secp256k1
secp256k1 copied to clipboard
bitcoin-core
memcmp may be miscompiled by GCC
What about the other memcmp's we have in actual production code? (bip340 tag, tweak add check, scratch impl, sha256 selftest) does this bug affect those too?
Originally posted by @elichai in https://github.com/bitcoin-core/secp256k1/pull/822#issuecomment-697221468
context: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189
AFAIU (and I'm not 100% sure) this affects comparisons with fixed byte arrays which include zero bytes. The check may then early terminate at the first zero byte.
- BIP340 tag: Strictly speaking yes, here we compare with a fixed string including zero bytes. Even though it will be weird if someone passed
BIP0340/nonce\0ABor something like this. (and see #757 , maybe that's not a great API anyway). - Tweak add check: probably not, no constants here.
- scratch: here the byte array is
scratchso this should be fine. - sha256 selftest: no zero byte in the outpur either.
In the tests we have many many memcmp calls, some even with the all-zero arrays.
- BIP340 tag: Strictly speaking yes, here we compare with a fixed string including zero bytes. Even though it will be weird if someone passed
BIP0340/nonce\0ABor something like this. (and see #757 , maybe that's not a great API anyway).
I don't think it's explicit anywhere that the tag even needs to be a string, someone could use the timestamp of their product launch datetime, or their birthday as the tag, and that will contain zeros. (I have 0 idea if this is realistic or not, I do not know of products that use tagged hashes so don't know if they used string/int/bytes as tag)
@elichai Indeed but I believe the bug only occurs with the zeros in the constant. We may want to verify/test this.
Is it sufficient to add a -fno-builtin-memcmp flag if it exists, (and maybe disable it if some autotools stuff has run and was unable to find the bug)?
(I have verified that my tests in https://github.com/bitcoin-core/secp256k1/pull/822 pass when -fno-builtin-memcmp is used.)
If "-fno-builtin-memcmp" is sufficient that sounds good. I think it would still be advisable to include an explicit memcmp test if no-builtin-memcmp is the solution
We could even include a self-test but I'm not sure about this.
And I'm still not sure if shipping our function is just better, even though it's "extremely dumb" as to your adequate summary. Pragmatically, the implementation is trivial and will just work everywhere without any compiler detection magic etc. edit: Moreover, if the fix is in the code and not in the compiler flags, it's possible to use check the GCC version in the preprocessor, if we want to do this.
If we do that will we be able to detect indirect calls to memcmp (I'm thinking via other libc calls)? In that sense -fno-builtin-memcmp is more robust.
how does a secp256k1_memcmp help change behaviour in other compilation units?
(I'm thinking via other libc calls)
Well we're not going to be able to re-build libc. If there is an indirect bug due to libc being compiled with gcc and its memcmp calls working incorrectly, that would be a bug in the resulting libc library, and nothing we can do about that (except minimizing how much we rely on libc).
The compiler can in some cases "emit" memcmp calls automatically, though. I don't know if that's the case in our codebase, and I don't know if that's strictly for situations where a builtin wouldn't/can't be used - but if that is somehow subject to the same bug, having a custom memcmp function may not be enough.
Oh sorry I didn't mean fixing libc. I mean that the compiler hypothetically inlining some call to libc that in turn calls memcmp, that then gets optimized. I'm not familiar enough with C to have anything in particular in mind, so maybe it just isn't a thing to worry about. TBH I was really thinking of something analogous to std::lexicographical_compare.
The compiler can't inline calls to libc, as it doesn't know what is in the called functions.
What is possible is that some functionality is implemented in libc headers, through inline functions or other builtins, that directly call memcmp/__builtin_memcmp. I can't find any instances of this in my system C headers (except the definition of memcmp itself), though there are a few in STL C++ headers.
The compiler can't inline calls to libc, as it doesn't know what is in the called functions.
