[gnutls-devel] GnuTLS | doc: discourage use of gnutls_malloc/gnutls_free by applications (!2032)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Fri Oct 24 18:22:57 CEST 2025



Daniel P. Berrangé created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2032

Project:  gnutls/gnutls
Branches: berrange/gnutls:dep-malloc-free to gnutls/gnutls:master
Author:   Daniel P. Berrangé




* doc: discourage use of gnutls_malloc/gnutls_free by applications

Version 3.3.0 turned gnutls_global_set_mem_functions() into a no-op,
so the C library system allocator functions are guaranteed to always
be used.

For application code, this has turned gnutls_malloc & gnutls_free
into a trivial indirection to the C library malloc / free functions.

Unfortunately when an application is built with Control Flow Integrity
enabled, use of gnutls_malloc / gnutls_free may result in termination
of the program with SIGILL. We just hit this in QEMU, with our code
crashing when QEMU is built with CFI when we call gnutls_free().

The problem can be seen standalone with the following example:

```
$ cat g.c
#include <gnutls/gnutls.h>

/* gnutls_malloc / gnutls_free are libgnutls's exported allocator entry
 * points; since 3.3.0 they only ever reach the C library malloc / free. */
void foo(void) {
  gnutls_datum_t v;
  v.data = gnutls_malloc(10);
  gnutls_free(v.data);   /* the indirect call that traps under CFI */
}

int main(int argc, char **argv) {
  foo();
  return 0;
}
$ clang -fsanitize=cfi-icall  -flto -Wall -I /usr/include/gnutls -lgnutls -o g g.c
$ ./g
Illegal instruction (core dumped)
```

I've tested this on Fedora 42, but I would expect same results anywhere
with modern enough clang to support CFI.

In this initial patch I kept the references to gnutls_free/malloc as conditional
recommendations depending on the app's need for back compat with 3.3.0, and didn't
touch the example programs.

The 3.3.0 release of gnutls was 11 years ago now though. Given that long timeframe,
perhaps it is acceptable to entirely remove any reference to gnutls_free/malloc in
the public API docs now? Then likewise purge their usage in the example C programs
too, with plain free/malloc used instead.

Let me know if I should do that more comprehensive change....

## Checklist
 * [ ] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/2032
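The merge request only changes documentation; the application-side work it asks for is finding every `gnutls_malloc()` / `gnutls_free()` call site and replacing it with the libc call. The script below is an added example (not code from the merge request, GnuTLS or QEMU) that does that scan and rewrite over a small constructed source tree. The file names, the sample sources and the `--demo` flag are assumptions made here. The rewrite is only sound on GnuTLS 3.3.0 or later, where (as the description notes) the library is guaranteed to hand out memory from the C library allocator, so `free()` is the correct counterpart; the script limits itself to the two functions the merge request names.

```shell
#!/bin/sh
# Added example: not part of the GnuTLS merge request, GnuTLS itself or QEMU.
# Finds application call sites of gnutls_malloc() / gnutls_free() and rewrites
# them to plain malloc() / free().  Only safe on GnuTLS >= 3.3.0, where the
# library is guaranteed to use the C library allocator.  The sample tree below
# is constructed here; all file names are assumptions.
set -u

# Build a small constructed source tree to run the checks against and print
# its path.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/a.c" <<'EOF'
#include <gnutls/gnutls.h>
#include <stdlib.h>

static void use_datum(void) {
    gnutls_datum_t v;
    v.data = gnutls_malloc(10);
    gnutls_free(v.data);
}
EOF
    cat > "$dir/b.c" <<'EOF'
#include <gnutls/gnutls.h>
#include <stdlib.h>
/* gnutls_free() is only mentioned in this comment: not a call site */
void release(void *p) { free(p); }
EOF
    cat > "$dir/c.c" <<'EOF'
#include <gnutls/gnutls.h>
void clear_datum(gnutls_datum_t *d) { gnutls_free(d->data); d->data = NULL; }
EOF
    printf '%s\n' "$dir"
}

# Print every call site as file:line:text, skipping comment-only lines.
list_gnutls_alloc_calls() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE 'gnutls_(malloc|free)[[:space:]]*\(' /dev/null {} + \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*(/\*|\*|//)' || true
}

# Print the number of call sites under $1.
count_gnutls_alloc_calls() {
    list_gnutls_alloc_calls "$1" | wc -l | tr -d ' '
}

# Rewrite gnutls_malloc( -> malloc( and gnutls_free( -> free( in every file
# that has a call site and print the number of files rewritten.  Files that
# do not include <stdlib.h> are flagged on stderr so the include gets added.
migrate_gnutls_alloc_calls() {
    n=0
    for f in $(list_gnutls_alloc_calls "$1" | cut -d: -f1 | sort -u); do
        sed -E 's/(^|[^[:alnum:]_])gnutls_(malloc|free)([[:space:]]*\()/\1\2\3/g' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
        grep -q '^#include <stdlib.h>' "$f" \
            || echo "note: $f: add #include <stdlib.h> for malloc()/free()" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# Run against the constructed tree: sh migrate.sh --demo
if [ "${1-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "call sites before: $(count_gnutls_alloc_calls "$tree")"
    list_gnutls_alloc_calls "$tree"
    echo "files rewritten: $(migrate_gnutls_alloc_calls "$tree")"
    echo "call sites after: $(count_gnutls_alloc_calls "$tree")"
    rm -rf "$tree"
fi
```

On the constructed tree the scan reports three call sites (two in a.c, one in c.c; the comment in b.c is skipped), the rewrite touches two files and warns that c.c still needs `<stdlib.h>`, and a second scan finds nothing. The word-boundary guard in the sed expression keeps identifiers that merely end in `gnutls_free` untouched; review the diff before committing, since the script does not parse C and cannot tell a call from a string literal.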