[cfe-dev] [RFC] volatile mem* builtins
JF Bastien via cfe-dev
cfe-dev at lists.llvm.org
Wed May 6 15:40:43 PDT 2020
Hi fans of volatility!
I’d like to add volatile overloads to mem* builtins, and authored a patch: https://reviews.llvm.org/D79279 <https://reviews.llvm.org/D79279>
The mem* builtins are often used (or should be used) in places where time-of-check time-of-use security issues are important (e.g. copying from untrusted buffers), because it prevents multiple reads / multiple writes from occurring at the untrusted memory location. The current builtins don't accept volatile pointee parameters in C++, and merely warn about such parameters in C, which leads to confusion. In these settings, it's useful to overload the builtin and permit volatile pointee parameters. The code generation then directly emits the existing volatile variant of the mem* builtin function call, which ensures that the affected memory location is only accessed once (thereby preventing double-reads under an adversarial memory mapping).
Side-note: yes, ToCToU avoidance is a valid use for volatile <https://wg21.link/p1152r0#uses>.
My patch currently only affects:
There’s a bunch more “mem-like” functions such as bzero, but those 3 are the ones I expect to be used the most at the moment. We can add others later.
John brought up the following: __builtin_memcpy is a library builtin, which means its primary use pattern is #define tricks in the C standard library headers that redirect calls to the memcpy library function. So doing what you're suggesting to __builtin_memcpy is also changing the semantics of memcpy, which is not something we should do lightly. If we were talking about changing a non-library builtin function, or introducing a new builtin, the considerations would be very different.
I can instead add __builtin_volatile_* functions which are overloaded on at least one pointee parameter being volatile.
What do y’all think?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cfe-dev