diff --git a/include/string.h b/include/string.h index d9adcf4e0e41..73b675370c58 100644 --- a/include/string.h +++ b/include/string.h @@ -1,175 +1,178 @@ /*- * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 1990, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef _STRING_H_ #define _STRING_H_ #include #include #include /* * Prototype functions which were historically defined in , but * are required by POSIX to be prototyped in . */ #if __BSD_VISIBLE #include #endif #ifndef _SIZE_T_DECLARED typedef __size_t size_t; #define _SIZE_T_DECLARED #endif #if !defined(_STANDALONE) && defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 #include #endif __BEGIN_DECLS #if __XSI_VISIBLE >= 600 void *memccpy(void * __restrict, const void * __restrict, int, size_t); #endif void *memchr(const void *, int, size_t) __pure; #if __BSD_VISIBLE void *memrchr(const void *, int, size_t) __pure; #endif int memcmp(const void *, const void *, size_t) __pure; void *(memcpy)(void * __restrict, const void * __restrict, size_t); #if __BSD_VISIBLE void *memmem(const void *, size_t, const void *, size_t) __pure; #endif void *(memmove)(void *, const void *, size_t); #if __BSD_VISIBLE void *(mempcpy)(void * __restrict, const void * __restrict, size_t); #endif void *(memset)(void *, int, size_t); +#if __BSD_VISIBLE || __ISO_C_VISIBLE >= 2023 +void *memset_explicit(void *, int, size_t); +#endif #if __POSIX_VISIBLE >= 200809 char *(stpcpy)(char * __restrict, const char * __restrict); char *(stpncpy)(char * __restrict, const char * __restrict, size_t); #endif #if __BSD_VISIBLE char *strcasestr(const char *, const char *) __pure; #endif char *(strcat)(char * __restrict, const char * __restrict); char *strchr(const char *, int) __pure; #if __BSD_VISIBLE char *strchrnul(const char*, int) __pure; int strverscmp(const char *, const char *) __pure; #endif int strcmp(const char *, const char *) __pure; int strcoll(const char *, const char *); char *(strcpy)(char * __restrict, const char * __restrict); size_t strcspn(const char *, const char *) __pure; #if __POSIX_VISIBLE >= 200112 || __XSI_VISIBLE char *strdup(const char *) __malloc_like; #endif char *strerror(int); #if __POSIX_VISIBLE >= 200112 int strerror_r(int, char *, size_t); #endif #if __BSD_VISIBLE size_t (strlcat)(char * __restrict, const char * __restrict, size_t); size_t (strlcpy)(char * __restrict, const char * __restrict, size_t); #endif size_t strlen(const char *) __pure; #if __BSD_VISIBLE #ifndef _MODE_T_DECLARED typedef __mode_t mode_t; #define _MODE_T_DECLARED #endif void strmode(mode_t, char *); #endif char *(strncat)(char * __restrict, const char * __restrict, size_t); int strncmp(const char *, const char *, size_t) __pure; char *(strncpy)(char * __restrict, const char * __restrict, size_t); #if __POSIX_VISIBLE >= 200809 char *strndup(const char *, size_t) __malloc_like; size_t strnlen(const char *, size_t) __pure; #endif #if __BSD_VISIBLE char *strnstr(const char *, const char *, size_t) __pure; #endif char *strpbrk(const char *, const char *) __pure; char *strrchr(const char *, int) __pure; #if __BSD_VISIBLE char *strsep(char **, const char *); #endif #if __POSIX_VISIBLE >= 200809 char *strsignal(int); #endif size_t strspn(const char *, const char *) __pure; char *strstr(const