gcc may optimize out memset() calls intended to clear allocated memory
Summary
Per a report to security-officer from Ilja Van Sprundel ivansprundel@ioactive.com, gcc may be optimizing out calls to memset() in some places in the BIND code.
The submitter writes:
Hey,
I stumbled over some potential security issues in dhcp 4.4.1
(this appears to be in some included bind 9 lib directory,
hence it's possible bind is affected too) and figured you
guys want to know about it.
I made a small change to gcc (see attached patch) to report
optimized out calls to memset(), to identify code that tries
to clear memory, but then gets removed by compiler optimization.
It looks like dhcp 4.4.1 has some potential issues that came up:
ilja@ubuntu:~/Downloads/dhcp-4.4.1$ make |& grep -i 'memset'
hmacsha.c:1115: optimized out memset
hmacsha.c:1181: optimized out memset
hmacsha.c:1247: optimized out memset
hmacsha.c:1313: optimized out memset
hmacsha.c:1379: optimized out memset
random.c:351: optimized out memset
sha2.c:880: optimized out memset
sha2.c:1617: optimized out memset
sha2.c:1658: optimized out memset
sha2.c:1699: optimized out memset
sha2.c:1740: optimized out memset
hmac_link.c:310: optimized out memset
hmac_link.c:168: optimized out memset
hmac_link.c:596: optimized out memset
hmac_link.c:454: optimized out memset
hmac_link.c:883: optimized out memset
hmac_link.c:741: optimized out memset
hmac_link.c:1170: optimized out memset
hmac_link.c:1028: optimized out memset
hmac_link.c:1457: optimized out memset
hmac_link.c:1315: optimized out memset
hmac_link.c:1744: optimized out memset
hmac_link.c:1602: optimized out memset
dns.c:342: optimized out memset
dns.c:508: optimized out memset
ilja@ubuntu:~/Downloads/dhcp-4.4.1$
The reporter was chiefly concerned with ISC DHCP, but mentioned that some of the invocations claimed to be removed by optimization occurred in BIND libraries, so I am reporting it here as well.
Steps to reproduce
According to the reporter, they discovered this by modifying gcc to report when the optimizer removed a call to memset().
Their suggested patch is attached to this ticket: optimized_memset.diff
We have not (yet) verified whether their modification correctly reports this; we should at least consider the case that they may be reporting false positives.
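For discussion purposes, here is an added illustration (not code from the reporter, from BIND or from DHCP) of the pattern the report is about and of one portable way to keep the wipe: a memset() on a buffer that is about to go out of scope or be freed is a dead store under the C abstract machine, so the optimizer may legally drop it; routing the call through a volatile function pointer (plus a compiler barrier on gcc/clang) prevents the compiler from proving the store dead. The key bytes and the checksum standing in for "using the key" are constructed for the example; secure_clear, checksum_key_naive, checksum_key_wiped and wipe_heap_copy are names chosen here, not functions from either code base.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample key material for the demonstration (not real key data). */
static const uint8_t sample_key[16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* Dead-store pattern: `local` dies right after the memset(), nothing can
 * legally observe the zeroes, so the optimizer may remove the call.
 * This is the shape the reporter's gcc instrumentation flags. */
static uint32_t checksum_key_naive(const uint8_t *key, size_t len)
{
    uint8_t local[64];
    uint32_t sum = 0;

    if (len > sizeof(local))
        len = sizeof(local);
    memcpy(local, key, len);
    for (size_t i = 0; i < len; i++)
        sum += local[i];               /* stand-in for real use of the key */
    memset(local, 0, sizeof(local));   /* may be optimized out */
    return sum;
}

/* memset() reached through a volatile function pointer: the compiler must
 * assume the pointee can change and may have side effects, so the clearing
 * stores cannot be proven dead. The asm statement is a compiler-only
 * barrier (no instructions emitted) that also pins the buffer as "used". */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

static void secure_clear(void *p, size_t n)
{
    memset_ptr(p, 0, n);
#if defined(__GNUC__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Same computation as the naive version, with the wipe that survives. */
static uint32_t checksum_key_wiped(const uint8_t *key, size_t len)
{
    uint8_t local[64];
    uint32_t sum = 0;

    if (len > sizeof(local))
        len = sizeof(local);
    memcpy(local, key, len);
    for (size_t i = 0; i < len; i++)
        sum += local[i];
    secure_clear(local, sizeof(local));
    return sum;
}

static int is_all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Heap variant of the same concern: wipe a copy of the key before free().
 * Returns 1 if the buffer reads back as zero, 0 if not, -1 on allocation
 * failure. (The read-back happens before free(), so it is well defined.) */
static int wipe_heap_copy(const uint8_t *key, size_t len)
{
    uint8_t *copy = malloc(len);
    int ok;

    if (copy == NULL)
        return -1;
    memcpy(copy, key, len);
    secure_clear(copy, len);
    ok = is_all_zero(copy, len);
    free(copy);
    return ok;
}

int main(void)
{
    uint32_t a = checksum_key_naive(sample_key, sizeof(sample_key));
    uint32_t b = checksum_key_wiped(sample_key, sizeof(sample_key));
    int wiped = wipe_heap_copy(sample_key, sizeof(sample_key));
    return (a == b && wiped == 1) ? 0 : 1;
}
```

Two caveats when checking real object code instead of relying on an instrumented compiler: at -O2 gcc frequently expands a fixed-size memset() inline as plain stores rather than a call, so the absence of a `memset` symbol in the disassembly of a function does not by itself mean the clearing was removed (nor does its presence mean it survived in every caller); inspect the function body. Where the platform provides them, explicit_bzero() (glibc 2.25 and later, the BSDs) or C11 Annex K memset_s() are the libc-supplied equivalents of secure_clear above and avoid hand-rolled barriers.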
What to do about it
We ought to at least have a look at this report and see whether we believe it is cause for concern and/or might lead to unintentionally leaking information via allocated memory we thought had been cleared.
I am therefore creating this confidential ticket for tracking and discussion of this matter.