/multiarch/memset.S
* sysdeps/tile/bzero.S
* sysdeps/x86_64/memset.S:
Declare explicit_bzero as weak alias of __bzero.
* debug/explicit_bzero_chk.c: New file.
* debug/Makefile: Compile it.
* debug/Versions [GLIBC_2.23]: Add __explicit_bzero_chk.
* debug/tst-chk1.c: Test fortification of explicit_bzero,
and also bzero and bcopy, while we're at it.
* include/string.h: Add libc_hidden_proto for __memset_chk.
* debug/memset_chk.c: Add libc_hidden_def for __memset_chk.
En passant, convert to prototyped function definition and
remove unnecessary #include.
* sysdeps/i386/i586/memset.S
* sysdeps/i386/i686/memset.S
* sysdeps/i386/i686/multiarch/memset.S
* sysdeps/x86_64/memset.S
* sysdeps/x86_64/multiarch/memset.S:
Add libc_hidden_builtin_def for __memset_chk.
* sysdeps/arm/nacl/libc.abilist
* sysdeps/unix/sysv/linux/aarch64/libc.abilist
* sysdeps/unix/sysv/linux/alpha/libc.abilist
* sysdeps/unix/sysv/linux/arm/libc.abilist
* sysdeps/unix/sysv/linux/hppa/libc.abilist
* sysdeps/unix/sysv/linux/i386/libc.abilist
* sysdeps/unix/sysv/linux/ia64/libc.abilist
* sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
* sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
* sysdeps/unix/sysv/linux/microblaze/libc.abilist
* sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
* sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist
* sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
* sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
* sysdeps/unix/sysv/linux/nios2/libc.abilist
* sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
* sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
* sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist
* sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist
* sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
* sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
* sysdeps/unix/sysv/linux/sh/libc.abilist
* sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
* sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
* sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist
* sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist
* sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist
* sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
* sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist:
Add GLIBC_2.23 stanza containing explicit_bzero and
__explicit_bzero_chk.
---
debug/Makefile | 1 +
debug/Versions | 3 +
debug/explicit_bzero_chk.c | 28 ++++++
debug/memset_chk.c | 8 +-
debug/tst-chk1.c | 89 ++++++++++++++++++
include/string.h | 4 +
manual/string.texi | 101 +++++++++++++++++++++
string/Makefile | 3 +-
string/Versions | 3 +
string/bits/string2.h | 28 ++++++
string/bits/string3.h | 43 ++++++++-
string/bzero.c | 1 +
string/string.h | 4 +
string/test-explicit_bzero.c | 21 +++++
string/test-memset.c | 10 +-
sysdeps/aarch64/bzero.S | 1 +
sysdeps/alpha/bzero.S | 1 +
sysdeps/arm/nacl/libc.abilist | 4 +
sysdeps/i386/bzero.c | 1 +
sysdeps/i386/i586/bzero.S | 1 +
sysdeps/i386/i586/memset.S | 1 +
sysdeps/i386/i686/bzero.S | 1 +
sysdeps/i386/i686/memset.S | 1 +
sysdeps/i386/i686/multiarch/memset.S | 8 +-
sysdeps/powerpc/powerpc32/bzero.S | 1 +
