Date: Sat, 2 Feb 2013 23:22:33 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] Add support for mkostemp, mkstemps and mkostemps

* Anthony G. Basile <basile@...nsource.dyc.edu> [2013-02-02 15:38:43 -0500]:
> 2. This is from uclibc.  Clearly, static is critical here, but still
> they never initialize a value of 'value' on first entry into the
> function, so that memory is dirty to start.  Mine is worse, but I
> wonder if this is still a bug there.
> 
> static void brain_damaged_fillrand(unsigned char *buf, unsigned int len)
> {
> 	...
>         static uint64_t value;
>         gettimeofday(&tv, NULL);
>         value += ((uint64_t) tv.tv_usec << 16) ^ tv.tv_sec ^ getpid();
> 	...

static variables are always initialized to 0

they use static so every call to that function
uses some entropy from the previous call
(in multithreaded code it may not work that way)


> 3. I retested your address approach.  I like it but it only maps to
> upper and lower case letters, no numbers which uclibc and glibc do.

yes i used 6*5 bit for the names, which makes sense: r is 32bits usually
(ie. that code can generate 2^30 different names)

uclibc/glibc can generate 62^6 names (about 2^36) which is a bit more
but not by much

> clock_gettime(CLOCK_REALTIME, &ts);
> r = ts.tv_nsec*65537 ^ (uintptr_t)&ts / 16 + (uintptr_t)template;
> for (i=0; i<6; i++, r>>=5)
> 	template[i] = 'A'+(r&15)+(r&16)*2;
> 
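
The two points in this reply (zero-initialized static state, and the 6*5-bit name mapping versus a 62-character alphabet), as an added example that is not part of the original message or of the musl or uclibc sources. The helper names `fill_suffix`, `decode_suffix`, `name_space` and `accumulate` are hypothetical, and the input values are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Mapping from the quoted snippet: each 5-bit group of r picks one of 32
 * characters; bit 4 adds 32 to the ASCII code, turning A-P into a-p. */
static void fill_suffix(char s[6], uint32_t r)
{
    for (int i = 0; i < 6; i++, r >>= 5)
        s[i] = 'A' + (r & 15) + (r & 16) * 2;
}

/* Inverse mapping: recovers the 30 bits consumed, so names are one-to-one. */
static uint32_t decode_suffix(const char s[6])
{
    uint32_t r = 0;
    for (int i = 5; i >= 0; i--) {
        uint32_t c = (unsigned char)s[i] - 'A';
        r = r << 5 | (c & 15) | (c & 32) >> 1;
    }
    return r;
}

/* Number of distinct suffixes of length len over base characters. */
static uint64_t name_space(uint64_t base, int len)
{
    uint64_t n = 1;
    while (len-- > 0)
        n *= base;
    return n;
}

/* Static storage starts at zero; each call builds on the previous one. */
static uint64_t accumulate(uint64_t sample)
{
    static uint64_t value;
    value += sample;
    return value;
}

int main(void)
{
    char s[7] = {0};
    fill_suffix(s, 0xdeadbeefu);   /* constructed sample value */
    printf("%s decodes to %#x\n", s, (unsigned)decode_suffix(s));
    printf("names: %llu vs %llu\n", (unsigned long long)name_space(32, 6),
           (unsigned long long)name_space(62, 6));
    unsigned long long first = accumulate(5), second = accumulate(7);
    printf("accumulate: %llu then %llu\n", first, second);
    return 0;
}
```

The round trip drops the top two bits of a 32-bit `r`, which is why the mapping yields 2^30 names rather than 2^32.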
