rtos: string: Add memory barrier to memset_s for security #10487
Conversation
Add Xtensa memory barrier (memw) instruction after memset() in memset_s() implementation to prevent compiler dead store elimination (DSE) optimization from removing the memory clearing operation. When optimization flags like -O2 are enabled, compilers may perform dead store elimination and incorrectly remove memset() calls used for security purposes to scrub sensitive data from memory. This is critical for confidential data handling where memory must be reliably cleared after use. The memory barrier ensures the memset operation completes and cannot be optimized away, satisfying secure memory scrubbing requirements for cryptographic operations and sensitive data processing. Additionally, the patch removes the check for the return value of memset. The standard C library memset always returns the pointer passed as its first argument and does not indicate errors through its return value. Error handling for a NULL destination is already performed earlier in the function, so the return value check is unnecessary and can be safely omitted. Signed-off-by: Tomasz Leman <[email protected]>
tmleman
requested review from
abonislawski,
dbaluta,
iuliana-prodan,
kv2019i and
lyakh
as code owners
There was a problem hiding this comment.
Pull request overview
This PR enhances the security of the memset_s() function by preventing compiler optimizations from eliminating critical memory clearing operations. The change adds a memory barrier instruction for Xtensa architectures and removes unnecessary error checking.
Changes:
- Added Xtensa-specific memory barrier (
memw) aftermemset()to prevent dead store elimination - Removed unnecessary return value check from
memset()call since it always returns the destination pointer
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| memset(dest, data, count); | ||
| /* | ||
| * Prevent compiler from optimizing away the memset. | ||
| * Memory barrier prevents dead store elimination. | ||
| */ | ||
| #if defined(CONFIG_XTENSA) | ||
| __asm__ __volatile__("memw" ::: "memory"); | ||
| #endif | ||
|
|
There was a problem hiding this comment.
The memory barrier is only applied for Xtensa architecture, leaving other architectures vulnerable to dead store elimination. For security-critical memset_s() function, consider using a portable solution like a volatile function pointer or compiler builtins (e.g., memset_explicit() in C23, or explicit_bzero()) that work across all architectures to prevent compiler optimizations from removing the memory clearing operation.
| memset(dest, data, count); | |
| /* | |
| * Prevent compiler from optimizing away the memset. | |
| * Memory barrier prevents dead store elimination. | |
| */ | |
| #if defined(CONFIG_XTENSA) | |
| __asm__ __volatile__("memw" ::: "memory"); | |
| #endif | |
| /* | |
| * Prevent compiler from optimizing away the memset. | |
| * Use a volatile function pointer so the call has | |
| * observable side effects on all architectures. | |
| */ | |
| void *(*volatile memset_ptr)(void *, int, size_t) = memset; | |
| memset_ptr(dest, data, count); |
| #if defined(CONFIG_XTENSA) | ||
| __asm__ __volatile__("memw" ::: "memory"); | ||
| #endif |
There was a problem hiding this comment.
The memory barrier implementation creates architecture-specific code paths in a security function. Consider extracting this into a macro (e.g., SECURE_MEMORY_BARRIER()) defined in an architecture header file. This would improve maintainability and make it easier to add barriers for other architectures in the future.
There was a problem hiding this comment.
@tmleman I think you can leave out CONFIG_XTENSA. i think this is asm notation is supported by all current SOF toolschains. Better for the build to fail if someone tries to build SOF on a more exotic toolchain.
lyakh
left a comment
lyakh
left a comment
There was a problem hiding this comment.
I understand the motivation, but I don't think this is the right place to fix this. I'd say, that memset_s() should have the same semantics as memset() plus a couple of argument checks. I don't think adding a memory barrier here is a good idea. It needlessly punishes most callers, while I think it's those "special" callers, where such an optimisation can take place and can be harmful. Also not sure it's the memw that prevents the compiler from optimising the code, I'd rather suspect that it's the __volatile__ attribute. Maybe just __asm__ __volatile__("" ::: "memory") would be enough? But again - not here, but in actual sensitive code sections, and maybe as a meaningful macro.
|
@lyakh Thank you for your feedback. I appreciate your point about the potential unnecessary overhead for most use cases. My initial thought was that adding the barrier directly to Alternatively, introducing a dedicated function or macro (e.g., Regarding the use of Let me know your thoughts, and I’m happy to adjust the implementation as needed. |
lgirdwood
left a comment
lgirdwood
left a comment
There was a problem hiding this comment.
In the short term this fixes CC code elimination, but I think the volatile solution is a lot more portable. However, a volatile ptr may cause the memw to occur on each store (in the meset() loop) rather than once at the end of the memset(). This could vary by CC and build flags.
This PR is more direct and deterministic and forces the compiler to always do the right thing, yes there will be a perf hit but I dont think we are calling memset_s() from time critical code.
@tmleman yes, it's for memory ordering, but is it what we need here? I thought we were trying to avoid erroneous compiler optimisation? libc defines |
kv2019i
left a comment
kv2019i
left a comment
There was a problem hiding this comment.
I think this is good. OpenBSD and glibc have explicit_bzero() and C23 introduces memset_explicit().
I think our memset_s is supposed to implement C11 Annex K (optional, never caught on widely) style sementics and indeed that annex does state memset_s() should behave like memset_explicit() and guarantee the writes are not optimzied out. So given we use the "memset_s()" naming, it would be highly confusing if we did not follow the semantics. So +1 for this approach. I don't think the barrier is 100% reliable solution, but for xtensa and the toolchains currently used in SOF, this will work as expected.
| #if defined(CONFIG_XTENSA) | ||
| __asm__ __volatile__("memw" ::: "memory"); | ||
| #endif |
There was a problem hiding this comment.
@tmleman I think you can leave out CONFIG_XTENSA. i think this is asm notation is supported by all current SOF toolschains. Better for the build to fail if someone tries to build SOF on a more exotic toolchain.
|
@kv2019i I was thinking more about extending this: #if defined(CONFIG_XTENSA)
__asm__ __volatile__("memw" ::: "memory");
#elif defined(__GNUC__) || defined(__clang__)
__asm__ __volatile__("" : : "r"(ptr) : "memory");
#endif |
5 participants
Add Xtensa memory barrier (memw) instruction after memset() in memset_s() implementation to prevent compiler dead store elimination (DSE) optimization from removing the memory clearing operation.
When optimization flags like -O2 are enabled, compilers may perform dead store elimination and incorrectly remove memset() calls used for security purposes to scrub sensitive data from memory. This is critical for confidential data handling where memory must be reliably cleared after use.
The memory barrier ensures the memset operation completes and cannot be optimized away, satisfying secure memory scrubbing requirements for cryptographic operations and sensitive data processing.
Additionally, the patch removes the check for the return value of memset. The standard C library memset always returns the pointer passed as its first argument and does not indicate errors through its return value. Error handling for a NULL destination is already performed earlier in the function, so the return value check is unnecessary and can be safely omitted.