From mboxrd@z Thu Jan 1 00:00:00 1970 From: Waiman Long Date: Tue, 16 Jun 2020 13:05:00 +0000 Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree() Message-Id: <56c2304c-73cc-8f48-d8d0-5dd6c39f33f3@redhat.com> List-Id: References: <20200616015718.7812-1-longman@redhat.com> <20200616015718.7812-2-longman@redhat.com> <20200616033035.GB902@sol.localdomain> In-Reply-To: <20200616033035.GB902@sol.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Eric Biggers Cc: "Jason A . Donenfeld" , Michal Hocko , linux-btrfs@vger.kernel.org, Jarkko Sakkinen , David Sterba , David Howells , linux-mm@kvack.org, linux-sctp@vger.kernel.org, keyrings@vger.kernel.org, kasan-dev@googlegroups.com, linux-stm32@st-md-mailman.stormreply.com, devel@driverdev.osuosl.org, linux-cifs@vger.kernel.org, linux-scsi@vger.kernel.org, James Morris , Matthew Wilcox , linux-wpan@vger.kernel.org, David Rientjes , Dan Carpenter , linux-pm@vger.kernel.org, ecryptfs@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-amlogic@lists.infradead.org, virtualization@lists.linux-foundation.org, linux-integrity@vger.kernel.org, linux-nfs@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-security-module@vger.kernel.org, target-devel@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-crypto@vger.kernel.org, Johannes Weiner , Joe Perches , Andrew Morton , Linus Torvalds , netdev@vger.kernel.org, wireguard@lists.zx2c4.com, linux-ppp@vger.kernel.org On 6/15/20 11:30 PM, Eric Biggers wrote: > On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote: >> The kzfree() function is normally used to clear some sensitive >> information, like encryption keys, in the buffer before freeing it back >> to the pool. Memset() is currently used for the buffer clearing. However, >> it is entirely possible that the compiler may choose to optimize away the >> memory clearing especially if LTO is being used. To make sure that this >> optimization will not happen, memzero_explicit(), which is introduced >> in v3.18, is now used in kzfree() to do the clearing. >> >> Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()") >> Cc: stable@vger.kernel.org >> Signed-off-by: Waiman Long >> --- >> mm/slab_common.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/mm/slab_common.c b/mm/slab_common.c >> index 9e72ba224175..37d48a56431d 100644 >> --- a/mm/slab_common.c >> +++ b/mm/slab_common.c >> @@ -1726,7 +1726,7 @@ void kzfree(const void *p) >> if (unlikely(ZERO_OR_NULL_PTR(mem))) >> return; >> ks = ksize(mem); >> - memset(mem, 0, ks); >> + memzero_explicit(mem, ks); >> kfree(mem); >> } >> EXPORT_SYMBOL(kzfree); > This is a good change, but the commit message isn't really accurate. AFAIK, no > one has found any case where this memset() gets optimized out. And even with > LTO, it would be virtually impossible due to all the synchronization and global > data structures that kfree() uses. (Remember that this isn't the C standard > function "free()", so the compiler can't assign it any special meaning.) > Not to mention that LTO support isn't actually upstream yet. > > I still agree with the change, but it might be helpful if the commit message > were honest that this is really a hardening measure and about properly conveying > the intent. As-is this sounds like a critical fix, which might confuse people. Yes, I agree that the commit log may look a bit scary. How about the following: The kzfree() function is normally used to clear some sensitive information, like encryption keys, in the buffer before freeing it back to the pool. Memset() is currently used for buffer clearing. However unlikely, there is still a non-zero probability that the compiler may choose to optimize away the memory clearing especially if LTO is being used in the future. To make sure that this optimization will never happen, memzero_explicit(), which is introduced in v3.18, is now used in kzfree() to future-proof it. Cheers, Longman