This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH 0/3] explicit_bzero v5


On Tue, Nov 15, 2016 at 1:42 PM, Florian Weimer <fweimer@redhat.com> wrote:
> On 11/15/2016 07:02 PM, Paul Eggert wrote:
>> On 11/15/2016 09:46 AM, Zack Weinberg wrote:
>>
>>> in any scenario where the arguments to explicit_bzero are visible to
>>> malicious code, the adversary has already won.  Those arguments, after
>>> all, are either in registers or on the stack.  If the adversary can
>>> read either of those, they can already learn return addresses.
>>
>> It's possible that the adversary can read the stack but not registers

If the adversary can read the stack at all, I suspect they've already
won, no matter what we do.

> I'm concerned that developers will read all these warnings and use memset
> instead (or a hand-written loop) because this appears to avoid all these
> issues.

Yeah, I'm actually worried that the warnings I already wrote are
already too over-the-top.

cc:ing Michael Kerrisk - you write manpages all day, does the
documentation added in
<https://sourceware.org/ml/libc-alpha/2016-11/msg00499.html> look like
it would scare people off using the function at all?

zw
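The point at issue in this thread (memset looking safer than explicit_bzero while actually being removable by the optimizer) is easiest to see in code. The following is an added example, not code from the glibc patch series or from anyone on this list: it pairs a memset-based wipe with a wipe that uses explicit_bzero where glibc 2.25 or later provides it, and otherwise falls back to calling memset through a volatile function pointer. That fallback is a common portable idiom and is an assumption of this example, not glibc's implementation; the function names (secure_wipe, derive_and_wipe, wipe_check) are likewise made up here.

```c
/* Added example (not from the glibc thread): memset-based wipe beside an
   optimizer-proof wipe. explicit_bzero is declared by glibc >= 2.25 under
   _DEFAULT_SOURCE; the volatile-pointer fallback is an assumed portable idiom. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
# if __GLIBC_PREREQ(2, 25)
#  define HAVE_EXPLICIT_BZERO 1
# endif
#endif

/* The "obvious" wipe. When the caller never reads buf again, the compiler
   may treat this store as dead and delete it (dead store elimination), so
   the secret can remain in memory even though the source says otherwise. */
static void wipe_with_memset(unsigned char *buf, size_t len)
{
    memset(buf, 0, len);
}

/* A wipe the optimizer must keep. */
static void secure_wipe(void *buf, size_t len)
{
#ifdef HAVE_EXPLICIT_BZERO
    explicit_bzero(buf, len);
#else
    /* Fallback: the compiler cannot know at compile time what a volatile
       function pointer targets, so it cannot prove the call has no effect
       and must emit it. */
    void *(*volatile memset_v)(void *, int, size_t) = memset;
    memset_v(buf, 0, len);
#endif
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
static int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Simulates a routine that briefly holds secret material in a local buffer:
   copy it in, derive a simple checksum (constructed, not a real KDF), wipe
   the local copy, return only the checksum. The wipe is the last use of
   `work`, which is exactly the case where a plain memset may be dropped. */
static unsigned derive_and_wipe(const unsigned char *secret, size_t len)
{
    unsigned char work[64];
    unsigned sum = 0;

    if (len > sizeof work)
        len = sizeof work;
    memcpy(work, secret, len);
    for (size_t i = 0; i < len; i++)
        sum = sum * 31u + work[i];

    secure_wipe(work, sizeof work);   /* survives optimization */
    return sum;
}

/* Self-check: fill a buffer with a constructed pattern, wipe it both ways,
   and report 1 if both wipes left it all-zero (the memset variant is kept
   here because the buffer is read afterwards, which is the one situation
   where the compiler may not delete it). */
static int wipe_check(void)
{
    unsigned char buf[32];

    memset(buf, 0xAA, sizeof buf);
    wipe_with_memset(buf, sizeof buf);
    if (!all_zero(buf, sizeof buf))
        return 0;

    memset(buf, 0x55, sizeof buf);
    secure_wipe(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}

int main(void)
{
    const unsigned char secret[] = "constructed-secret";   /* constructed input */
    printf("checksum: %u\n", derive_and_wipe(secret, sizeof secret - 1));
    printf("wipe check: %s\n", wipe_check() ? "ok" : "FAILED");
#ifdef HAVE_EXPLICIT_BZERO
    puts("using explicit_bzero");
#else
    puts("using volatile memset fallback");
#endif
    return 0;
}
```

The observable behaviour of the two wipes is identical at -O0 and whenever the buffer is read again, which is why memset "appears to avoid all these issues"; the difference only shows up in the generated code for the dead-store case, which is what explicit_bzero exists to cover.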

