From: Rich Felker <dalias@libc.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: musl@lists.openwall.com
Subject: Re: arc4random/csprng
Date: Wed, 4 Jul 2018 11:13:03 -0400 [thread overview]
Message-ID: <20180704151303.GR1392@brightrain.aerifal.cx> (raw)
In-Reply-To: <04c54490-5d2f-0690-cbca-96326b0e338e@redhat.com>
On Wed, Jul 04, 2018 at 01:36:00PM +0200, Florian Weimer wrote:
> On 07/03/2018 05:17 PM, Rich Felker wrote:
>
> >>But it's still quite common to do things with direct system calls,
> >>particularly for setting up containers.
> >>
> >>I have not yet found a case which I couldn't solve with plain fork
> >>(with handlers) and unshare, but that's not what everyone does
> >>unfortunately.
> >
> >I agree you might need direct use of clone sometime for
> >namespace/container stuff, but I don't think there's any way it can be
> >made safe without careful consideration of what you do after the
> >operation before a subsequent execve or _exit. I don't think it makes
> >sense to design big machinery to support doing something that has
> >deeper reasons it can't work, but this is probably partly a difference
> >in philosophy between glibc and musl (see also: dlclose, lazy dtls,
> >lazy tlsdesc, ...).
>
> I would suggest to keep at least the fork detection bit, even if you
> do not reseed and deadlock or abort instead, because the duplicate
> stream of random bits could be very hard to detect otherwise.
I don't want, and I don't think others will want, musl to be
unconditionally mmapping extra memory in every process for the sake of
safely handling programs doing invalid/unsupported hacks. What might
be acceptable is something like, at stirring time, doing:
if (__syscall(SYS_gettid)!=self->tid) a_crash();
Another idea is adding to syscall.c (public syscall() function)
something like:
if (n==SYS_fork || n==SYS_clone) flag=1;
and in the csprng:
if (flag) a_crash();
or just:
if (n==SYS_fork || n==SYS_clone)
return __syscall_ret(-EINVAL);
In any case, the public clone() function, which should be valid to use
in a limited sense if we're offering it at all, should also be
reviewed for safety (not specific to csprng issues) and for what
properties we want to guarantee/support, like whether it's valid to do
non-AS-safe stuff after a fork-like clone in a single-threaded
process. The above flag idea may be a useful tool in this -- by
actively storing knowledge that a type of fork/clone that leaves the
process in an async signal context has taken place, we could trap a
lot of UB in the child.
Rich
next prev parent reply other threads:[~2018-07-04 15:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-02 20:39 arc4random/csprng Rich Felker
2018-07-03 13:36 ` arc4random/csprng Florian Weimer
2018-07-03 14:47 ` arc4random/csprng Rich Felker
2018-07-03 15:08 ` arc4random/csprng Florian Weimer
2018-07-03 15:17 ` arc4random/csprng Rich Felker
2018-07-04 11:36 ` arc4random/csprng Florian Weimer
2018-07-04 15:13 ` Rich Felker [this message]
2018-07-03 14:18 ` arc4random/csprng Luca Barbato
2018-07-03 14:49 ` arc4random/csprng Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180704151303.GR1392@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=fweimer@redhat.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).