From 672fc9fc4d20d06810a66aa6133a94a0565eae05 Mon Sep 17 00:00:00 2001 From: Yawning Angel Date: Sun, 31 Oct 2021 21:41:39 +0000 Subject: [PATCH] core/mem: Add zero_explicit This call is intended to provide the ability to securely scrub memory without compiler interference, in a similar manner to explicit_bzero, memset_s, SecureZeroMemory. The approach taken is a volatile memset followed by a seqentially consistent memory fence, to prevent the call from being optimized away by DSE, and from being reordered. An identical approach is currently being used by the zeroize Rust crate, and is effective in practice. LLVM IR output: ``` ; Function Attrs: nounwind define internal i8* @mem.zero_explicit(i8* %0, i64 %1) #0 { decls: call void @llvm.memset.p0i8.i64(i8* %0, i8 0, i64 %1, i1 true) fence seq_cst ret i8* %0 } ``` --- core/mem/mem.odin | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/core/mem/mem.odin b/core/mem/mem.odin index 29d124e42..8eb877e75 100644 --- a/core/mem/mem.odin +++ b/core/mem/mem.odin @@ -10,6 +10,15 @@ zero :: proc "contextless" (data: rawptr, len: int) -> rawptr { intrinsics.mem_zero(data, len) return data } +zero_explicit :: proc "contextless" (data: rawptr, len: int) -> rawptr { + // This routine tries to avoid the compiler optimizing away the call, + // so that it is always executed. It is intended to provided + // equivalent semantics to those provided by the C11 Annex K 3.7.4.1 + // memset_s call. + intrinsics.mem_zero_volatile(data, len) // Use the volatile mem_zero + intrinsics.atomic_fence() // Prevent reordering + return data +} zero_item :: proc "contextless" (item: $P/^$T) { intrinsics.mem_zero(item, size_of(T)) }