Re: [PATCH v2] mm: Add kvfree_sensitive() for freeing sensitive data objects

From: David Howells
Date: Tue Apr 07 2020 - 17:14:24 EST


Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> So the _real_ prototype for 'free()'-like operations should be something like
>
> void free(const volatile killed void *ptr);
>
> where that "killed" also tells the compiler that the pointer lifetime
> is dead, so that using it afterwards is invalid. So that the compiler
> could warn us about some of the most trivial use-after-free cases.

It might be worth asking the compiler folks to give us an __attribute__ for
that - even if they don't do anything with it immediately. So we might have
something like:

void free(const volatile void *ptr) __attribute__((free(1)));

There are some for allocation functions, some of which we use, though I'm not
sure we do so as consistently as we should (should inline functions like
kcalloc() have them, for example?).

David
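As an added illustration of the attribute David asks for (example code, not part of this thread or of the kernel patch): GCC 11 later added exactly this pairing, `__attribute__((malloc(deallocator, ptr-index)))`, which tells the compiler that an allocator's result may only be released by a named function, so `-Wmismatched-dealloc` can flag a plain `free()` on it and GCC 12's `-Wuse-after-free` can flag a read through the pointer after the paired release. The user-space `secret_alloc()`/`secret_free()` pair, the `PAIRED_WITH` macro and the `wipe_sensitive()` helper are assumptions of this example, written as a small analogue of the wipe-then-free behaviour the patch subject describes.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical macro (assumption of this example, not kernel code): on
 * GCC 11 and later, malloc(deallocator, ptr-index) pairs an allocator with
 * the only function allowed to release its result. The ptr-index names the
 * positional argument of the deallocator that receives the pointer.
 * Other compilers simply see ordinary declarations. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
#define PAIRED_WITH(fn) __attribute__((malloc, malloc(fn, 1)))
#else
#define PAIRED_WITH(fn)
#endif

/* Wipe a buffer through a volatile pointer so the compiler cannot treat the
 * stores as dead; a plain memset() right before free() is routinely removed
 * by dead-store elimination, leaving the secret in freed memory. */
static void wipe_sensitive(void *ptr, size_t len)
{
    volatile unsigned char *p = ptr;

    while (len--)
        *p++ = 0;
}

/* Release a sensitive object: wipe first, then free. It is declared before
 * the allocator so the attribute below can refer to it. */
void secret_free(void *ptr, size_t len)
{
    if (!ptr)
        return;
    wipe_sensitive(ptr, len);
    free(ptr);
}

/* Allocate len bytes for a secret; must be released with secret_free().
 * With GCC 11+, calling free() on the result instead is diagnosed. */
void *secret_alloc(size_t len) PAIRED_WITH(secret_free);
void *secret_alloc(size_t len)
{
    return malloc(len);
}

/* Returns 1 if every byte of p[0..n) is zero. */
static int all_zero(const unsigned char *p, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Demonstration: fill a buffer with a constructed marker, wipe it, and
 * report whether the wipe really cleared every byte (1 = yes). */
int wipe_clears_buffer(void)
{
    unsigned char buf[32];

    memset(buf, 0xA5, sizeof buf);
    wipe_sensitive(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}

/* Demonstration: round-trip a constructed secret through the paired
 * allocator and releaser; returns 1 on success. */
int secret_round_trip(void)
{
    const char secret[] = "constructed-example-key";
    size_t len = sizeof secret;
    char *s = secret_alloc(len);

    if (!s)
        return 0;
    memcpy(s, secret, len);
    secret_free(s, len);   /* the paired release; free(s) here would be flagged on GCC 11+ */
    return 1;
}

int main(void)
{
    return (wipe_clears_buffer() && secret_round_trip()) ? 0 : 1;
}
```

Building with `gcc -Wall -Wextra` on GCC 11 or newer is enough to get the mismatched-deallocator diagnostic; the attribute costs nothing at run time and older compilers ignore the macro entirely.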