Protect explicit_bzero() from link-time optimization

Modern compiler toolchains are capable of optimizing even across
translation unit boundaries, so simply moving the memory clearing into
a separate function is not guaranteed to clear memory.

To avoid this, we take advantage of ELF weak symbol semantics, and
insert a call to an empty, weakly named function.  The semantics of
calling this function aren't determinable until load time, so the
compiler and linker need to keep the memset() call.

There are still ways a toolchain might defeat this trick (e.g.,
optimistically expecting the weak symbol to not be overloaded, and
only calling memset() if it is; promoting weak symbols to strong
symbols at link-time when emitting a static binary because they won't
be interposed; implementing load-time optimizations).  But at least
for the foreseeable future, these seem unlikely.

ok deraadt

1 files changed, 10 insertions, 7 deletions

diff --git a/src/lib/libc/string/explicit_bzero.c b/src/lib/libc/string/explicit_bzero.c
index 5124df23ca..3e33ca85b8 100644
--- a/src/lib/libc/string/explicit_bzero.c
+++ b/src/lib/libc/string/explicit_bzero.c
@@ -1,16 +1,19 @@
-/*      $OpenBSD: explicit_bzero.c,v 1.2 2014/06/10 04:17:37 deraadt Exp $ */
+/*      $OpenBSD: explicit_bzero.c,v 1.3 2014/06/21 02:34:26 matthew Exp $ */
 /*
  * Public domain.
- * Written by Ted Unangst
+ * Written by Matthew Dempsky.
  */
 
 #include <string.h>
 
-/*
- * explicit_bzero - don't let the compiler optimize away bzero
- */
+__attribute__((weak)) void
+__explicit_bzero_hook(void *buf, size_t len)
+{
+}
+
 void
-explicit_bzero(void *p, size_t n)
+explicit_bzero(void *buf, size_t len)
 {
-        bzero(p, n);
+        memset(buf, 0, len);
+        __explicit_bzero_hook(buf, len);
 }