This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH v9] Add getentropy, getrandom, <sys/random.h> [BZ #17252]


On 12/06/2016 07:42 PM, Zack Weinberg wrote:

> I should probably explain why I think the mangled names may be an
> actively *bad* idea; I wouldn't be making so much of a fuss over it
> otherwise.

Thanks.

> The most direct reason is that it interferes with code that seeks
> *intentionally* to interpose symbols.  There are good reasons to
> intercept calls to the system RNG: for instance, a test harness might
> want to sub in a broken implementation to confirm that the error
> handling works, another kind of test harness might want to fix the
> random seed for reproducibility, and if we ever need to stop using the
> kernel's RNG in a hurry, LD_PRELOAD will be the fastest way to go about
> it.  There *probably* isn't any existing code *for Linux* that
> intentionally interposes functions that currently don't exist in glibc,
> but there could be such code for one of the BSDs and maybe someone is
> just waiting for us to pick up getentropy/getrandom before they port it.

I see your point, but with the original patch with mangling, you had to interpose __libc_getrandom and getrandom. With the current patch (if we remove mangling), you still have to interpose getrandom and getentropy. If we add arc4random, you will have to interpose that as well. And so on.

What I'm trying to say is that it's far from obvious what you need to interpose to get the desired effect, and that, with or without name mangling, some work is required to obtain the relevant set of symbols.

> A more abstract reason is that, as discussed elsewhere, I think the
> problem (to the extent I do understand it) would be better addressed
> with an across-the-board change to linker semantics, and if we're going
> to do that, it doesn't make sense to put in stopgaps that we will then
> be stuck with forever (even if just as compatibility aliases).

I already explained why we cannot fix this in the linker. We need to put *something* in the header, too. At that point, we can just use name mangling, which is supported by the toolchain, today.

> Having said that, if someone does do an archive rebuild and finds a
> concrete case where existing code _will_ generate a bad unintentional
> interposition of either getentropy or getrandom, then the security
> implications would swing me in favor of going ahead and doing the
> REDIRECTs, since it is the only solution we've got at the moment and we
> do want these functions in 2.25.

If we put this in soon (without mangling), I can probably finish a test mass rebuild of Fedora before the 2.25 release. This should give us some data.

Thanks,
Florian

