]>
Commit | Line | Data |
---|---|---|
55e04d23 | 1 | .\" Copyright (C) 2017 Michael Kerrisk <mtk.manpages@gmail.com> |
fea681da | 2 | .\" |
93015253 | 3 | .\" %%%LICENSE_START(VERBATIM) |
fea681da MK |
4 | .\" Permission is granted to make and distribute verbatim copies of this |
5 | .\" manual provided the copyright notice and this permission notice are | |
6 | .\" preserved on all copies. | |
7 | .\" | |
8 | .\" Permission is granted to copy and distribute modified versions of this | |
9 | .\" manual under the conditions for verbatim copying, provided that the | |
10 | .\" entire resulting derived work is distributed under the terms of a | |
11 | .\" permission notice identical to this one. | |
c13182ef | 12 | .\" |
fea681da MK |
13 | .\" Since the Linux kernel and libraries are constantly changing, this |
14 | .\" manual page may be incorrect or out-of-date. The author(s) assume no | |
15 | .\" responsibility for errors or omissions, or for damages resulting from | |
16 | .\" the use of the information contained herein. The author(s) may not | |
17 | .\" have taken the same level of care in the production of this manual, | |
18 | .\" which is licensed free of charge, as they might when working | |
19 | .\" professionally. | |
c13182ef | 20 | .\" |
fea681da MK |
21 | .\" Formatted or processed versions of this manual, if unaccompanied by |
22 | .\" the source, must acknowledge the copyright and authors of this work. | |
4b72fb64 | 23 | .\" %%%LICENSE_END |
fea681da | 24 | .\" |
9ba01802 | 25 | .TH BZERO 3 2019-03-06 "Linux" "Linux Programmer's Manual" |
fea681da | 26 | .SH NAME |
55e04d23 | 27 | bzero, explicit_bzero \- zero a byte string |
fea681da MK |
28 | .SH SYNOPSIS |
29 | .nf | |
30 | .B #include <strings.h> | |
f90f031e | 31 | .PP |
fea681da | 32 | .BI "void bzero(void *" s ", size_t " n ); |
dbfe9c70 | 33 | .PP |
61428042 | 34 | .B #include <string.h> |
f90f031e | 35 | .PP |
55e04d23 | 36 | .BI "void explicit_bzero(void *" s ", size_t " n ); |
fea681da MK |
37 | .fi |
38 | .SH DESCRIPTION | |
39 | The | |
63aa9df0 | 40 | .BR bzero () |
55e04d23 | 41 | function erases the data in the |
fea681da | 42 | .I n |
55e04d23 MK |
43 | bytes of the memory starting at the location pointed to by |
44 | .IR s , | |
d1a71985 | 45 | by writing zeros (bytes containing \(aq\e0\(aq) to that area. |
847e0d88 | 46 | .PP |
55e04d23 MK |
47 | The |
48 | .BR explicit_bzero () | |
49 | function performs the same task as | |
50 | .BR bzero (). | |
51 | It differs from | |
52 | .BR bzero () | |
53 | in that it guarantees that compiler optimizations will not remove the | |
e6af0066 | 54 | erase operation if the compiler deduces that the operation is "unnecessary". |
47297adb | 55 | .SH RETURN VALUE |
fea681da | 56 | None. |
55e04d23 MK |
57 | .SH VERSIONS |
58 | .BR explicit_bzero () | |
59 | first appeared in glibc 2.25. | |
18c5047e | 60 | .SH ATTRIBUTES |
e933ee90 MK |
61 | For an explanation of the terms used in this section, see |
62 | .BR attributes (7). | |
63 | .TS | |
64 | allbox; | |
65 | lb lb lb | |
66 | l l l. | |
67 | Interface Attribute Value | |
68 | T{ | |
55e04d23 MK |
69 | .BR bzero (), |
70 | .br | |
71 | .BR explicit_bzero () | |
e933ee90 MK |
72 | T} Thread safety MT-Safe |
73 | .TE | |
47297adb | 74 | .SH CONFORMING TO |
55e04d23 MK |
75 | The |
76 | .BR bzero () | |
77 | function is deprecated (marked as LEGACY in POSIX.1-2001); use | |
fb186734 | 78 | .BR memset (3) |
c13182ef | 79 | in new programs. |
32982a3e MK |
80 | POSIX.1-2008 removes the specification of |
81 | .BR bzero (). | |
55e04d23 MK |
82 | The |
83 | .BR bzero () | |
84 | function first appeared in 4.3BSD. | |
847e0d88 | 85 | .PP |
55e04d23 MK |
86 | The |
87 | .BR explicit_bzero () | |