sysdeps/powerpc/powerpc32/power4/multiarch/bzero.c | 1 +
sysdeps/powerpc/powerpc64/memset.S | 1 +
sysdeps/powerpc/powerpc64/multiarch/bzero.c | 1 +
sysdeps/powerpc/powerpc64/power4/memset.S | 1 +
sysdeps/powerpc/powerpc64/power6/memset.S | 1 +
sysdeps/powerpc/powerpc64/power7/memset.S | 1 +
sysdeps/powerpc/powerpc64/power8/memset.S | 1 +
sysdeps/s390/s390-32/bzero.S | 1 +
sysdeps/s390/s390-64/bzero.S | 1 +
sysdeps/sparc/sparc32/memset.S | 1 +
sysdeps/sparc/sparc64/memset.S | 1 +
sysdeps/sparc/sparc64/multiarch/memset.S | 1 +
sysdeps/tile/bzero.S | 1 +
sysdeps/unix/sysv/linux/aarch64/libc.abilist | 4 +
sysdeps/unix/sysv/linux/alpha/libc.abilist | 4 +
sysdeps/unix/sysv/linux/arm/libc.abilist | 4 +
sysdeps/unix/sysv/linux/hppa/libc.abilist | 4 +
sysdeps/unix/sysv/linux/i386/libc.abilist | 4 +
sysdeps/unix/sysv/linux/ia64/libc.abilist | 4 +
sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist | 4 +
sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist | 4 +
sysdeps/unix/sysv/linux/microblaze/libc.abilist | 4 +
.../unix/sysv/linux/mips/mips32/fpu/libc.abilist | 4 +
.../unix/sysv/linux/mips/mips32/nofpu/libc.abilist | 4 +
.../unix/sysv/linux/mips/mips64/n32/libc.abilist | 4 +
.../unix/sysv/linux/mips/mips64/n64/libc.abilist | 4 +
sysdeps/unix/sysv/linux/nios2/libc.abilist | 4 +
.../sysv/linux/powerpc/powerpc32/fpu/libc.abilist | 4 +
.../linux/powerpc/powerpc32/nofpu/libc.abilist | 4 +
.../sysv/linux/powerpc/powerpc64/libc-le.abilist | 4 +
.../unix/sysv/linux/powerpc/powerpc64/libc.abilist | 4 +
sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist | 4 +
sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist | 4 +
sysdeps/unix/sysv/linux/sh/libc.abilist | 4 +
sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist | 4 +
sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist | 4 +
.../sysv/linux/tile/tilegx/tilegx32/libc.abilist | 4 +
.../sysv/linux/tile/tilegx/tilegx64/libc.abilist | 4 +
sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist | 4 +
sysdeps/unix/sysv/linux/x86_64/64/libc.abilist | 4 +
sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist | 4 +
sysdeps/x86_64/memset.S | 2 +
sysdeps/x86_64/multiarch/memset.S | 2 +-
68 files changed, 479 insertions(+), 17 deletions(-)
create mode 100644 debug/explicit_bzero_chk.c
create mode 100644 string/test-explicit_bzero.c
@@ -29,6 +29,7 @@ headers := execinfo.h
# build, its _FORTIFY_SOURCE support will be too.
routines = backtrace backtracesyms backtracesymsfd noophooks \
memcpy_chk memmove_chk mempcpy_chk memset_chk stpcpy_chk \
+ explicit_bzero_chk \
strcat_chk strcpy_chk strncat_chk strncpy_chk stpncpy_chk \
sprintf_chk vsprintf_chk snprintf_chk vsnprintf_chk \
printf_chk fprintf_chk vprintf_chk vfprintf_chk \
@@ -55,6 +55,9 @@ libc {
GLIBC_2.16 {
__poll_chk; __ppoll_chk;
}
+ GLIBC_2.23 {
+ __explicit_bzero_chk;
+ }
GLIBC_PRIVATE {
__fortify_fail;
}
new file mode 100644
@@ -0,0 +1,28 @@
+/* Copyright (C) 1991-2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <string.h>
+
+/* This has to be an exported symbol, unlike for plain bzero, because
+ bits/string3.h cannot always optimize explicit_bzero to memset.