char *, const char *) __pure; char *strtok(char * __restrict, const char * __restrict); #if __POSIX_VISIBLE >= 199506 || __XSI_VISIBLE >= 500 char *strtok_r(char *, const char *, char **); #endif size_t strxfrm(char * __restrict, const char * __restrict, size_t); #if __BSD_VISIBLE #ifndef _SWAB_DECLARED #define _SWAB_DECLARED #ifndef _SSIZE_T_DECLARED typedef __ssize_t ssize_t; #define _SSIZE_T_DECLARED #endif /* _SIZE_T_DECLARED */ void swab(const void * __restrict, void * __restrict, ssize_t); #endif /* _SWAB_DECLARED */ int timingsafe_bcmp(const void *, const void *, size_t); int timingsafe_memcmp(const void *, const void *, size_t); #endif /* __BSD_VISIBLE */ #if __POSIX_VISIBLE >= 200112 || defined(_XLOCALE_H_) #include #endif #if __EXT1_VISIBLE #ifndef _RSIZE_T_DEFINED #define _RSIZE_T_DEFINED typedef size_t rsize_t; #endif #ifndef _ERRNO_T_DEFINED #define _ERRNO_T_DEFINED typedef int errno_t; #endif /* ISO/IEC 9899:2011 K.3.7.4.1.1 */ errno_t memset_s(void *, rsize_t, int, rsize_t); #endif /* __EXT1_VISIBLE */ __END_DECLS #endif /* _STRING_H_ */ diff --git a/lib/libc/string/Makefile.inc b/lib/libc/string/Makefile.inc index c5ded194c78a..5d4a9a6e3eed 100644 --- a/lib/libc/string/Makefile.inc +++ b/lib/libc/string/Makefile.inc @@ -1,117 +1,119 @@ .if ${MK_MACHDEP_OPTIMIZATIONS} != "no" .PATH: ${LIBC_SRCTOP}/${LIBC_ARCH}/string .endif .PATH: ${LIBC_SRCTOP}/string .PATH: ${SRCTOP}/sys/libkern CFLAGS+= -I${LIBC_SRCTOP}/locale # machine-independent string sources MISRCS+=bcmp.c bcopy.c bzero.c explicit_bzero.c \ ffs.c ffsl.c ffsll.c fls.c flsl.c flsll.c \ memccpy.c memchr.c memrchr.c memcmp.c \ memcpy.c memmem.c memmove.c mempcpy.c memset.c memset_s.c \ + memset_explicit.c \ stpcpy.c stpncpy.c strcasecmp.c \ strcat.c strcasestr.c strchr.c strchrnul.c strcmp.c strcoll.c strcpy.c\ strcspn.c strdup.c strerror.c strlcat.c strlcpy.c strlen.c strmode.c \ strncat.c strncmp.c strncpy.c strndup.c strnlen.c strnstr.c \ strpbrk.c strrchr.c strsep.c strsignal.c strspn.c strstr.c strtok.c \ strverscmp.c strxfrm.c swab.c \ timingsafe_bcmp.c \ timingsafe_memcmp.c \ wcpcpy.c wcpncpy.c wcscasecmp.c wcscat.c \ wcschr.c wcscmp.c wcscoll.c wcscpy.c wcscspn.c wcsdup.c \ wcslcat.c wcslcpy.c wcslen.c wcsncasecmp.c wcsncat.c wcsncmp.c \ wcsncpy.c wcsnlen.c wcspbrk.c \ wcsrchr.c wcsspn.c wcsstr.c wcstok.c wcswidth.c wcsxfrm.c wmemchr.c \ wmemcmp.c \ wmemcpy.c wmemmove.c wmempcpy.c wmemset.c SYM_MAPS+= ${LIBC_SRCTOP}/string/Symbol.map .if ${MK_ASAN} != "no" # These source files deliberately read out of bounds since they assume that # out-of-bounds memory accesses that don't cross pages are always legal. # Note: While this is fine on x86, it does break when running with CHERI. CFLAGS.strlen.c+= -fno-sanitize=address CFLAGS.strchrnul.c+= -fno-sanitize=address CFLAGS.memchr.c+= -fno-sanitize=address .endif .if ${MK_MACHDEP_OPTIMIZATIONS} != "no" # machine-dependent string sources .sinclude "${LIBC_SRCTOP}/${LIBC_ARCH}/string/Makefile.inc" .endif MAN+= bcmp.3 bcopy.3 bstring.3 bzero.3 ffs.3 index.3 memccpy.3 memchr.3 \ memcmp.3 memcpy.3 memmem.3 memmove.3 memset.3 strcasecmp.3 strcat.3 \ strchr.3 strcmp.3 strcoll.3 strcpy.3 strdup.3 strerror.3 \ string.3 strlcpy.3 strlen.3 strmode.3 strpbrk.3 strsep.3 \ strspn.3 strstr.3 strtok.3 