I don't believe this is true, a compiler target also encodes the exact libc variant that is used, and the compiler can use that knowledge to its advantage (see #/776 for example) a few examples of how without headers the compiler can remove calls to libc and replace them with equivalent instructions while assuming those calls don't have side effects. (and are well known) https://godbolt.org/z/EKe4rx
EDIT: I see now that @sipa probably commented on this sentence by @roconnor-blockstream
I mean that the compiler hypothetically inlining some call to libc that in turn calls memcmp
I still believe this could happen, just like gcc turns this code into a "return 0":
#include <stddef.h>
void *calloc(size_t nmemb, size_t size);
int zeroed_alloc(int num) {
int* p = calloc(num, sizeof(int));
int ret = *p;
free(p);
return ret;
}
Given that we have some evidence that this does not happen when the GCC knows that the return value is compared with != 0 or == 0, I tend towards ignoring the issue. This bug looked very bad but in the end the scope is very limited. As long as our code is not affected, this is not much different from hundreds of other compiler bugs (e.g. #585).
Of course #825 is a simple fix but it's somewhat arbitrary then.
See also https://github.com/bitcoin/bitcoin/issues/20005#issuecomment-699078122, which does not show any potential issues in secp256k1.
@elichai Sure, the compiler may know things about how C standard library functions behave (because they're specified by the standard, or because it knows additional promises the specifically used C standard library used makes). But (in general) it cannot actually look at the compiled library object code and inline it (in theory LTO could change that, but there is no LTO done for glibc IIRC). So just the fact that a particular function inside glibc is written using memcmp isn't relevant - except to the extent that it may be miscompiled inside glibc itself - and there is nothing we can do about that.
@real-or-random I don't know - even with evidence that the current codebase is unaffected, it's still scary - evidenced by the fact that we hit it randomly in PR #822 (thankfully in test-only code, but it could have been elsewhere).
If people feel we should do #825, then I'm not against this. It certainly won't hurt.
@roconnor-blockstream
I rebuilt bitcoin-0.20.1 (including libsecp256k1) using emit_diagnostic, and I also did not get any miscompiled memcmp messages.
Can you also try this on libsecp with all the features on + tests?
We can make secp256k1_memcmp, but is solving the issue for libsecp256k1 meaningful if we don't solve it for bitcoin?
Still nothing prevents reintroduction of memcmp other than diligence.
Let's keep this open to discuss how an accidental memcmp can be prevent.
CI could do a simple grep for the word memcmp in the source code?
For reference real-or-random posted a clang-query command at https://github.com/bitcoin-core/secp256k1/pull/825#issuecomment-703624238.
If there is some CI test it could check if any function outside of the library is called, except for whitelisted ones (memset, memcpy, malloc, and free, I believe), no? Maybe also make sure that malloc and free are only called via the wrapper functions. That might be useful independently of the memcmp concerns.
Hm, do we really want to restrict ourselves to a small list of standard library functions? I don't think the standard library is bad per se. Compiler bugs can happen everywhere, not only in calls to the standard library. Moreover, new calls are easily spotted in code review. I think memcmp is simply different because one needs to remember that memcmp is special.
If you want to give it a try:
clang-query src/secp256k1.c -c 'match callExpr(allOf(unless(isExpansionInSystemHeader()), callee(functionDecl(isExpansionInSystemHeader()))))'
This matches all calls to functions declared in system headers, unless the call itself happens in a system header.
If we are going to whitelist standard library functions, and I'm not arguing here that we should or shouldn't, one possible solution is to write our own header of standard library prototypes from our whitelist and disallow all system include files. That said I don't know how to enforce that system includes are disallowed.
That said I don't know how to enforce that system includes are disallowed.
-nostdinc :), the main problem is stdint.h, which we want to manage for us all the int types in different targets
As fanquake noted in https://github.com/bitcoin/bitcoin/issues/20005#issuecomment-1205264613, this is fixed in GCC 10.3 and above.