+ See comments there, and "Erasing Sensitive Data" in the manual. */
+
+void
+__explicit_bzero_chk (void *dstpp, size_t len, size_t dstlen)
+{
+ (void) __memset_chk (dstpp, 0, len, dstlen);
+}
@@ -16,17 +16,13 @@
<http://www.gnu.org/licenses/>. */
#include <string.h>
-#include <memcopy.h>
void *
-__memset_chk (dstpp, c, len, dstlen)
- void *dstpp;
- int c;
- size_t len;
- size_t dstlen;
+__memset_chk (void *dstpp, int c, size_t len, size_t dstlen)
{
if (__glibc_unlikely (dstlen < len))
__chk_fail ();
return memset (dstpp, c, len);
}
+libc_hidden_def (__memset_chk)
@@ -143,6 +143,11 @@ do_test (void)
if (memcmp (buf, "aabcdefghi", 10))
FAIL ();
+ memcpy (buf, "abcdefghij", 10);
+ bcopy (buf, buf + 1, 9);
+ if (memcmp (buf, "aabcdefghi", 10))
+ FAIL ();
+
if (mempcpy (buf + 5, "abcde", 5) != buf + 10
|| memcmp (buf, "aabcdabcde", 10))
FAIL ();
@@ -151,6 +156,14 @@ do_test (void)
if (memcmp (buf, "aabcdabcjj", 10))
FAIL ();
+ bzero (buf + 8, 2);
+ if (memcmp (buf, "aabcdabc\0\0", 10))
+ FAIL ();
+
+ explicit_bzero (buf + 6, 4);
+ if (memcmp (buf, "aabcda\0\0\0\0", 10))
+ FAIL ();
+
strcpy (buf + 4, "EDCBA");
if (memcmp (buf, "aabcEDCBA", 10))
FAIL ();
@@ -175,6 +188,11 @@ do_test (void)
if (memcmp (buf, "aabcdefghi", 10))
FAIL ();
+ memcpy (buf, "abcdefghij", l0 + 10);
+ bcopy (buf, buf + 1, l0 + 9);
+ if (memcmp (buf, "aabcdefghi", 10))
+ FAIL ();
+
if (mempcpy (buf + 5, "abcde", l0 + 5) != buf + 10
|| memcmp (buf, "aabcdabcde", 10))
FAIL ();
@@ -183,6 +201,14 @@ do_test (void)
if (memcmp (buf, "aabcdabcjj", 10))
FAIL ();
+ bzero (buf + 8, l0 + 2);
+ if (memcmp (buf, "aabcdabc\0\0", 10))
+ FAIL ();
+
+ explicit_bzero (buf + 6, l0 + 4);
+ if (memcmp (buf, "aabcda\0\0\0\0", 10))
+ FAIL ();
+
strcpy (buf + 4, str1 + 5);
if (memcmp (buf, "aabcEDCBA", 10))
FAIL ();
@@ -214,11 +240,18 @@ do_test (void)
if (memcmp (buf, "aabcEcdZY", 10))
FAIL ();
+ /* The following tests are supposed to succeed at all fortify
+ levels, even though they overflow a.buf1 into a.buf2. */
memcpy (a.buf1, "abcdefghij", l0 + 10);
memmove (a.buf1 + 1, a.buf1, l0 + 9);
if (memcmp (a.buf1, "aabcdefghi", 10))
FAIL ();
+ memcpy (a.buf1, "abcdefghij", l0 + 10);
+ bcopy (a.buf1, a.buf1 + 1, l0 + 9);
+ if (memcmp (a.buf1, "aabcdefghi", 10))
+ FAIL ();
+
if (mempcpy (a.buf1 + 5, "abcde", l0 + 5) != a.buf1 + 10
|| memcmp (a.buf1, "aabcdabcde", 10))
FAIL ();
@@ -227,6 +260,14 @@ do_test (void)
if (memcmp (a.buf1, "aabcdabcjj", 10))
FAIL ();
+ bzero (a.buf1 + 8, l0 + 2);
+ if (memcmp (a.buf1, "aabcdabc\0\0", 10))
+ FAIL ();
+
+ explicit_bzero (a.buf1 + 6, l0 + 4);
+ if (memcmp (a.buf1, "aabcda\0\0\0\0", 10))
+ FAIL ();
+
#if __USE_FORTIFY_LEVEL < 2
/* The following tests are supposed to crash with -D_FORTIFY_SOURCE=2
and sufficient GCC support, as the string operations overflow
@@ -285,6 +326,14 @@ do_test (void)
CHK_FAIL_END
CHK_FAIL_START
+ bcopy (buf + 1, buf + 2, 9);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ bcopy (buf + 1, buf + 2, l0 + 9);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
p = (char *) mempcpy (buf + 6, "abcde", 5);
CHK_FAIL_END
@@ -301,6 +350,22 @@ do_test (void)
CHK_FAIL_END
CHK_FAIL_START
