* [PATCH] libuuid: use explicit_bzero() in uuid_clear() when possible
@ 2017-10-16 21:37 Sami Kerola
  2017-10-18  7:15 ` Christoph Hellwig
  0 siblings, 1 reply; 4+ messages in thread
From: Sami Kerola @ 2017-10-16 21:37 UTC (permalink / raw)
  To: util-linux; +Cc: Sami Kerola

This ensures the value is blanked.  It is possible a compiler optimization removed
earlier uuid_clear() calls as unnecessary if the value was not used after the clear.

Signed-off-by: Sami Kerola <kerolasa@iki.fi>
---
 libuuid/src/clear.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libuuid/src/clear.c b/libuuid/src/clear.c
index 2d91fee93..5b1392464 100644
--- a/libuuid/src/clear.c
+++ b/libuuid/src/clear.c
@@ -38,6 +38,10 @@
 
 void uuid_clear(uuid_t uu)
 {
+#ifdef HAVE_EXPLICIT_BZERO
+	explicit_bzero(uu, 16);
+#else
 	memset(uu, 0, 16);
+#endif
 }
 
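Review bot: HAVE_EXPLICIT_BZERO is not defined anywhere in this patch; the diffstat shows only libuuid/src/clear.c changing, so unless the build system already probes for explicit_bzero() the new #ifdef branch is dead and the plain memset() path is what ships. Add the matching configure check (an AC_CHECK_FUNCS([explicit_bzero]) entry, or confirm one already exists) and make sure clear.c includes the config header before this #ifdef. On glibc, explicit_bzero() is declared in <string.h> only with _DEFAULT_SOURCE (glibc 2.25 and later), so the feature macros in effect for this file should also be confirmed, otherwise the call compiles with an implicit declaration. The hard-coded 16 matches the existing memset(), so the length itself is consistent with the surrounding code.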
-- 
2.14.2



* Re: [PATCH] libuuid: use explicit_bzero() in uuid_clear() when possible
  2017-10-16 21:37 [PATCH] libuuid: use explicit_bzero() in uuid_clear() when possible Sami Kerola
@ 2017-10-18  7:15 ` Christoph Hellwig
  2017-10-23 19:38   ` Sami Kerola
  0 siblings, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2017-10-18  7:15 UTC (permalink / raw)
  To: Sami Kerola; +Cc: util-linux

On Mon, Oct 16, 2017 at 10:37:34PM +0100, Sami Kerola wrote:
> This ensures the value is blanked.  It is possible a compiler optimization removed
> earlier uuid_clear() calls as unnecessary if the value was not used after the clear.

Can you explain the logic behind this a bit more?  If no one uses the
uuid later it doesn't matter if we cleared it or not.


* Re: [PATCH] libuuid: use explicit_bzero() in uuid_clear() when possible
  2017-10-18  7:15 ` Christoph Hellwig
@ 2017-10-23 19:38   ` Sami Kerola
  2017-10-24  9:30     ` Christoph Hellwig
  0 siblings, 1 reply; 4+ messages in thread
From: Sami Kerola @ 2017-10-23 19:38 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: util-linux

On 18 October 2017 at 08:15, Christoph Hellwig <hch@infradead.org> wrote:
> On Mon, Oct 16, 2017 at 10:37:34PM +0100, Sami Kerola wrote:
>> This ensures the value is blanked.  It is possible a compiler optimization removed
>> earlier uuid_clear() calls as unnecessary if the value was not used after the clear.
>
> Can you explain the logic behind this a bit more?  If no one uses the
> uuid later it doesn't matter if we cleared it or not.

When the value is not used the compiler might decide to remove such clearing
altogether. To me uuid_clear() is a promise that the value disappears, and
that is what the function should do. Who knows, maybe someone uses
uuids for something sensitive that must be cleared so as not to leak secrets.
In that sort of context one really hopes the promise of clearing is kept.

-- 
Sami Kerola
http://www.iki.fi/kerolasa/
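
The concern raised above is dead-store elimination: a memset() on a buffer the compiler can prove is never read again may be dropped. The following is an added example, not code from util-linux or from either poster, showing the usual portable pattern: explicit_bzero() where the build system provides HAVE_EXPLICIT_BZERO (assumed to come from configure; it is not defined here), otherwise memset() called through a volatile function pointer so the store cannot be proven dead. The names uuid16_t, secure_zero, uuid_clear_secure, uuid_clear_plain, uuid_is_zero and wipe_local_copy_demo are this example's own, and the sample UUID bytes are constructed.

```c
/* glibc exposes explicit_bzero() in <string.h> under _DEFAULT_SOURCE (2.25+). */
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <string.h>

/* Same layout as libuuid's uuid_t: 16 raw bytes. Named differently here
 * to avoid clashing with any system uuid_t. */
typedef unsigned char uuid16_t[16];

/* Fallback wipe: calling memset() through a volatile function pointer means
 * the compiler cannot see which function is called, so it cannot treat the
 * zeroing as a removable dead store. */
static void *(* volatile memset_fn)(void *, int, size_t) = memset;

static void secure_zero(void *p, size_t n)
{
#ifdef HAVE_EXPLICIT_BZERO          /* assumed to be set by the build system */
	explicit_bzero(p, n);
#else
	memset_fn(p, 0, n);
#endif
}

/* uuid_clear() variant whose zeroing survives dead-store elimination. */
void uuid_clear_secure(uuid16_t uu)
{
	secure_zero(uu, sizeof(uuid16_t));
}

/* Plain variant, as in the pre-patch code: correct for the documented
 * "reset to NULL value" semantics, but a compiler may drop the memset()
 * when uu is a local that is never read again. */
void uuid_clear_plain(uuid16_t uu)
{
	memset(uu, 0, sizeof(uuid16_t));
}

/* Returns 1 if every byte of uu is zero, 0 otherwise. Uses an OR
 * accumulator rather than an early exit so the check is data independent. */
int uuid_is_zero(const uuid16_t uu)
{
	unsigned char acc = 0;
	for (size_t i = 0; i < sizeof(uuid16_t); i++)
		acc |= uu[i];
	return acc == 0;
}

/* The scenario where the wipe matters: a sensitive UUID copied into a local
 * buffer, used, then cleared before the function returns. Returns 1 when the
 * local copy reads back as all zero. */
int wipe_local_copy_demo(void)
{
	/* constructed sample value */
	const uuid16_t sample = {
		0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33,
		0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb
	};
	uuid16_t tmp;

	memcpy(tmp, sample, sizeof(uuid16_t));
	/* ... tmp would be used here ... */
	uuid_clear_secure(tmp);
	return uuid_is_zero(tmp);
}
```

The volatile-pointer fallback is the same idea as explicit_bzero() expressed in portable C: what the optimizer cannot see, it cannot remove. Whether uuid_clear() should make that promise at all is the question the reply below raises.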


* Re: [PATCH] libuuid: use explicit_bzero() in uuid_clear() when possible
  2017-10-23 19:38   ` Sami Kerola
@ 2017-10-24  9:30     ` Christoph Hellwig
  0 siblings, 0 replies; 4+ messages in thread
From: Christoph Hellwig @ 2017-10-24  9:30 UTC (permalink / raw)
  To: kerolasa; +Cc: Christoph Hellwig, util-linux

On Mon, Oct 23, 2017 at 08:38:20PM +0100, Sami Kerola wrote:
> > Can you explain the logic behind this a bit more?  If no one uses the
> > uuid later it doesn't matter if we cleared it or not.
> 
> When the value is not used the compiler might decide to remove such clearing
> altogether. To me uuid_clear() is a promise that the value disappears, and
> that is what the function should do. Who knows, maybe someone uses
> uuids for something sensitive that must be cleared so as not to leak secrets.
> In that sort of context one really hopes the promise of clearing is kept.

That's not how uuid_clear is documented.  From the man page:

NAME
       uuid_clear - reset value of UUID variable to the NULL value

SYNOPSIS
       #include <uuid.h>

       void uuid_clear(uuid_t uu);

DESCRIPTION
       The uuid_clear function sets the value of the supplied uuid variable uu to the NULL value.

If the variable isn't used it obviously must not be cleared.
