Re: using explicit_bzero

On 2019-07-05 23:02, Thomas Munro wrote:
> On Sat, Jul 6, 2019 at 1:07 AM Peter Eisentraut
> <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
>> On 2019-07-05 14:06, Thomas Munro wrote:
>>> +#ifndef HAVE_EXPLICIT_BZERO
>>> +#define explicit_bzero(b, len) memset(b, 0, len)
>>> +#endif
>>>
>>> I noticed some other libraries use memset through a function pointer
>>> or at least define a function the compiler can't see.
>>
>> I don't understand what you are getting at here.
>
> Do we want to provide a replacement implementation that actually
> prevents the compiler from generating no code in some circumstances?
> Then I think we need at least a function defined in another
> translation unit so the compiler can't see what it does, no?

I see. My premise, which should perhaps be explained in a comment at
least, is that on an operating system that does not provide
explicit_bzero() (or an obvious alternative), we don't care about
addressing this particular security concern, since the rest of the
operating system won't be secure in this way either. It shouldn't be
our job to fight this battle if the rest of the OS doesn't care.

An alternative patch would define explicit_bzero() to nothing if not
available. But that might create bugs if subsequent code relies on the
memory being zeroed, independent of security concerns, so I changed it
to use memset() so that at least logically both code paths are the same.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services