+ bzero (buf + 9, 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ bzero (buf + 9, l0 + 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ explicit_bzero (buf + 9, 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ explicit_bzero (buf + 9, l0 + 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
strcpy (buf + 5, str1 + 5);
CHK_FAIL_END
@@ -378,6 +443,14 @@ do_test (void)
CHK_FAIL_END
CHK_FAIL_START
+ bcopy (a.buf1 + 1, a.buf1 + 2, 9);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ bcopy (a.buf1 + 1, a.buf1 + 2, l0 + 9);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
p = (char *) mempcpy (a.buf1 + 6, "abcde", 5);
CHK_FAIL_END
@@ -393,6 +466,22 @@ do_test (void)
memset (a.buf1 + 9, 'j', l0 + 2);
CHK_FAIL_END
+ CHK_FAIL_START
+ bzero (a.buf1 + 9, 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ bzero (a.buf1 + 9, l0 + 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ explicit_bzero (a.buf1 + 9, 2);
+ CHK_FAIL_END
+
+ CHK_FAIL_START
+ explicit_bzero (a.buf1 + 9, l0 + 2);
+ CHK_FAIL_END
+
# if __USE_FORTIFY_LEVEL >= 2
# define O 0
# else
@@ -160,6 +160,10 @@ extern char *__strcat_chk (char *__restrict __dest,
extern char *__strncat_chk (char *__restrict __dest,
const char *__restrict __src,
size_t __len, size_t __destlen) __THROW;
+
+/* Used by __explicit_bzero_chk. */
+libc_hidden_proto (__memset_chk)
+
#endif
#endif
@@ -33,6 +33,8 @@ too.
* Search Functions:: Searching for a specific element or substring.
* Finding Tokens in a String:: Splitting a string into tokens by looking
for delimiters.
+* Erasing Sensitive Data:: Clearing memory which contains sensitive
+ data, after it's no longer needed.
* strfry:: Function for flash-cooking a string.
* Trivial Encryption:: Obscuring data.
* Encode Binary Data:: Encoding and Decoding of Binary Data.
@@ -2303,6 +2305,105 @@ contains no '/' characters, then "." is returned. The prototype for this
function can be found in @file{libgen.h}.
@end deftypefun
+@node Erasing Sensitive Data
+@section Erasing Sensitive Data
+
+It is sometimes necessary to make sure that a block of data in memory
+is erased after use, even if no correct C program could access it
+again. For instance, a cryptographic key should not be allowed to
+survive on the stack after the program is finished using it, because
+there might be a bug that causes junk stack data, including the key,
+to be revealed to the outside world. @code{memset} and @code{bzero}
+are not safe to use for this, because the C compiler knows what they
+do, and can delete ``unnecessary'' calls to them. For this situation,
+@theglibc{} provides @code{explicit_bzero}, which is functionally
+identical to @code{bzero}, except that the C compiler will @emph{not}
+delete apparently-unnecessary calls.
+
+@comment string.h
+@comment BSD
+@deftypefun void explicit_bzero (void *@var{block}, size_t @var{len})
+@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
+
+@code{explicit_bzero} writes zero into each of the first @var{len}
+bytes of the object beginning at @var{block}, just as @code{bzero}
+would. The compiler will not delete a call to this function, even
+if the object beginning at @var{block} is never referred to again.
