diff options
| author | otto <> | 2017-04-10 05:45:02 +0000 |
|---|---|---|
| committer | otto <> | 2017-04-10 05:45:02 +0000 |
| commit | 579a4b73945db7a24a27c2678668b0db5b9f1807 (patch) | |
| tree | 36a6be76ee8b2ccb1e7af2e9cf969e1f91dd6524 /src/lib/libc/stdlib/malloc.3 | |
| parent | 490c04dce89599fb1ab02ea53b512fb7104eccc2 (diff) | |
| download | openbsd-579a4b73945db7a24a27c2678668b0db5b9f1807.tar.gz openbsd-579a4b73945db7a24a27c2678668b0db5b9f1807.tar.bz2 openbsd-579a4b73945db7a24a27c2678668b0db5b9f1807.zip | |
Introducing freezero(3) a version of free that guarantees the process
no longer has access to the content of a memmory object. It does
this by either clearing (if the object memory remains cached) or
by calling munmap(2). ok millert@, deraadt@, guenther@
Diffstat (limited to 'src/lib/libc/stdlib/malloc.3')
| -rw-r--r-- | src/lib/libc/stdlib/malloc.3 | 82 |
1 files changed, 58 insertions, 24 deletions
diff --git a/src/lib/libc/stdlib/malloc.3 b/src/lib/libc/stdlib/malloc.3 index c65c08ef98..c7a79b5e3d 100644 --- a/src/lib/libc/stdlib/malloc.3 +++ b/src/lib/libc/stdlib/malloc.3 | |||
| @@ -30,18 +30,19 @@ | |||
| 30 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 30 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 31 | .\" SUCH DAMAGE. | 31 | .\" SUCH DAMAGE. |
| 32 | .\" | 32 | .\" |
| 33 | .\" $OpenBSD: malloc.3,v 1.109 2017/04/06 17:00:52 otto Exp $ | 33 | .\" $OpenBSD: malloc.3,v 1.110 2017/04/10 05:45:02 otto Exp $ |
| 34 | .\" | 34 | .\" |
| 35 | .Dd $Mdocdate: April 6 2017 $ | 35 | .Dd $Mdocdate: April 10 2017 $ |
| 36 | .Dt MALLOC 3 | 36 | .Dt MALLOC 3 |
| 37 | .Os | 37 | .Os |
| 38 | .Sh NAME | 38 | .Sh NAME |
| 39 | .Nm malloc , | 39 | .Nm malloc , |
| 40 | .Nm calloc , | 40 | .Nm calloc , |
| 41 | .Nm reallocarray , | ||
| 42 | .Nm recallocarray , | ||
| 43 | .Nm realloc , | 41 | .Nm realloc , |
| 44 | .Nm free | 42 | .Nm free |
| 43 | .Nm reallocarray , | ||
| 44 | .Nm recallocarray , | ||
| 45 | .Nm freezero , | ||
| 45 | .Nd memory allocation and deallocation | 46 | .Nd memory allocation and deallocation |
| 46 | .Sh SYNOPSIS | 47 | .Sh SYNOPSIS |
| 47 | .In stdlib.h | 48 | .In stdlib.h |
| @@ -50,15 +51,23 @@ | |||
| 50 | .Ft void * | 51 | .Ft void * |
| 51 | .Fn calloc "size_t nmemb" "size_t size" | 52 | .Fn calloc "size_t nmemb" "size_t size" |
| 52 | .Ft void * | 53 | .Ft void * |
| 54 | .Fn realloc "void *ptr" "size_t size" | ||
| 55 | .Ft void | ||
| 56 | .Fn free "void *ptr" | ||
| 57 | .Ft void * | ||
| 53 | .Fn reallocarray "void *ptr" "size_t nmemb" "size_t size" | 58 | .Fn reallocarray "void *ptr" "size_t nmemb" "size_t size" |
| 54 | .Ft void * | 59 | .Ft void * |
| 55 | .Fn recallocarray "void *ptr" "size_t oldnmemb" "size_t nmemb" "size_t size" | 60 | .Fn recallocarray "void *ptr" "size_t oldnmemb" "size_t nmemb" "size_t size" |
| 56 | .Ft void * | ||
| 57 | .Fn realloc "void *ptr" "size_t size" | ||
| 58 | .Ft void | 61 | .Ft void |
| 59 | .Fn free "void *ptr" | 62 | .Fn freezero "void *ptr" "size_t size" |
| 60 | .Vt char *malloc_options ; | 63 | .Vt char *malloc_options ; |
| 61 | .Sh DESCRIPTION | 64 | .Sh DESCRIPTION |
| 65 | The standard functions | ||
| 66 | .Fn malloc , | ||
| 67 | .Fn calloc , | ||
| 68 | and | ||
| 69 | .Fn realloc | ||
| 70 | allocate memory space. | ||
| 62 | The | 71 | The |
| 63 | .Fn malloc | 72 | .Fn malloc |
| 64 | function allocates uninitialized space for an object of | 73 | function allocates uninitialized space for an object of |
| @@ -103,6 +112,26 @@ behaves like | |||
| 103 | and allocates a new object. | 112 | and allocates a new object. |
| 104 | .Pp | 113 | .Pp |
| 105 | The | 114 | The |
| 115 | .Fn free | ||
| 116 | function causes the space pointed to by | ||
| 117 | .Fa ptr | ||
| 118 | to be either placed on a list of free blocks to make it available for future | ||
| 119 | allocation or, when appropiate, to be returned to the kernel using | ||
