Release v30122018 3.4.0

See ChangeLog

Author: rurban

ChangeLog

@@ -1,5 +1,17 @@
 
-                ChangeLog file for safeclib
+        ChangeLog file for safeclib
+
+Changes in v30122018 3.4.0
+        - Updated towctrans case-mappings to Unicode 11.0 (GH #62)
+        - Improved memset_s, memzero_s security by adding a CPU memory barrier,
+          not just a compiler barrier. (GH #63)
+          Check various memory_barrier insns (mfence, sfence, lwsync, membar,
+          lock..., memory_barrier) and use it for the memset primitives
+          to reliably sync memory stores with possibly re-ordered loads.
+          Note that glibc/BSD explicit_bzero or Microsoft SecureZeroMemory only do
+          a simple compiler barrier, which is not Spectre, Meltdown secure.
+        - add pic_flag to RETPOLINE cflags and ldflags (GH #55)
+        - Add --disable-doc option (GH #54)
 
 Changes in v03032018 3.3.0
         - Added compile-time and run-time object_size checks (BOS), resulting

build-tools/smoke.sh

@@ -193,9 +193,9 @@ if [ -e /usr/bin/arm-linux-gnueabihf-gcc ]; then
     ./configure --enable-unsafe --enable-debug --host=arm-linux-gnueabihf && \
         make -s -j4 || exit;
     # $make -s -j4 check-log
-    if [ ! -e /usr/arm-linux-gnueabihf/lib/libsafec-3.3.so.3 ]; then
+    if [ ! -e /usr/arm-linux-gnueabihf/lib/libsafec-3.4.so.3 ]; then
         cd /usr/arm-linux-gnueabihf/lib/;
-        sudo ln -s $OLDPWD/src/.libs/libsafec-3.3.so.3;
+        sudo ln -s $OLDPWD/src/.libs/libsafec-3.4.so.3;
         cd -
     fi
     make -s -j4 -C tests tests;

configure.ac

@@ -936,8 +936,8 @@ AC_SUBST([TARBALL_VERSION_FILE])
 # version information, refer to the libtool manual, section "Updating
 # library version information":
 # http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
-AC_SUBST([SAFEC_SO_VERSION], [3:3:0])
-AC_SUBST([SAFEC_API_VERSION], [3.3])
+AC_SUBST([SAFEC_SO_VERSION], [3:4:0])
+AC_SUBST([SAFEC_API_VERSION], [3.4])
 
 # Automake variables, these variables get automagically included at the top
 # of all automake generated make files. This is why you don't see them

doc/libc-overview.md

@@ -52,6 +52,12 @@ with julia).
 
 See also http://crashcourse.housegordon.org/coreutils-multibyte-support.html
 
+None of the other libc's (and neither most crypto libraries) provide a secure
+memory barrier for memset/memzero/memset_s/explicit_bzero/SecureZeroMemory/...,
+they only provide a compiler barrier against false compiler optimizations. They
+don't reliably sync memory stores with possibly re-ordered loads by modern
+out-of-order CPU's. Only the linux kernel and safeclib do so.
+
 # C11 Annex K/safec caveats
 
 * `tmpnam_s`:

src/extmem/memzero_s.c

@@ -54,6 +54,10 @@
  * @pre   dest shall not be a null pointer.
  * @pre   len shall not be 0 nor greater than RSIZE_MAX_MEM and size of dest
  *
+ * @note memzero_s provides a memory barrier for modern out-of-order CPU's 
+ *       to ensure a cache flush or at least a compiler barrier fallback to
+ *       ensure that is not optimized away by optimizing compilers.
+ *
  * @return  If there is a runtime constraint, the operation is not performed.
  * @retval  EOK         when operation is successful
  * @retval  ESNULLP     when dest is NULL POINTER

src/mem/mem_primitives_lib.c

@@ -42,13 +42,17 @@
  */
 
 /**
+ * @def mem_prim_set(dest,len,value)
  * @brief
  *    Sets len bytes starting at dest to the specified value
  *
  * @param[out] dest   pointer to memory that will be set to value
  * @param[in]  len    number of bytes to be set
  * @param[in]  value  byte value
  *
+ * @note mem_prim_set provides a memory barrier for modern out-of-order CPU's 
+ *       to ensure a cache flush or at least a compiler barrier fallback to
+ *       ensure that is not optimized away by optimizing compilers.
  */
 
 #if __WORDSIZE != 64

src/mem/mem_primitives_lib.h

@@ -111,7 +111,8 @@
 #define ASM_VOLATILE ASM_INLINE volatile
 #define COMPILER_BARRIER ASM_VOLATILE ("" ::: "memory") /* the insecure fallback */
 #else
-#define ASM_VOLATILE //
+/* warning no inline asm */
+#define ASM_VOLATILE
 #define COMPILER_BARRIER
 #endif
 
@@ -122,13 +123,13 @@
 #elif defined(HAVE_MBARRIER_H) && (defined(sun) || defined(__sun))
   /* Solaris 12 (membar) */
 # define MEMORY_BARRIER   __machine_rw_barrier()
-#elif defined(__GNUC__) && defined(HAVE_PPC_ALTIVEC) || defined(HAVE_PPC_SPE)
+#elif defined(__GNUC__) && defined(ASM_INLINE) && (defined(HAVE_PPC_ALTIVEC) || defined(HAVE_PPC_SPE))
 # define MEMORY_BARRIER   ASM_VOLATILE ("lwsync" ::: "memory")
-#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__SSE2__))
+#elif defined(__GNUC__) && defined(ASM_INLINE) && (defined(__x86_64__) || defined(__SSE2__))
 # define MEMORY_BARRIER   ASM_VOLATILE ("mfence" ::: "memory")
-#elif defined(__GNUC__) && defined(__i386__)
+#elif defined(__GNUC__) && defined(ASM_INLINE) && defined(__i386__)
 # define MEMORY_BARRIER   ASM_VOLATILE ("lock; addl $0,0(%%esp)" ::: "memory")
-#elif defined(HAVE_ARM_NEON) || defined(HAVE_ARM_NEON)
+#elif defined(ASM_INLINE) && (defined(HAVE_ARM_NEON) || defined(HAVE_ARM_NEON))
 # define MEMORY_BARRIER   ASM_VOLATILE ("dmb; dsb; isb" ::: "memory")
 #elif defined(__GNUC__) && __GNUC__ >= 5
 /* new gcc-5 memory_barrier insn for most archs:

src/mem/memset_s.c

@@ -72,6 +72,9 @@
  *       erroneous value of dmax does not expose the impending buffer
  *       overflow.
  * @note C11 uses RSIZE_MAX, not RSIZE_MAX_MEM.
+ * @note memset_s provides a memory barrier for modern out-of-order CPU's 
+ *       to ensure a cache flush or at least a compiler barrier fallback to
+ *       ensure that is not optimized away by optimizing compilers.
  *
  * @return  If there is a runtime-constraints violation, and if dest is not a null
  *          pointer, and if dmax is not too large, then, before