On 2019-07-05 23:02, Thomas Munro wrote: > On Sat, Jul 6, 2019 at 1:07 AM Peter Eisentraut > <peter.eisentr...@2ndquadrant.com> wrote: >> On 2019-07-05 14:06, Thomas Munro wrote: >>> +#ifndef HAVE_EXPLICIT_BZERO >>> +#define explicit_bzero(b, len) memset(b, 0, len) >>> +#endif >>> >>> I noticed some other libraries use memset through a function pointer >>> or at least define a function the compiler can't see. >> >> I don't understand what you are getting at here. > > Do we want to provide a replacement implementation that actually > prevents the compiler from generating no code in some circumstances? > Then I think we need at least a function defined in another > translation unit so the compiler can't see what it does, no?
I see. My premise, which should perhaps be explained in a comment at least, is that on an operating system that does not provide explicit_bzero() (or an obvious alternative), we don't care about addressing this particular security concern, since the rest of the operating system won't be secure in this way either. It shouldn't be our job to fight this battle if the rest of the OS doesn't care. An alternative patch would define explicit_bzero() to nothing if not available. But that might create bugs if subsequent code relies on the memory being zeroed, independent of security concerns, so I changed it to use memset() so that at least logically both code paths are the same. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services