| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- /*
- * Securely wipe memory.
- *
- * The actual wiping is no different from what memset would do: the
- * point of 'securely' is to try to be sure over-clever compilers
- * won't optimise away memsets on variables that are about to be freed
- * or go out of scope. See
- * https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/771-BSI.html
- */
- #include "defs.h"
- #include "misc.h"
- /*
- * Trivial function that is given a pointer to some memory and ignores
- * it.
- */
- static void no_op(void *ptr, size_t size) {}
- /*
- * Function pointer that is given a pointer to some memory, and from
- * the compiler's point of view, _might_ read it, or otherwise depend
- * on its contents.
- *
- * In fact, this function pointer always points to no_op() above. But
- * because the pointer itself is volatile-qualified, the compiler
- * isn't allowed to optimise based on the assumption that that will
- * always be the case. So it has to call through the function pointer
- * anyway, on the basis that it _might_ have magically changed at run
- * time into a pointer to some completely arbitrary function. And
- * therefore it must also avoid optimising away any observable effect
- * beforehand that a completely arbitrary function might depend on -
- * such as the zeroing of our memory region.
- */
- static void (*const volatile maybe_read)(void *ptr, size_t size) = no_op;
- void smemclr(void *b, size_t n)
- {
- if (b && n > 0) {
- /*
- * Zero out the memory.
- */
- memset(b, 0, n);
- /*
- * Call the above function pointer, which (for all the
- * compiler knows) might check that we've really zeroed the
- * memory.
- */
- maybe_read(b, n);
- }
- }
|