strverscmp.3 strxfrm.3 swab.3 \ timingsafe_bcmp.3 \ wcscoll.3 wcstok.3 \ wcswidth.3 wcsxfrm.3 wmemchr.3 MLINKS+=bzero.3 explicit_bzero.3 MLINKS+=ffs.3 ffsl.3 \ ffs.3 ffsll.3 \ ffs.3 fls.3 \ ffs.3 flsl.3 \ ffs.3 flsll.3 MLINKS+=index.3 rindex.3 MLINKS+=memchr.3 memrchr.3 MLINKS+=memcpy.3 mempcpy.3 -MLINKS+=memset.3 memset_s.3 +MLINKS+=memset.3 memset_s.3 \ + memset.3 memset_explicit.3 MLINKS+=strcasecmp.3 strncasecmp.3 \ strcasecmp.3 strcasecmp_l.3 \ strcasecmp.3 strncasecmp_l.3 MLINKS+=strcat.3 strncat.3 MLINKS+=strchr.3 strrchr.3 \ strchr.3 strchrnul.3 MLINKS+=strcmp.3 strncmp.3 MLINKS+=strcoll.3 strcoll_l.3 MLINKS+=strcpy.3 stpcpy.3 \ strcpy.3 stpncpy.3 \ strcpy.3 strncpy.3 MLINKS+=strdup.3 strndup.3 MLINKS+=strerror.3 perror.3 \ strerror.3 strerror_l.3 \ strerror.3 strerror_r.3 \ strerror.3 sys_errlist.3 \ strerror.3 sys_nerr.3 MLINKS+=strlcpy.3 strlcat.3 MLINKS+=strlen.3 strnlen.3 MLINKS+=strspn.3 strcspn.3 MLINKS+=strstr.3 strcasestr.3 \ strstr.3 strnstr.3 \ strstr.3 strcasestr_l.3 MLINKS+=strtok.3 strtok_r.3 MLINKS+=strxfrm.3 strxfrm_l.3 MLINKS+=timingsafe_bcmp.3 timingsafe_memcmp.3 MLINKS+=wmemchr.3 wcpcpy.3 \ wmemchr.3 wcpncpy.3 \ wmemchr.3 wcscasecmp.3 \ wmemchr.3 wcscat.3 \ wmemchr.3 wcschr.3 \ wmemchr.3 wcscmp.3 \ wmemchr.3 wcscpy.3 \ wmemchr.3 wcscspn.3 \ wmemchr.3 wcsdup.3 \ wmemchr.3 wcslcat.3 \ wmemchr.3 wcslcpy.3 \ wmemchr.3 wcslen.3 \ wmemchr.3 wcsncasecmp.3 \ wmemchr.3 wcsncat.3 \ wmemchr.3 wcsncmp.3 \ wmemchr.3 wcsncpy.3 \ wmemchr.3 wcsnlen.3 \ wmemchr.3 wcspbrk.3 \ wmemchr.3 wcsrchr.3 \ wmemchr.3 wcsspn.3 \ wmemchr.3 wcsstr.3 \ wmemchr.3 wmemcmp.3 \ wmemchr.3 wmemcpy.3 \ wmemchr.3 wmemmove.3 \ wmemchr.3 wmempcpy.3 \ wmemchr.3 wmemset.3 diff --git a/lib/libc/string/Symbol.map b/lib/libc/string/Symbol.map index fd854d1f9479..6b2c41124adf 100644 --- a/lib/libc/string/Symbol.map +++ b/lib/libc/string/Symbol.map @@ -1,121 +1,125 @@ FBSD_1.0 { bcmp; bcopy; memcpy; memmove; ffs; ffsl; fls; flsl; index; strchr; memccpy; memchr; memcmp; memmem; bzero; memset; strrchr; rindex; stpcpy; strcasecmp; strncasecmp; strcasestr; strcat; strcmp; strcoll; strcpy; strcspn; strdup; strerror_r; strerror; strlcat; strlcpy; strlen; strmode; strncat; strncmp; strncpy; strnstr; strpbrk; strsep; strsignal; strspn; strstr; strtok_r; strtok; strxfrm; swab; wcscat; wcschr; wcscmp; wcscoll; wcscpy; wcscspn; wcsdup; wcslcat; wcslcpy; wcslen; wcsncat; wcsncmp; wcsncpy; wcspbrk; wcsrchr; wcsspn; wcsstr; wcstok; wcswidth; wcsxfrm; wmemchr; wmemcmp; wmemcpy; wmemmove; wmemset; }; FBSD_1.1 { ffsll; flsll; memrchr; stpncpy; strndup; strnlen; wcpcpy; wcpncpy; wcscasecmp; wcsncasecmp; wcsnlen; }; FBSD_1.3 { strcasecmp_l; strcasestr_l; strchrnul; strncasecmp_l; wcswidth_l; wcwidth_l; }; FBSD_1.4 { explicit_bzero; }; FBSD_1.5 { memset_s; timingsafe_bcmp; timingsafe_memcmp; }; FBSD_1.6 { strerror_l; }; FBSD_1.7 { mempcpy; strverscmp; wmempcpy; }; +FBSD_1.8 { + memset_explicit; +}; + FBSDprivate_1.0 { __strtok_r; }; diff --git a/lib/libc/string/memset.3 b/lib/libc/string/memset.3 index 3ae485f68a92..f2dba3ec5a48 100644 --- a/lib/libc/string/memset.3 +++ b/lib/libc/string/memset.3 @@ -1,130 +1,144 @@ .\" Copyright (c) 1990, 1991, 1993 .\" The Regents of the University of California. All rights reserved. .\" .