+
+@smallexample
+#include <string.h>
+
+extern void encrypt (const char *key, const char *in,
+ char *out, size_t n);
+extern void genkey (const char *phrase, char *key);
+
+void encrypt_with_phrase (const char *phrase, const char *in,
+ char *out, size_t n)
+@{
+ char key[16];
+ genkey (phrase, key);
+ encrypt (key, in, out, n);
+ explicit_bzero (key, 16);
+@}
+@end smallexample
+
+@noindent
+If @code{bzero} or @code{memset} had been used in this function, the C
+compiler might remove it as unnecessary, but it will not do this with
+@code{explicit_bzero}.
+
+@strong{Warning:} The @emph{only} optimization disabled by
+@code{explicit_bzero} is removal of ``unnecessary'' calls. In all
+other respects, the compiler is allowed to optimize as it would for
+@code{memset}. For instance, it may deduce that @var{block} cannot be
+a null pointer, and propagate this information both forward and
+backward in control flow.
+
+@strong{Warning:} The compiler is free to make additional copies of
+any object, or parts of it, in temporary storage areas (such as
+registers and ``scratch'' stack space). @code{explicit_bzero} does
+not guarantee that temporary copies of sensitive data are destroyed.
+In fact, in some situations, using @code{explicit_bzero} will
+@emph{cause} creation of an additional copy, and only that copy will
+be cleared:
+
+@smallexample
+#include <string.h>
+
+struct key @{
+ unsigned long long low;
+ unsigned long long high;
+@};
+
+struct key get_key(void);
+void use_key(struct key);
+
+void
+with_clear(void)
+@{
+ struct key k;
+ k = get_key();
+ use_key(k);
+ explicit_bzero(&k, sizeof(k));
+@}
+@end smallexample
+
+@noindent
+Without the call to @code{explicit_bzero}, @var{k} might not need to
+be stored in memory: depending on the ABI, its value could be returned
+from @code{get_key} and passed to @code{use_key} using only CPU
+registers. @code{explicit_bzero} operates on memory, so the compiler
+has to make a copy of @var{k} in memory for it, and the copy in the
+CPU registers remains intact. This can occur for any variable whose
+address is only taken in a call to @code{explicit_bzero}, even if it
+might seem ``too large'' to be stored in registers.
+
+@strong{Portability Note:} This function first appeared in OpenBSD 5.5
+and has not been standardized. @Theglibc{} declares this function in
+@file{string.h}, but on other systems it may be in @file{strings.h}
+instead.
+@end deftypefun
+
@node strfry
@section strfry
@@ -47,7 +47,8 @@ strop-tests := memchr memcmp memcpy memmove mempcpy memset memccpy \
stpcpy stpncpy strcat strchr strcmp strcpy strcspn \
strlen strncmp strncpy strpbrk strrchr strspn memmem \
strstr strcasestr strnlen strcasecmp strncasecmp \
- strncat rawmemchr strchrnul bcopy bzero memrchr
+ strncat rawmemchr strchrnul bcopy bzero memrchr \
+ explicit_bzero
tests := tester inl-tester noinl-tester testcopy test-ffs \
tst-strlen stratcliff tst-svc tst-inlcall \
bug-strncat1 bug-strspn1 bug-strpbrk1 tst-bswap \
@@ -80,4 +80,7 @@ libc {
GLIBC_2.6 {
strerror_l;
}
+ GLIBC_2.23 {
+ explicit_bzero;
+ }
}
@@ -194,6 +194,34 @@ __STRING2_COPY_TYPE (8);
# define __bzero(s, n) __builtin_memset (s, '\0', n)
# endif
+#endif /* !_HAVE_STRING_ARCH_memset */
+
+/* explicit_bzero can be optimized to memset plus a vacuous (but
+ non-deletable) use of the memory region, thus enabling all the
+ usual memset optimizations.
