On Mon, 2012-12-03 at 15:34 +0100, Pavel Březina wrote:
> On 12/02/2012 05:59 AM, Simo Sorce wrote:
> > This is useful for wiping passwords, as it prevents the compiler from
> > optimizing out a memset to zero before a free()
> > ---
> >   src/util/util.c |    9 +++++++++
> >   src/util/util.h |    9 +++++++++
> >   2 files changed, 18 insertions(+), 0 deletions(-)
> >
> > diff --git a/src/util/util.c b/src/util/util.c
> > index 
> > ab980775a1e4c87b16d32220bccda6cb644e0756..f268fbcd564cd93a2e63097c595cf19b65eb6800
> >  100644
> > --- a/src/util/util.c
> > +++ b/src/util/util.c
> > @@ -700,3 +700,12 @@ bool string_in_list(const char *string, char **list, 
> > bool case_sensitive)
> >
> >       return false;
> >   }
> > +
> > +void safezero(void *data, size_t size)
> > +{
> > +    volatile uint8_t *p = data;
> > +
> > +    while (size--) {
> > +        *p++ = 0;
> > +    }
> > +}
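Review bot: the volatile-pointer loop is the right fix for the dead-store elimination described in the commit message, but the body of safezero() in util.c carries no comment saying so; only the util.h doc comment does. A one-line comment next to the loop ("volatile so the compiler cannot drop these stores; do not replace with memset()") would stop a later cleanup from folding it back into memset(). Also confirm that util.c already reaches <stdint.h> (uint8_t) and <stddef.h> (size_t) through its existing includes, since this hunk adds none.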
> > diff --git a/src/util/util.h b/src/util/util.h
> > index 
> > c15ca668392105447d073c40666953a0145d375a..1c5f3fc52292e251bf7b8ad4d5b03a9d8a0a3243
> >  100644
> > --- a/src/util/util.h
> > +++ b/src/util/util.h
> > @@ -540,6 +540,15 @@ errno_t add_string_to_list(TALLOC_CTX *mem_ctx, const 
> > char *string,
> >
> >   bool string_in_list(const char *string, char **list, bool case_sensitive);
> >
> > +/**
> > + * @brief Safely zero a segment of memory,
> > + *        prevents the compiler from optimizing out
> > + *
> > + * @param data   The address of buffer to wipe
> > + * @param s      Size of the buffer
> > + */
> > +void safezero(void *data, size_t size);
> > +
> >   /* from sss_tc_utf8.c */
> >   char *
> >   sss_tc_utf8_str_tolower(TALLOC_CTX *mem_ctx, const char *s);
> >
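Review bot: the doc comment's `@param s      Size of the buffer` does not match the declared parameter `size`; rename it to `@param size` so the documentation is generated against the real name. The brief line `prevents the compiler from optimizing out` also reads as a fragment; `prevents the compiler from optimizing the writes out` would say what is meant.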
> 
> Why didn't you use memset?

Memset is optimized away by most compilers when it is followed by a
free(), because it is a useless operation 'normally'.
However, we use this function to make *sure* we overwrite this memory, as
we do not want to leave passwords in memory for longer than needed.
Should a core be dumped, we will leave as little as possible in the core
file.
In order to make sure compilers do not optimize it out, we need this
special function that uses volatile so the compiler is forbidden from
optimizing it out.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
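
Added example (not part of this thread or of the SSSD patch): the memset-then-free pattern the reply describes, beside a re-implementation of the patch's safezero(), with a volatile-read check that the bytes are really gone. The sample password and the helper names (wipe_then_free_naive, is_wiped, demo_wipe) are constructed here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Naive wipe: because the buffer is freed right after the memset, a
 * compiler's dead-store elimination (e.g. gcc -O2) may drop the memset. */
void wipe_then_free_naive(char *secret, size_t len)
{
    memset(secret, 0, len);
    free(secret);
}

/* Re-implementation of the patch's safezero(): every store goes through a
 * volatile pointer, so the compiler must emit each write. Use this in place
 * of memset() in the pattern above. */
void safezero(void *data, size_t size)
{
    volatile uint8_t *p = data;
    while (size--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte in [data, data+size) is zero. Reads through a
 * volatile pointer so the check itself cannot be folded away either. */
int is_wiped(const void *data, size_t size)
{
    const volatile uint8_t *p = data;
    while (size--) {
        if (*p++ != 0) return 0;
    }
    return 1;
}

/* Constructed demo: copy a sample password into heap memory, wipe it with
 * safezero() and verify the bytes are gone before releasing the buffer. */
int demo_wipe(void)
{
    const char *pw = "hunter2-not-a-real-password"; /* constructed sample */
    size_t len = strlen(pw) + 1;
    char *buf = malloc(len);
    int wiped = 0;
    if (buf != NULL) {
        memcpy(buf, pw, len);
        safezero(buf, len);
        wiped = is_wiped(buf, len);
        free(buf);
    }
    return wiped;
}
```

Whether the memset in wipe_then_free_naive() survives depends on the compiler and optimization level, so inspect the generated assembly rather than trusting a runtime check for that variant.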

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
