This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH 0/3] explicit_bzero v5


On 11/15/2016 07:02 PM, Paul Eggert wrote:
> On 11/15/2016 09:46 AM, Zack Weinberg wrote:
>
>> in any scenario where the arguments to explicit_bzero are visible to
>> malicious code, the adversary has already won.  Those arguments, after
>> all, are either in registers or on the stack.  If the adversary can
>> read either of those, they can already learn return addresses.
>
> It's possible that the adversary can read the stack but not registers,
> that the object address is already in a register but not in the stack,
> and that the call to explicit_bzero copies the address to the stack,
> making the address visible to the attacker. Perhaps something like the
> following instead?
>
> @strong{Warning:} Calling @code{explicit_bzero} may copy the
> object's address from a register to the stack, thereby exposing
> the address to other parts of the program (e.g., another thread),
> which may defeat address space layout randomization.

I'm concerned that developers will read all these warnings and use memset instead (or a hand-written loop) because this appears to avoid all these issues.

Florian
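As an added illustration of the concern above (this is not code from the thread or from the glibc patch): with optimization enabled, a compiler may delete a memset whose buffer is never read again as a dead store, which is the defect explicit_bzero exists to prevent. `secure_clear` and `memset_fn` are hypothetical names for one portable way to obtain the same guarantee without explicit_bzero; the key bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Volatile function pointer: the compiler cannot resolve the callee at
   compile time, so it cannot prove the stores dead and remove them.
   (GCC/Clang users can instead follow memset with an
   __asm__ __volatile__("" ::: "memory") barrier.) */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;

/* Hypothetical stand-in for explicit_bzero: the wipe really happens. */
static void secure_clear(void *p, size_t n)
{
    memset_fn(p, 0, n);
}

/* Returns 1 if all n bytes at p are zero.  Reads go through a volatile
   pointer so the check is a real load, not a value the optimizer assumes. */
static int all_zero(const void *p, size_t n)
{
    const volatile uint8_t *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* A function holding key material in a stack buffer, using it, then wiping
   it before return.  Returns the byte sum so the buffer is observably used
   before the wipe.  With secure == 0 it uses the plain memset that developers
   may reach for instead of explicit_bzero; at -O2 that final memset is a
   dead store the compiler is free to drop, leaving the key on the stack. */
static unsigned use_key_and_wipe(int secure)
{
    uint8_t key[32];
    unsigned sum = 0;
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (uint8_t)(i * 7 + 1);   /* constructed sample key */
    for (size_t i = 0; i < sizeof key; i++)
        sum += key[i];
    if (secure)
        secure_clear(key, sizeof key);   /* cannot be elided */
    else
        memset(key, 0, sizeof key);      /* may be elided as dead store */
    return sum;
}

/* Demonstrates secure_clear on a heap-independent buffer: returns 1 when
   every byte is zero afterwards. */
static int demo_secure_clear(void)
{
    uint8_t buf[64];
    memset(buf, 0xA5, sizeof buf);
    secure_clear(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}
```

Compiling with `-O2 -S` and comparing the two branches of `use_key_and_wipe` shows whether the plain memset survived; the runtime behaviour of both branches is otherwise identical.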