+
+ The __asm__ construct used below is known to work with GCC 4 and
+ later, when the size of the memory region is constant. It's not
+ documented to work otherwise. Moreover, even when guarded by
+ __builtin_constant_p, 'struct {char __x[n];}', where 'n' isn't
+ _syntactically_ an integer constant expression, is a hard error for
+ GCC when compiling C++, and a hard error for clang in both C and C++. */
+
+#ifdef __USE_MISC
+# if __GNUC_PREREQ (4, 0) && !defined __clang__ && !defined __cplusplus
+__STRING_INLINE void
+__explicit_bzero_constn (void *__s, size_t __n)
+{
+ typedef struct {char __x[__n];} __memblk;
+ memset (__s, 0, __n);
+ __asm__ ("" : : "m" (*(__memblk __attribute__ ((__may_alias__)) *)__s));
+}
+
+# define explicit_bzero(s, n) \
+ (__extension__ (__builtin_constant_p (n) && (n) > 0 \
+ ? __explicit_bzero_constn (s, n) \
+ : explicit_bzero (s, n)))
+# endif
#endif
@@ -42,10 +42,10 @@ __warndecl (__warn_memset_zero_len,
# ifdef __USE_MISC
# undef bcopy
# undef bzero
+# undef explicit_bzero
# endif
#endif
-
__fortify_function void *
__NTH (memcpy (void *__restrict __dest, const void *__restrict __src,
size_t __len))
@@ -68,7 +68,6 @@ __NTH (mempcpy (void *__restrict __dest, const void *__restrict __src,
}
#endif
-
/* The first two tests here help to catch a somewhat common problem
where the second and third parameter are transposed. This is
especially problematic if the intended fill value is zero. In this
@@ -102,6 +101,43 @@ __NTH (bzero (void *__dest, size_t __len))
{
(void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest));
}
+
+/* XXX We have no corresponding builtin yet.
+
+ __explicit_bzero_chk can be optimized to __builtin___memset_chk
+ plus a vacuous (but non-deletable) use of the memory region, thus
+ enabling all the usual memset optimizations.
+
+ The __asm__ construct used below is known to work with GCC 4 and
+ later, when the size of the memory region is constant. It's not
+ documented to work otherwise. Moreover, even when guarded by
+ __builtin_constant_p, 'struct {char __x[n];}', where 'n' isn't
+ _syntactically_ an integer constant expression, is a hard error for
+ GCC when compiling C++, and a hard error for clang in both C and C++. */
+
+extern void __explicit_bzero_chk (void *__dest, size_t __len, size_t __dstlen);
+extern void __REDIRECT_NTH (__explicit_bzero_alias,
+ (void *__dest, size_t __len),
+ explicit_bzero);
+
+__fortify_function void
+__NTH (explicit_bzero (void *__dest, size_t __len))
+{
+# if __GNUC_PREREQ (4, 0) && !defined __clang__ && !defined __cplusplus
+ if (__builtin_constant_p (__len) && __len > 0)
+ {
+ (void) __builtin___memset_chk (__dest, '\0', __len, __bos0 (__dest));
+ typedef struct { char __x[__len]; } __memblk;
+ __asm__ ("" :: "m" (*(__memblk __attribute__ ((__may_alias__)) *)__dest));
+ }
+ else
+# endif
+ if (__bos0 (__dest) != (size_t) -1
+ && (!__builtin_constant_p (__len) || __len > __bos0 (__dest)))
+ __explicit_bzero_chk (__dest, __len, __bos0 (__dest));
+ else
+ __explicit_bzero_alias (__dest, __len);
+}
#endif
__fortify_function char *
@@ -118,7 +154,6 @@ __NTH (stpcpy (char *__restrict __dest, const char *__restrict __src))
}
#endif
-
__fortify_function char *
__NTH (strncpy (char *__restrict __dest, const char *__restrict __src,
size_t __len))
@@ -141,14 +176,12 @@ __NTH (stpncpy (char *__dest, const char *__src, size_t __n))
return __stpncpy_alias (__dest, __src, __n);
}
-
__fortify_function char *
__NTH (strcat (char *__restrict __dest, const char *__restrict __src))
{
return __builtin___strcat_chk (__dest, __src, __bos (__dest));
}
-
__fortify_function char *
__NTH (strncat (char *__restrict __dest, const char *__restrict __src,
size_t __len))
@@ -27,3 +27,4 @@ __bzero (void *s, size_t len)
memset (s, '\0', len);
}
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -453,6 +453,10 @@ extern void bcopy (const void *__src, void *__dest, size_t __n)
/* Set N bytes of S to 0. */
extern void bzero (void *__s, size_t __n) __THROW __nonnull ((1));
+/* As bzero, but the compiler will not delete a call to this
+ function, even if S is dead after the call. */
+extern void explicit_bzero (void *__s, size_t __n) __THROW __nonnull ((1));
+
/* Compare N bytes of S1 and S2 (same as memcmp). */
extern int bcmp (const void *__s1, const void *__s2, size_t __n)
__THROW __attribute_pure__ __nonnull ((1, 2));
new file mode 100644
@@ -0,0 +1,21 @@
+/* Test and measure explicit_bzero.