88 | function is a nonstandard extension that is also present on some of the BSDs. | |
89 | Some other implementations have a similar function, such as | |
90 | .BR memset_explicit () | |
91 | or | |
92 | .BR memset_s (). | |
93 | .SH NOTES | |
94 | The | |
95 | .BR explicit_bzero () | |
96 | function addresses a problem that security-conscious applications | |
97 | may run into when using | |
98 | .BR bzero (): | |
99 | if the compiler can deduce that the location to zeroed will | |
100 | never again be touched by a | |
101 | .I correct | |
102 | program, then it may remove the | |
103 | .BR bzero () | |
104 | call altogether. | |
105 | This is a problem if the intent of the | |
106 | .BR bzero () | |
107 | call was to erase sensitive data (e.g., passwords) | |
108 | to prevent the possibility that the data was leaked | |
109 | by an incorrect or compromised program. | |
110 | Calls to | |
111 | .BR explicit_bzero () | |
112 | are never optimized away by the compiler. | |
847e0d88 | 113 | .PP |
55e04d23 MK |
114 | The |
115 | .BR explicit_bzero () | |
116 | function does not solve all problems associated with erasing sensitive data: | |
117 | .IP 1. 3 | |
118 | The | |
119 | .BR explicit_bzero () | |
120 | function does | |
121 | .I not | |
122 | guarantee that sensitive data is completely erased from memory. | |
123 | (The same is true of | |
124 | .BR bzero ().) | |
125 | For example, there may be copies of the sensitive data in | |
126 | a register and in "scratch" stack areas. | |
127 | The | |
128 | .BR explicit_bzero () | |
129 | function is not aware of these copies, and can't erase them. | |
130 | .IP 2. | |
131 | In some circumstances, | |
132 | .BR explicit_bzero () | |
133 | can | |
134 | .I decrease | |
135 | security. | |
136 | If the compiler determined that the variable containing the | |
137 | sensitive data could be optimized to be stored in a register | |
138 | (because it is small enough to fit in a register, | |
139 | and no operation other than the | |
140 | .BR explicit_bzero () | |
141 | call would need to take the address of the variable), then the | |
142 | .BR explicit_bzero () | |
143 | call will force the data to be copied from the register | |
144 | to a location in RAM that is then immediately erased | |
145 | (while the copy in the register remains unaffected). | |
146 | The problem here is that data in RAM is more likely to be exposed | |
147 | by a bug than data in a register, and thus the | |
148 | .BR explicit_bzero () | |
149 | call creates a brief time window where the sensitive data is more | |
150 | vulnerable than it would otherwise have been | |
151 | if no attempt had been made to erase the data. | |
152 | .PP | |
153 | Note that declaring the sensitive variable with the | |
154 | .B volatile | |
155 | qualifier does | |
156 | .I not | |
157 | eliminate the above problems. | |
158 | Indeed, it will make them worse, since, for example, | |
159 | it may force a variable that would otherwise have been optimized | |
160 | into a register to instead be maintained in (more vulnerable) | |
161 | RAM for its entire lifetime. | |
847e0d88 | 162 | .PP |
55e04d23 MK |
163 | Notwithstanding the above details, for security-conscious applications, using |
164 | .BR explicit_bzero () | |
165 | is generally preferable to not using it. | |
166 | The developers of | |
167 | .BR explicit_bzero () | |
168 | anticipate that future compilers will recognize calls to | |
169 | .BR explicit_bzero () | |
170 | and take steps to ensure that all copies of the sensitive data are erased, | |
171 | including copies in registers or in "scratch" stack areas. | |
47297adb | 172 | .SH SEE ALSO |
879091c9 | 173 | .BR bstring (3), |
fea681da MK |
174 | .BR memset (3), |
175 | .BR swab (3) |