From: Alejandro Colomar <alx.manpages@gmail.com>
To: Damien Miller <djm@mindrot.org>, Theo de Raadt <deraadt@openbsd.org>
Cc: libc-alpha@sourceware.org, "Alejandro Colomar" <alx@kernel.org>,
"Theo de Raadt" <deraadt@theos.com>,
"Todd C . Miller" <Todd.Miller@sudo.ws>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Cristian Rodríguez" <crrodriguez@opensuse.org>,
"Adhemerval Zanella" <adhemerval.zanella@linaro.org>,
"Yann Droneaud" <ydroneaud@opteya.com>,
"Joseph Myers" <joseph@codesourcery.com>,
otto@cvs.openbsd.org
Subject: Re: [PATCH] Give a useful meaning to arc4random_uniform(0);
Date: Sun, 1 Jan 2023 00:58:01 +0100 [thread overview]
Message-ID: <55ecb133-a9c4-e36e-7202-69fceaaf49b4@gmail.com> (raw)
In-Reply-To: <d7dc8d77-bc6a-56cb-884b-f482799aed9a@mindrot.org>
[-- Attachment #1.1: Type: text/plain, Size: 2485 bytes --]
Hello Damien,
On 1/1/23 00:07, Damien Miller wrote:
> On Sat, 31 Dec 2022, Theo de Raadt wrote:
>
>> Also, right now an (incorrect?) call of arc4random_uniform(0)
>> will return 0, but with your proposal it will return a non-zero
>> number. Have you audited the entire universe of software to
>> ensure that your change doesn't introduce a bug in some other
>> piece of software? I doubt you did that. Very unprofessional
>> of you to not study the impact and just wave the issue away.
>>
>> I think Special-casing the value of 0 to mean something new
>> and undocumented behaviour makes no sense. It is even potentially
>> undocumentable.
>
> I agree - specifying a zero upper-bound is numerically nonsensical,
> and could often be the result of a bug in the caller.
>
> Changing it is likely to break code like this in a plausibly exploitable
> way:
>
> elem_t *random_elem(elem_t **elems, size_t nelems) {
> return elems[arc4random_uniform(nelems)];
> }
The above code is already broken. In case nelems is 0, the array has exactly 0
elements, so the pointer &elems[0] is a pointer to one-past-the-last element.
It is legal to hold such a pointer, but not to dereference it (I guess I don't
need to quote the standard here).
Such a pointer dereference *is dangerous*, and *is very-likely exploitable*.
Having a random 32-bit number instead is likely to be a pointer addressing an
invalid memory address, and result in a crash. And crashes are good, right?
Changing the behavior of arc4random_uniform() wouldn't make this code more
broken, but rather uncover the bug in it.
>
> Therefore IMO the only safe return from arc4random_uniform(0) is 0.
I'd argue it's the opposite. 0 is the most unsafe value it can return in such a
case, since it's the least likely to result in a crash. The Undefined Behavior
is invoked, and in a way that is likely to modify memory that is available to
the process.
42 would be a better value.
An even better value would be UINT32_MAX, which would almost-certainly guarantee
a crash everywhere.
However, it makes more sense to just let it be an unbounded random value, which
will likely result in the same crashes as with UINT32_MAX, but would be more
useful for other purposes.
>
> That changing make it fractionally simpler to implement one particular
> wrapper doesn't IMO justify it.
>
> -d
Cheers,
Alex
--
<http://www.alejandro-colomar.es/>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2022-12-31 23:58 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-31 2:36 Alejandro Colomar
2022-12-31 2:48 ` Alejandro Colomar
2022-12-31 2:57 ` Jason A. Donenfeld
2022-12-31 13:39 ` Alejandro Colomar
2022-12-31 8:50 ` Theo de Raadt
2022-12-31 8:51 ` Theo de Raadt
2022-12-31 14:56 ` Alejandro Colomar
2022-12-31 15:13 ` Alejandro Colomar
2022-12-31 15:17 ` Alejandro Colomar
2022-12-31 15:59 ` Alejandro Colomar
2022-12-31 16:03 ` Alejandro Colomar
2023-01-01 8:41 ` Theo de Raadt
2022-12-31 23:07 ` Damien Miller
2022-12-31 23:58 ` Alejandro Colomar [this message]
2023-01-01 7:48 ` Ariadne Conill
2023-01-01 9:21 ` Otto Moerbeek
2023-01-01 14:05 ` Alejandro Colomar
2023-01-01 8:34 ` Theo de Raadt
2023-01-01 21:37 ` Arsen Arsenović
2023-01-01 23:50 ` Alejandro Colomar
2023-01-02 0:02 ` Arsen Arsenović
2023-01-02 11:24 ` Alejandro Colomar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55ecb133-a9c4-e36e-7202-69fceaaf49b4@gmail.com \
--to=alx.manpages@gmail.com \
--cc=Jason@zx2c4.com \
--cc=Todd.Miller@sudo.ws \
--cc=adhemerval.zanella@linaro.org \
--cc=alx@kernel.org \
--cc=crrodriguez@opensuse.org \
--cc=deraadt@openbsd.org \
--cc=deraadt@theos.com \
--cc=djm@mindrot.org \
--cc=joseph@codesourcery.com \
--cc=libc-alpha@sourceware.org \
--cc=otto@cvs.openbsd.org \
--cc=ydroneaud@opteya.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).