+ Copyright (C) 2012-2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#define TEST_EXPLICIT_BZERO
+#define TEST_BZERO
+#include "test-memset.c"
@@ -19,7 +19,11 @@
#define TEST_MAIN
#ifdef TEST_BZERO
-# define TEST_NAME "bzero"
+# ifdef TEST_EXPLICIT_BZERO
+# define TEST_NAME "explicit_bzero"
+# else
+# define TEST_NAME "bzero"
+# endif
#else
# define TEST_NAME "memset"
#endif
@@ -35,7 +39,11 @@ void builtin_bzero (char *, size_t);
IMPL (simple_bzero, 0)
IMPL (builtin_bzero, 0)
+#ifdef TEST_EXPLICIT_BZERO
+IMPL (explicit_bzero, 1)
+#else
IMPL (bzero, 1)
+#endif
void
simple_bzero (char *s, size_t n)
@@ -25,3 +25,4 @@ ENTRY(__bzero)
b __memset
END(__bzero)
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -108,3 +108,4 @@ $done: ret
cfi_endproc
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -1835,3 +1835,7 @@ GLIBC_2.22
write F
writev F
wscanf F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -76,6 +76,7 @@ __bzero (dstpp, len)
"memory");
}
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#else
#include <string/bzero.c>
@@ -1,3 +1,4 @@
#define memset __bzero
#include <sysdeps/i386/i586/memset.S>
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -119,3 +119,4 @@ L(2): shrl $2, %ecx /* convert byte count to longword count */
#endif
END (memset)
libc_hidden_builtin_def (memset)
+libc_hidden_builtin_def (__memset_chk)
@@ -1,3 +1,4 @@
#define memset __bzero
#include <sysdeps/i386/i686/memset.S>
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -98,6 +98,7 @@ ENTRY (memset)
#endif
END (memset)
libc_hidden_builtin_def (memset)
+libc_hidden_builtin_def (__memset_chk)
#if defined PIC && IS_IN (libc) && !BZERO_P
strong_alias (__memset_chk, __memset_zero_constant_len_parameter)
@@ -63,9 +63,11 @@ END(memset)
# undef libc_hidden_builtin_def
/* IFUNC doesn't work with the hidden functions in shared library since
they will be called without setting up EBX needed for PLT which is
- used by IFUNC. */
-# define libc_hidden_builtin_def(name) \
- .globl __GI_memset; __GI_memset = __memset_ia32
+ used by IFUNC. ../memset.S will barf if we #define memset, so we
+ must instead create the necessary __GI_ symbols manually. */
+# define libc_hidden_builtin_def(name) /* disable */
+ .globl __GI_memset; __GI_memset = __memset_ia32
+ .globl __GI___memset_chk; __GI__memset_chk = __memset_chk_ia32
# endif
# undef strong_alias
@@ -25,3 +25,4 @@ ENTRY (__bzero)
b memset@local
END (__bzero)
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -34,4 +34,5 @@ libc_ifunc (__bzero,
: __bzero_ppc);
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -258,4 +258,5 @@ ENTRY (__bzero)
END_GEN_TB (__bzero,TB_TOCLESS)
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -40,4 +40,5 @@ libc_ifunc (__bzero,
: __bzero_ppc);
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -245,4 +245,5 @@ ENTRY (__bzero)
END (__bzero)
#ifndef __bzero
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -389,4 +389,5 @@ ENTRY (__bzero)
END (__bzero)
#ifndef __bzero
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -393,4 +393,5 @@ ENTRY (__bzero)
END (__bzero)
#ifndef __bzero
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -451,4 +451,5 @@ ENTRY (__bzero)
END (__bzero)
#ifndef __bzero
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -39,4 +39,5 @@ END(__bzero)
#ifndef NO_WEAK_ALIAS
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -38,4 +38,5 @@ END(__bzero)
#ifndef NO_WEAK_ALIAS
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
