author Paul Eggert <eggert@cs.ucla.edu> 2022-08-22 12:07:27 -0700
committer Paul Eggert <eggert@cs.ucla.edu> 2022-08-22 13:10:41 -0700
commit 9ce573cde017182a69881241e8565ec04e5bc728
tree 62b319577340c4b3907ca0473a15670a99793ccf /modules
parent 8304617684ba7f71c36fcf49786d3b279dfbefc3
tempname: fix multithreading, ASLR leak etc.

Fix problems with tempname and multithreading, entropy loss, and missing clock data (this last on non-GNU platforms). See analysis by Bruno Haible in: https://bugs.gnu.org/57129#149

While looking into this, I noticed that tempname can leak info derived from ASLR into publicly-visible file names, which is a no-no. Fix that too.

* lib/tempname.c: Don't include stdalign.h.
(HAS_CLOCK_ENTROPY): Remove.
(mix_random_values): New function.
(random_bits): Use it. Args are now new value address and old value, and this function now returns a success indicator. Omit old USE_GETRANDOM argument: always try getrandom now, as there is no good reason not to now that GRND_NONBLOCK is used. Caller changed. Use CLOCK_REALTIME for ersatz entropy, as CLOCK_MONOTONIC doesn't work on some platforms. Also, mix in ersatz entropy from tv_sec and from clock ().
(try_tempname_len): Do not mix in ASLR-based entropy, as the result is published to the world and ASLR should be private. Do not try to use a static var as that has issues if multithreaded. Instead, simply generate new random bits. Worry about bias only with high-quality random bits.
* modules/tempname (Depends-on): Do not depend on stdalign.
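
The entropy handling the commit message describes (try getrandom with GRND_NONBLOCK, fall back to clock-derived values, keep address-derived data out of the name, reject biased values only for high-quality bits), as an added C sketch. It is not gnulib's code: the names `mix`, `sketch_random_bits` and `sketch_suffix`, the LCG constants, the alphabet and the 6-character suffix are assumptions, and it assumes a Linux/glibc system that provides `<sys/random.h>`.

```c
#define _GNU_SOURCE  /* expose getrandom and clock_gettime declarations */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <sys/random.h>

/* Constructed for this sketch: 62-character alphabet, 6-character suffix. */
static const char letters[] =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
enum { BASE = 62, SUFFIX_LEN = 6 };

/* Fold sample S into R with an ordinary 64-bit LCG step (assumed constants). */
static uint64_t mix(uint64_t r, uint64_t s)
{ return (2862933555777941757ULL * r + 3037000493ULL) ^ s; }

/* Store fresh bits in *r.  Returns true when they came from getrandom, false
   when they are clock-derived ersatz entropy.  No object or function address
   is mixed in, so nothing ASLR-derived can reach a published file name. */
static bool sketch_random_bits(uint64_t *r, uint64_t old)
{
  if (getrandom(r, sizeof *r, GRND_NONBLOCK) == (ssize_t) sizeof *r)
    return true;
  struct timespec tv = {0};
  clock_gettime(CLOCK_REALTIME, &tv);
  *r = mix(mix(mix(old, (uint64_t) tv.tv_sec), (uint64_t) tv.tv_nsec),
           (uint64_t) clock());
  return false;
}

/* Fill out[] with a NUL-terminated suffix; returns true if high quality.
   All state is local, so concurrent callers share nothing. */
static bool sketch_suffix(char out[SUFFIX_LEN + 1])
{
  const uint64_t unfair_min = UINT64_MAX - UINT64_MAX % 56800235584ULL; /* 62^6 */
  uint64_t v = 0;
  bool good;
  do  /* de-bias by rejection only while the bits are high quality */
    good = sketch_random_bits(&v, v);
  while (good && unfair_min <= v);
  for (int i = 0; i < SUFFIX_LEN; i++, v /= BASE)
    out[i] = letters[v % BASE];
  out[SUFFIX_LEN] = '\0';
  return good;
}
int main(void)
{
  char s[SUFFIX_LEN + 1];
  bool good = sketch_suffix(s);
  printf("tmp%s (%s)\n", s, good ? "getrandom" : "clock fallback");
  return 0;
}
```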
Diffstat (limited to 'modules')
-rw-r--r-- modules/tempname 1
1 files changed, 0 insertions, 1 deletions
diff --git a/modules/tempname b/modules/tempname
index 4779735d9d..f1fb78e8ff 100644
--- a/modules/tempname
+++ b/modules/tempname
@@ -16,7 +16,6 @@ getrandom
libc-config
lstat
mkdir
-stdalign
stdbool
stdint
sys_stat
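Review bot: Dropping `stdalign` from Depends-on at the `-stdalign` line is only correct if lib/tempname.c has no remaining use of stdalign.h facilities (`alignof`/`alignas`), and this view is limited to 'modules', so the matching lib/tempname.c change is not visible here and should be reviewed alongside it. The commit message says the include was removed; a grep of lib/tempname.c for `alignof` before merging would confirm that the dependency list and the source agree.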