From: "Theo de Raadt"
To: Alejandro Colomar
cc: otto@cvs.openbsd.org, djm@cvs.openbsd.org, libc-alpha@sourceware.org,
    Alejandro Colomar, Theo de Raadt, "Todd C . Miller",
    "Jason A. Donenfeld", Cristian Rodríguez, Adhemerval Zanella,
    Yann Droneaud, Joseph Myers, Serge Hallyn, Iker Pedrosa
Subject: Re: [PATCH] Give a useful meaning to arc4random_uniform(0);
In-reply-to: <23022d82-6573-42bd-ea19-d050ebe08ff5@gmail.com>
References: <20221231023653.41877-1-alx@kernel.org>
    <5084.1672476619@cvs.openbsd.org> <78070.1672476692@cvs.openbsd.org>
    <23022d82-6573-42bd-ea19-d050ebe08ff5@gmail.com>
Comments: In-reply-to Alejandro Colomar message dated
    "Sat, 31 Dec 2022 16:59:46 +0100."
Date: Sun, 01 Jan 2023 01:41:45 -0700
Message-ID: <2720.1672562505@cvs.openbsd.org>

Alejandro Colomar wrote:

> Hi Theo,
>
> On 12/31/22 16:13, Alejandro Colomar wrote:
> > Hi Theo,
> > On 12/31/22 15:56, Alejandro Colomar wrote:
> >>>
> >>> I do not like your proposal at all.  A function like arc4random_range()
> >>> is even more likely to be used wrong by passing backwards points
> >>> and you seem to have a lot of hubris to add a range check to it.
> > I didn't understand the entire sentence, since I'm not a native
> > English speaker.  Sorry for that.  About adding a range check, I'm
> > not against it.  But what to do in that case?  abort()?  I don't see
> > anything significantly better?  In the Linux kernel, they used
> > something BUILD_BUG, but I don't know those macros very much.
> > I'm really open to discussion about what would be the best behavior
> > when max < min.
>
> Since there's no obvious thing to do when the bounds are reversed
> (some may want to abort(); others may prefer to set errno?; others may
> just want to ignore the possibility...
>
> I tried to understand what it does with the obvious implementation:
>
>
> > Alejandro Colomar wrote:
> >> uint32_t
> >> arc4random_range(uint32_t min, uint32_t max)
> >> {
> >>     return arc4random_uniform(max - min + 1) + min;
> >> }
>
> Well, let's substitute with some actual values:
>
>     arc4random_range(7, 4);
>
> This will result in:
>
>     arc4random_uniform(4 - 7 + 1) + 7;
>
> which evaluates to:
>
>     arc4random_uniform(-2) + 7;
>
> and is equivalent to:
>
>     arc4random_uniform(UINT32_MAX - 1) + 7;
>
> Let's first ignore the +7.  The arc4random_uniform(UINT32_MAX - 1)
> call can generate 2^32 - 2 random numbers.  By offsetting to 7, the 2
> values that are excluded are 6 and 5.
>
> So it seems that a reversed call to arc4random_range(min, max) has an
> interesting property: it generates random numbers outside of the
> non-inclusive range (min, max), that is the complementary set of
> numbers that arc4random(max, min) would produce.
>
> If properly documented, it's not a bad behavior.

With that quality of reasoning, there are only two possible conclusions
about why this email thread is happening.  I thought these conclusions
were original, but others privately made these suggestions also:

1. you are trolling us
2. you are not sufficiently intelligent to be permitted near a C compiler.

I cannot think of a third option.

I am going to give you the benefit of the doubt and select option 1, and
trolls are dealt with by calling them trolls, and then never replying
again.

Bye.
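
The unsigned wraparound walked through in the quoted text for arc4random_range(7, 4), as an added C example that is not part of the original message or of any libc. The names range_bound, range_can_return, range_checked and stub_uniform are hypothetical; stub_uniform is a constructed, deterministic stand-in for arc4random_uniform so the block builds where that function is unavailable.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bound the quoted arc4random_range() passes on. Unsigned: wraps mod 2^32. */
static uint32_t range_bound(uint32_t min, uint32_t max)
{
    return max - min + 1;
}

/* True if v can result from uniform(bound) + min, with uniform(bound)
 * in [0, bound) for bound >= 1. The final addition wraps mod 2^32 too. */
static bool range_can_return(uint32_t min, uint32_t max, uint32_t v)
{
    return (uint32_t)(v - min) < range_bound(min, max);
}

/* Constructed stand-in for arc4random_uniform(): always the largest value. */
static uint32_t stub_uniform(uint32_t bound)
{
    return bound - 1;
}

/* Hypothetical checked wrapper: reports reversed bounds to the caller
 * (one of the options raised in the thread) instead of wrapping. */
static int range_checked(uint32_t min, uint32_t max,
                         uint32_t (*uniform)(uint32_t), uint32_t *out)
{
    if (max < min)
        return -1;                      /* reversed bounds */
    if (max - min == UINT32_MAX)
        return -1;                      /* bound would wrap to 0 */
    *out = uniform(max - min + 1) + min;
    return 0;
}

int main(void)
{
    uint32_t r;

    printf("bound for (7, 4): %" PRIu32 "\n", range_bound(7, 4));
    for (uint32_t v = 3; v <= 8; v++)
        printf("%" PRIu32 ": %s\n", v,
               range_can_return(7, 4, v) ? "reachable" : "excluded");
    printf("checked (7, 4): %d\n", range_checked(7, 4, stub_uniform, &r));
    return 0;
}
```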