#endif
@@ -152,3 +152,4 @@ END(memset)
libc_hidden_builtin_def (memset)
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -312,3 +312,4 @@ ENTRY(__bzero)
END(__bzero)
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -107,6 +107,7 @@ ENTRY(__bzero)
END(__bzero)
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
# undef weak_alias
# define weak_alias(a, b)
@@ -28,3 +28,4 @@ ENTRY(__bzero)
j __memset
END(__bzero)
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
@@ -2084,3 +2084,7 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -1825,6 +1825,10 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.2
GLIBC_2.2 A
_IO_adjust_wcolumn F
@@ -92,6 +92,10 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.4
GLIBC_2.4 A
_Exit F
@@ -98,6 +98,10 @@ GLIBC_2.19
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.2
GLIBC_2.2 A
_Exit F
@@ -2026,6 +2026,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1884,6 +1884,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -93,6 +93,10 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.4
GLIBC_2.4 A
_Exit F
@@ -1982,6 +1982,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -2083,3 +2083,7 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -1954,6 +1954,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1952,6 +1952,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1950,6 +1950,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1944,6 +1944,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -2124,3 +2124,7 @@ GLIBC_2.21
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -1986,6 +1986,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1992,6 +1992,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -2172,3 +2172,7 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -93,6 +93,10 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
_Exit F
@@ -1987,6 +1987,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1883,6 +1883,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1867,6 +1867,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1978,6 +1978,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -1911,6 +1911,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -2094,3 +2094,7 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -2094,3 +2094,7 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -2094,3 +2094,7 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -1857,6 +1857,10 @@ GLIBC_2.2.6
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
GLIBC_2.3
GLIBC_2.3 A
__ctype_b_loc F
@@ -2092,3 +2092,7 @@ GLIBC_2.18
GLIBC_2.22
GLIBC_2.22 A
fmemopen F
+GLIBC_2.23
+ GLIBC_2.23 A
+ __explicit_bzero_chk F
+ explicit_bzero F
@@ -28,6 +28,7 @@ ENTRY(__bzero)
jmp L(entry_from_bzero)
END(__bzero)
weak_alias (__bzero, bzero)
+weak_alias (__bzero, explicit_bzero)
/* Like memset but takes additional parameter with return value. */
ENTRY(__memset_tail)
@@ -124,6 +125,7 @@ L(between8_16bytes):
END (memset)
libc_hidden_builtin_def (memset)
+libc_hidden_builtin_def (__memset_chk)
#if defined PIC && IS_IN (libc) && !defined USE_MULTIARCH
strong_alias (__memset_chk, __memset_zero_constant_len_parameter)
@@ -48,7 +48,7 @@ END(memset)
The speedup we get from using GPR instruction is likely eaten away
by the indirect call in the PLT. */
# define libc_hidden_builtin_def(name) \
- .globl __GI_memset; __GI_memset = __memset_sse2
+ .globl __GI_##name; __GI_##name = name
# endif
# undef strong_alias
--
2.5.1