| 120 | .Xr munmap 2 . | ||
| 121 | If | ||
| 122 | .Fa ptr | ||
| 123 | is a | ||
| 124 | .Dv NULL | ||
| 125 | pointer, no action occurs. | ||
| 126 | If | ||
| 127 | .Fa ptr | ||
| 128 | was previously freed by | ||
| 129 | .Fn free | ||
| 130 | or a reallocation function, | ||
| 131 | the behavior is undefined and the double free is a security concern. | ||
| 132 | .Pp | ||
| 133 | Designed for safe allocation of arrays, | ||
| 134 | the | ||
| 106 | .Fn reallocarray | 135 | .Fn reallocarray |
| 107 | function is similar to | 136 | function is similar to |
| 108 | .Fn realloc | 137 | .Fn realloc |
| @@ -115,7 +144,8 @@ and checks for integer overflow in the calculation | |||
| 115 | * | 144 | * |
| 116 | .Fa size . | 145 | .Fa size . |
| 117 | .Pp | 146 | .Pp |
| 118 | The | 147 | Used for the allocation of memory holding sensitive data, |
| 148 | the | ||
| 119 | .Fn recallocarray | 149 | .Fn recallocarray |
| 120 | function is similar to | 150 | function is similar to |
| 121 | .Fn reallocarray | 151 | .Fn reallocarray |
| @@ -150,23 +180,25 @@ is the size of the earlier allocation that returned | |||
| 150 | otherwise the behaviour is undefined. | 180 | otherwise the behaviour is undefined. |
| 151 | .Pp | 181 | .Pp |
| 152 | The | 182 | The |
| 183 | .Fn freezero | ||
| 184 | function is similar to the | ||
| 153 | .Fn free | 185 | .Fn free |
| 154 | function causes the space pointed to by | 186 | function except it ensures the memory being deallocated is explicitly |
| 155 | .Fa ptr | 187 | discarded. |
| 156 | to be either placed on a list of free pages to make it available for future | ||
| 157 | allocation or, if required, to be returned to the kernel using | ||
| 158 | .Xr munmap 2 . | ||
| 159 | If | 188 | If |
| 160 | .Fa ptr | 189 | .Fa ptr |
| 161 | is a | 190 | is |
| 162 | .Dv NULL | 191 | .Dv NULL , |
| 163 | pointer, no action occurs. | 192 | no action occurs. |
| 164 | If | 193 | If |
| 165 | .Fa ptr | 194 | .Fa ptr |
| 166 | was previously freed by | 195 | is not |
| 167 | .Fn free | 196 | .Dv NULL , |
| 168 | or a reallocation function, | 197 | the |
| 169 | the behavior is undefined and the double free is a security concern. | 198 | .Fa size |
| 199 | argument must be the size of the earlier allocation that returned | ||
| 200 | .Fa ptr , | ||
| 201 | otherwise the behaviour is undefined. | ||
| 170 | .Sh RETURN VALUES | 202 | .Sh RETURN VALUES |
| 171 | Upon successful completion, the allocation functions | 203 | Upon successful completion, the allocation functions |
| 172 | return a pointer to the allocated space; otherwise, a | 204 | return a pointer to the allocated space; otherwise, a |
| @@ -319,10 +351,8 @@ function should be used for resizing objects containing sensitive data like | |||
| 319 | keys. | 351 | keys. |
| 320 | To avoid leaking information, | 352 | To avoid leaking information, |
| 321 | it guarantees memory is cleared before placing it on the internal free list. | 353 | it guarantees memory is cleared before placing it on the internal free list. |
| 322 | A | 354 | Deallocation of such an object should be done by calling |
| 323 | .Fn free | 355 | .Fn freezero . |
| 324 | call for such an object should still be preceded by a call to | ||
| 325 | .Xr explicit_bzero 3 . | ||
| 326 | .Sh ENVIRONMENT | 356 | .Sh ENVIRONMENT |
| 327 | .Bl -tag -width "/etc/malloc.conf" | 357 | .Bl -tag -width "/etc/malloc.conf" |
| 328 | .It Ev MALLOC_OPTIONS | 358 | .It Ev MALLOC_OPTIONS |
| @@ -539,6 +569,10 @@ The | |||
| 539 | .Fn recallocarray | 569 | .Fn recallocarray |
| 540 | function appeared in | 570 | function appeared in |
| 541 | .Ox 6.1 . | 571 | .Ox 6.1 . |
| 572 | The | ||
| 573 | .Fn freezero | ||
| 574 | function appeared in | ||
| 575 | .Ox 6.2 . | ||
| 542 | .Sh CAVEATS | 576 | .Sh CAVEATS |
| 543 | When using | 577 | When using |
| 544 | .Fn malloc , | 578 | .Fn malloc , |