[cfe-dev] Security fail (memset being optimized away)

myLC@gmx.de via cfe-dev cfe-dev at lists.llvm.org
Fri Jan 4 07:41:31 PST 2019


On 1/4/19 3:47 PM, Jonny Grant wrote:
> ...
> Maybe add an abort()  ?
> 
> eg
> 
> #include <stddef.h>
> #include <stdlib.h>
> #include <string.h>
> 
> static inline void check_memset(void *s, int c, size_t n)
> {
>      const unsigned char *buf = (const unsigned char *)s;
>      memset(s, c, n);
> 
>      if((unsigned char)c != *buf)
>      {
>          abort();
>      }
> }


I'm afraid, that won't cut it either. On the "Compiler Explorer"
website ( https://godbolt.org/ ) you can see that many compilers
implement "their own" inlined version of memset - especially
when you turn on "max optimizations" (-O3). The compiler might
simply decide to only clear the first byte as the rest is not
being accessed anyhow...


> Or use a for loop to verify all bytes are now 0.

The compiler knows that the buffer has to be all zeros, as it
knows it just cleared it before. This is basically a more
complicated version of:
{
	int a = 0;
	if( a != 0 )
		abort();
}
This can never call abort and will therefore be removed
completely.
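As an added example (not code from this thread, and not from either of the two posters), here is a small C program that makes the point concrete: the naive function leaves a clear that the optimizer is entitled to delete, and two helpers keep the clear alive, one by storing through a volatile pointer and one by placing a compiler memory barrier after a normal memset(). The secret bytes are constructed; the only non-standard piece is the GCC/Clang inline asm, guarded with a fallback.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not code from the thread). Shows the dead-store problem
   the reply describes and two ways to keep a clear alive: byte stores
   through a volatile pointer, and a compiler memory barrier after a
   normal memset(). The sample secret bytes below are constructed. */

/* Naive form: `key` is never read after the memset, so under -O2/-O3 the
   compiler may treat the memset as a dead store and delete it. A check
   such as `if (key[0] != 0) abort();` placed after it does not help: the
   compiler knows the value it just stored and folds the check away too. */
int derive_and_forget_naive(const uint8_t *secret, size_t len) {
    uint8_t key[32];
    size_t n = len < sizeof key ? len : sizeof key;
    int sum = 0;
    memcpy(key, secret, n);
    for (size_t i = 0; i < n; i++) sum += key[i];
    memset(key, 0, sizeof key);          /* may be optimized away */
    return sum;
}

/* Every store through a volatile lvalue is an observable side effect, so
   the compiler must emit it even though nothing reads the bytes later. */
void secure_memzero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Alternative: a normal memset() followed by an empty asm statement with a
   "memory" clobber that takes the buffer address as an input. The asm is
   opaque to the optimizer, so it must assume the zeroed bytes may be read
   and cannot drop the memset. GCC/Clang only; other compilers fall back
   to the volatile loop above. */
void memset_with_barrier(void *p, size_t n) {
#if defined(__GNUC__) || defined(__clang__)
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
#else
    secure_memzero(p, n);
#endif
}

/* Same computation as the naive version, with the clear kept alive. */
int derive_and_forget_secure(const uint8_t *secret, size_t len) {
    uint8_t key[32];
    size_t n = len < sizeof key ? len : sizeof key;
    int sum = 0;
    memcpy(key, secret, n);
    for (size_t i = 0; i < n; i++) sum += key[i];
    secure_memzero(key, sizeof key);
    return sum;
}

static int all_zero(const unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0) return 0;
    return 1;
}

/* Functional check only: both helpers do zero a buffer that is still live
   afterwards. Whether a clear survives optimization inside a real function
   can only be confirmed by reading the generated assembly, e.g. on
   Compiler Explorer as mentioned in the thread. Returns 1 on success. */
int demo_clearing_helpers(void) {
    unsigned char a[16], b[16];
    memset(a, 0xAA, sizeof a);
    memset(b, 0xAA, sizeof b);
    secure_memzero(a, sizeof a);
    memset_with_barrier(b, sizeof b);
    return all_zero(a, sizeof a) && all_zero(b, sizeof b);
}

/* Constructed sample secret: 4 bytes whose sum is 10. Returns 1 if both
   variants agree and produce the expected value. */
int demo_derive(void) {
    static const uint8_t secret[4] = {1, 2, 3, 4};
    int naive = derive_and_forget_naive(secret, 4);
    int secure = derive_and_forget_secure(secret, 4);
    return naive == secure && secure == 10;
}
```

Where the platform provides them, explicit_bzero() (glibc 2.25 and later, the BSDs) and the C11 Annex K memset_s() exist for exactly this purpose and are preferable to hand-rolled variants; either way, the check that actually settles the question is the disassembly of the optimized build, not a runtime comparison.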