\" This code is derived from software contributed to Berkeley by .\" Chris Torek and the American National Standards Committee X3, .\" on Information Processing Systems. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of the University nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd August 19, 2018 +.Dd October 24, 2024 .Dt MEMSET 3 .Os .Sh NAME .Nm memset .Nd write a byte to byte string .Sh LIBRARY .Lb libc .Sh SYNOPSIS .In string.h .Ft void * .Fn memset "void *dest" "int c" "size_t len" +.Ft void * +.Fn memset_explicit "void *dest" "int c" "size_t len" .Fd #define __STDC_WANT_LIB_EXT1__ 1 .Ft errno_t .Fn memset_s "void *dest" "rsize_t destsz" "int c" "rsize_t len" .Sh DESCRIPTION The .Fn memset function writes .Fa len bytes of value .Fa c (converted to an .Vt "unsigned char" ) to the string .Fa dest . Undefined behaviour from .Fn memset , resulting from storage overflow, will occur if .Fa len is greater than the length of the .Fa dest buffer. The behaviour is also undefined if .Fa dest is an invalid pointer. .Pp The +.Fn memset_explicit +function behaves the same as +.Fn memset, but will not be removed by a compiler's dead store +optimization pass, making it useful for clearing sensitive memory +such as a password. +.Pp +The .Fn memset_s function behaves the same as .Fn memset except that an error is returned and the currently registered runtime-constraint handler is called if .Fa dest is a null pointer, .Fa destsz or .Fa len is greater than .Dv RSIZE_MAX , or .Fa len is greater than .Fa destsz (buffer overflow would occur). The runtime-constraint handler is called first and may not return. If it does return, an error is returned to the caller. Like .Xr explicit_bzero 3 , .Fn memset_s is not removed through Dead Store Elimination (DSE), making it useful for clearing sensitive data. In contrast .Fn memset function may be optimized away if the object modified by the function is not accessed again. To clear memory that will not subsequently be accessed it is advised to use .Fn memset_s instead of .Fn memset . For instance, a buffer containing a password should be cleared with .Fn memset_s before .Xr free 3 . .Sh RETURN VALUES The .Fn memset -function returns its first argument. +and +.Fn memset_explicit +functions return their first argument. The .Fn memset_s function returns zero on success, non-zero on error. .Sh SEE ALSO .Xr bzero 3 , .Xr explicit_bzero 3 , .Xr set_constraint_handler_s 3 , .Xr swab 3 , .Xr wmemset 3 .Sh STANDARDS The .Fn memset function conforms to .St -isoC . .Fn memset_s conforms to .St -isoC-2011 K.3.7.4.1. +.Fn memset_explicit +conforms to +.St -isoC-2024 . diff --git a/lib/libc/string/memset_explicit.c b/lib/libc/string/memset_explicit.c new file mode 100644 index 000000000000..ee6be0363981 --- /dev/null +++ b/lib/libc/string/memset_explicit.c @@ -0,0 +1,26 @@ +/*- + * SPDF-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2024 Robert Clausecker + */ + +#include + +__attribute__((weak)) void __memset_explicit_hook(void *, int, size_t); + +__attribute__((weak)) void +__memset_explicit_hook(void *buf, int ch, size_t len) +{ + (void)buf; + (void)ch; + (void)len; +} + +void * +memset_explicit(void *buf, int ch, size_t len) +{ + memset(buf, ch, len); + __memset_explicit_hook(buf, ch, len); + + return (buf); +}