https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89201

            Bug ID: 89201
           Summary: Secret/Necessary memset() is Eliminated when Compiling
                    at -O1/O2/O3 (Insecure Compiler Optimization)
           Product: gcc
           Version: 8.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zhan3299 at purdue dot edu
  Target Milestone: ---

For secure programming, sensitive information located on the heap, e.g. a password,
should be cleared before freeing it. (More information can be found at
https://www.owasp.org/index.php/Insecure_Compiler_Optimization .) The following
code shows how to use memset() to avoid an infoleak.

However, when gcc compiles with option -O1/O2/O3, such function calls will be
eliminated. As the -O2 option is widely used, this might generate a series of secret
problems.

$ cat test.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    int n;
    char *password;
    char *otherthing;

    // Get password
    puts("Input your password's size:");
    if (scanf("%d", &n) != 1) {
        exit(-1);
    }
    puts("Input your password:");
    password = malloc(n);
    if (read(0, password, n - 1) < 0) {
        exit(-1);
    }
    puts("Get it, please do not tell anyone else");

    // Play with password
    // ...
    // <Ignore ... for short>
    // ...

    // Clear password
    memset(password, '\x00', n); // Memset will be eliminated with option -O1/O2/O3
    free(password);

    // Info leak
    otherthing = malloc(n);
    for (int i = 0; i < n; i++) {
        printf("%c", otherthing[i]);
    }
    puts("");
}

When compiling at option -O0, the result goes like:
$ gcc test.c -Wall -Wextra -O0
$ ./a.out
Input your password's size:
48
Input your password:
This is my secret key
Get it, please do not tell any other

When compiling at option -O1, the result goes like:
$ gcc test.c -Wall -Wextra -O1
$ ./a.out
Input your password's size:
48
Input your password:
This is my secret key
Get it, please do not tell any other
my secret key

More information is here:
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu
7.3.0-27ubuntu1~18.04' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr
--with-gcc-major-version-only --program-suffix=-7
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none --without-cuda-driver
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)


I also tested the result in Compiler Explorer (https://godbolt.org/). It
affects gcc versions from 5.1 to 8.2; gcc (trunk) is also included.
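
Added example, not part of the original report and not the reporter's code: one way to keep the wipe in test.c from being removed as a dead store, by calling memset through a volatile function pointer and following it with a compiler barrier. The names secure_wipe, count_nonzero, handle_secret and wipe_fn are hypothetical, and the secret is a constructed string instead of stdin input.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* memset reached through a volatile pointer: the pointer must be loaded at
 * run time, so the compiler cannot assume the callee is memset and cannot
 * discard the call as a dead store before free(). */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

/* secure_wipe is a hypothetical helper name, not a libc function. */
void secure_wipe(void *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return;
    wipe_fn(buf, 0, len);
#if defined(__GNUC__) || defined(__clang__)
    /* Compiler barrier: declares that memory reachable from buf may be read. */
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

/* Number of bytes in buf that are still non-zero. */
size_t count_nonzero(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    size_t left = 0;
    for (size_t i = 0; i < len; i++)
        left += (p[i] != 0);
    return left;
}

/* Flow of test.c with a constructed secret in place of stdin input.
 * Returns how many non-zero bytes remain in the buffer just before free(). */
size_t handle_secret(const char *secret, size_t n)
{
    if (n == 0)
        return 0;
    char *password = calloc(1, n);
    if (password == NULL)
        return (size_t)-1;
    strncpy(password, secret, n - 1);   /* keeps the final byte as NUL */
    /* ... use password ... */
    secure_wipe(password, n);
    size_t left = count_nonzero(password, n);
    free(password);
    return left;
}
```

The check runs before free() because reading the block afterwards is undefined behaviour. Where the platform provides them, explicit_bzero() (glibc 2.25 and later, the BSDs) or the C11 Annex K memset_s() serve the same purpose.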
