[Cryptography] [FORGED] Re: How programming language design can help us write secure crypto code

Mon Nov 2 01:53:48 EST 2015

Peter Gutmann wrote this message on Sat, Oct 31, 2015 at 01:29 +0000:
> Ray Dillinger <bear at sonic.net> writes:
> 
> >Am I wrong?
> 
> Oh, you're just assuming the gcc devs are following their usual "policy of
> delivering the most useless possible conformance" :-).  Here's what the gcc
> docs say for the annotation:
> 
>   The nonnull attribute specifies that some function parameters should be non-
>   null pointers. For instance, the declaration:
> 
>           extern void *
>           my_memcpy (void *dest, const void *src, size_t len)
>           	__attribute__((nonnull (1, 2)));
>      
>   causes the compiler to check that, in calls to my_memcpy, arguments dest and
>   src are non-null. If the compiler determines that a null pointer is passed
>   in an argument slot marked as non-null, and the -Wnonnull option is enabled,

This states that it checks calls to the function, such as:
#include <sys/types.h>
#include <unistd.h>

extern void *
my_memcpy(void *dest, const void *src, size_t len)
__attribute__((nonnull(1,2)));

extern void *a;
extern void *b;
extern size_t l;

void
afun(void)
{
	my_memcpy(NULL, b, l);
}

And it states clearly what it does when it figures out that it's NULL,
but it also doesn't state what it does if it cannot determine if the
argument is NULL, so it's assume that it does nothing...

and if you compile w/ gcc:
$gcc -Wnonnull -c a.c
a.c:15:22: warning: null passed to a callee that requires a non-null argument
      [-Wnonnull]
        my_memcpy(NULL, b, l);
                  ~~~~      ^
1 warning generated.

Which shows that it works as designed...

>   a warning is issued. The compiler may also choose to make optimizations
>   based on the knowledge that certain function arguments will not be null.

This says that when compiling the function, it will make assumptions
that the arguments will not be NULL...  It obviously can't peer through
other functions though:
#include <sys/types.h>
#include <unistd.h>

extern void *
my_memcpy(void *dest, const void *src, size_t len)
__attribute__((nonnull(1,2)));

extern void *b;
extern size_t l;

void
afun(void *a)
{
	my_memcpy(a, b, l);
}

void
bfun(void)
{
	afun(NULL);
}

compiles with out warning w/ -Wnonnull...  And unsurprisingly you have
now violated your contract w/ the compiler...

> Here's what gcc actually does:
> 
>   The nonnull attribute specifies that some function parameters should be non-
>   null pointers. For instance, the declaration [...] causes the compiler to
>   silently remove any checks for null pointers in the code when compiling it.
>   No warnings will be issued.
> 
> So it does pretty much the reverse of what the documentation says.  The reason

I disagree, the auther annotated the function that the pointer(s) will
be non-NULL, so by definition a pointer == NULL check will always be
false, and the optimizer is allowed to remove the code...

The root of the problem as someone else pointed out, is that it's
incorrect to write code check for a NULL pointer when you've already
said it is non-NULL...

That's like complaining that the compiler optimizes out my if (0) code!

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."