diff mbox series

[v8,05/17] eal: add new secure free function

Message ID	20250216170110.7230-6-stephen@networkplumber.org (mailing list archive)
State	Superseded
Delegated to:	Thomas Monjalon
Headers	From: Stephen Hemminger <stephen@networkplumber.org> To: dev@dpdk.org Cc: Stephen Hemminger <stephen@networkplumber.org>, =?utf-8?q?Morten_Br?= =?utf-8?q?=C3=B8rup?= <mb@smartsharesystems.com>, Anatoly Burakov <anatoly.burakov@intel.com>, Tyler Retzlaff <roretzla@linux.microsoft.com> Subject: [PATCH v8 05/17] eal: add new secure free function Date: Sun, 16 Feb 2025 08:53:04 -0800 Message-ID: <20250216170110.7230-6-stephen@networkplumber.org> In-Reply-To: <20250216170110.7230-1-stephen@networkplumber.org> References: <20241114011129.451243-1-stephen@networkplumber.org> <20250216170110.7230-1-stephen@networkplumber.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: dev-bounces@dpdk.org
Series	fix memset warnings reported by PVS studio \| [v8,00/17] fix memset warnings reported by PVS studio [v8,01/17] eal: introduce new secure memory zero [v8,02/17] app/test: use unit test runner for string tests [v8,03/17] app/test: add test for rte_memzero_explicit [v8,04/17] app/test: remove unused variable [v8,05/17] eal: add new secure free function [v8,06/17] app/test: use unit test runner for malloc tests [v8,07/17] app/test: add test for rte_free_sensitive [v8,08/17] common/cnxk: remove unused variable [v8,09/17] crypto/qat: force zero of keys [v8,10/17] crypto/qat: fix size calculation for memset [v8,11/17] crypto/qat: use secure free for keys [v8,12/17] bus/uacce: remove memset before free [v8,13/17] compress/octeontx: remove unnecessary memset [v8,14/17] test: remove unneeded memset [v8,15/17] net/ntnic: check result of malloc [v8,16/17] net/ntnic: remove unnecessary memset [v8,17/17] devtools/cocci: add script to find problematic memset

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK

Commit Message

Stephen Hemminger Feb. 16, 2025, 4:53 p.m. UTC

Although internally rte_free does poison the buffer in most
cases, it is useful to have function that explicitly does
this to avoid any security issues.

Name of new API is chosen to be similar to Linux kernel
kfree_sensitive() to make porting drivers easier.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Morten Brørup <mb@smartsharesystems.com>
---
 lib/eal/common/rte_malloc.c  | 30 ++++++++++++++++++++++++------
 lib/eal/include/rte_malloc.h | 23 +++++++++++++++++++++++
 lib/eal/version.map          |  1 +
 3 files changed, 48 insertions(+), 6 deletions(-)

Comments

Burakov, Anatoly Feb. 20, 2025, 12:31 p.m. UTC | #1

On 16/02/2025 17:53, Stephen Hemminger wrote:
> Although internally rte_free does poison the buffer in most
> cases, it is useful to have function that explicitly does
> this to avoid any security issues.
> 
> Name of new API is chosen to be similar to Linux kernel
> kfree_sensitive() to make porting drivers easier.
> 
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Morten Brørup <mb@smartsharesystems.com>
> ---
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>

diff mbox series

Patch

diff --git a/lib/eal/common/rte_malloc.c b/lib/eal/common/rte_malloc.c
index 3eed4d4be6..fc2d2ae3f1 100644
--- a/lib/eal/common/rte_malloc.c
+++ b/lib/eal/common/rte_malloc.c
@@ -15,6 +15,7 @@ 
 #include <rte_eal_memconfig.h>
 #include <rte_common.h>
 #include <rte_spinlock.h>
+#include <rte_string_fns.h>
 
 #include <eal_trace_internal.h>
 
@@ -27,27 +28,44 @@ 
 
 
 /* Free the memory space back to heap */
-static void
-mem_free(void *addr, const bool trace_ena)
+static inline void
+mem_free(void *addr, const bool trace_ena, bool zero)
 {
+	struct malloc_elem *elem;
+
 	if (trace_ena)
 		rte_eal_trace_mem_free(addr);
 
-	if (addr == NULL) return;
-	if (malloc_heap_free(malloc_elem_from_data(addr)) < 0)
+	if (addr == NULL)
+		return;
+
+	elem = malloc_elem_from_data(addr);
+	if (zero) {
+		size_t data_len = elem->size - MALLOC_ELEM_OVERHEAD;
+
+		rte_memzero_explicit(addr, data_len);
+	}
+
+	if (malloc_heap_free(elem) < 0)
 		EAL_LOG(ERR, "Error: Invalid memory");
 }
 
 void
 rte_free(void *addr)
 {
-	mem_free(addr, true);
+	mem_free(addr, true, false);
+}
+
+void
+rte_free_sensitive(void *addr)
+{
+	mem_free(addr, true, true);
 }
 
 void
 eal_free_no_trace(void *addr)
 {
-	mem_free(addr, false);
+	mem_free(addr, false, false);
 }
 
 static void *
diff --git a/lib/eal/include/rte_malloc.h b/lib/eal/include/rte_malloc.h
index c8836de67c..0a397e7723 100644
--- a/lib/eal/include/rte_malloc.h
+++ b/lib/eal/include/rte_malloc.h
@@ -51,6 +51,29 @@  struct rte_malloc_socket_stats {
 void
 rte_free(void *ptr);
 
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice.
+ *
+ * Frees the memory space pointed to by the provided pointer
+ * and guarantees it will be zero'd before reuse.
+ * This function is slower than simple rte_free() it should only
+ * be used for security keys and other sensitive data.
+ *
+ * This pointer must have been returned by a previous call to
+ * rte_malloc(), rte_zmalloc(), rte_calloc() or rte_realloc(). The behaviour of
+ * rte_free() is undefined if the pointer does not match this requirement.
+ *
+ * If the pointer is NULL, the function does nothing.
+ *
+ * @param ptr
+ *   The pointer to memory to be freed.
+ */
+__rte_experimental
+void
+rte_free_sensitive(void *ptr);
+
 /**
  * This function allocates memory from the huge-page area of memory. The memory
  * is not cleared. In NUMA systems, the memory allocated resides on the same
diff --git a/lib/eal/version.map b/lib/eal/version.map
index 82a3e91c97..cc19c676f8 100644
--- a/lib/eal/version.map
+++ b/lib/eal/version.map
@@ -400,6 +400,7 @@  EXPERIMENTAL {
 	rte_lcore_var_alloc;
 
 	# added in 25.03
+	rte_free_sensitive;
 	rte_memzero_explicit;
 };