1228571 - random_generateSeed leaves seed uninitialized when opening /dev/urandom fails

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jan de Mooij [:jandem]]

If we can't open /dev/urandom, we used to have a fallback path that used PRMJ_Now(). Bug 1206596 refactored this function and now we do nothing if we can't open /dev/urandom.

This only affects Linux (on Windows, OS X, Android and the BSDs we don't use /dev/urandom but rand_s or arc4random).

Filing this s-s just to be sure. In theory Math.random() should not be used near anything security-related but who knows.

Comment 1

[Andrew McCreight [:mccr8]]

I don't think we're really making any guarantees about Math.random() so I'll just mark it sec-other. It could be unhidden, even.

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

Use PRMJ_Now() if we couldn't read from /dev/urandom. This matches what we did before.

Comment 3

[Jan de Mooij [:jandem]]

(In reply to Andrew McCreight [:mccr8] from comment #1)
> I don't think we're really making any guarantees about Math.random() so I'll
> just mark it sec-other. It could be unhidden, even.

Yeah I guess I was overly cautious.

Comment 4

[Chris Peterson [:cpeterson]]

Comment on attachment 8696510 [details] [diff] [review]
Patch

Review of attachment 8696510 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM. I was literally hacking on this issue today as part of a fix for bug 1167248, a Windows crash in this function. :)

(In reply to Andrew McCreight [:mccr8] from comment #1)
> I don't think we're really making any guarantees about Math.random() so I'll
> just mark it sec-other.

True, though this C++ function is used for more than just Math.random(). In particular, it is also used to seed ExecutableAllocator::computeRandomAllocationAddress() for JIT VirtualAllocs on Windows. But making this bug public is OK.

Comment 5

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/6d8e9838e366

Comment 6

[Jan de Mooij [:jandem]]

Comment on attachment 8696510 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/regressing bug #]: Bug 1206596.
[User impact if declined]: Bogus Math.random() results if /dev/urandom is not available somehow. Broken websites.
[Describe test coverage new/current, TreeHerder]: NA
[Risks and why]: Very low risk.
[String/UUID change made/needed]: None.

Comment 7

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/6d8e9838e366

Comment 8

[Sylvestre Ledru [:Sylvestre]]

Comment on attachment 8696510 [details] [diff] [review]
Patch

Sure, let's take that in 45.

Comment 9

[Jan de Mooij [:jandem]]

(In reply to Sylvestre Ledru [:sylvestre] from comment #8)
> Sure, let's take that in 45.

Well when I requested approval 2 weeks ago Aurora was still 44, so it was meant for that release :)

Comment 10

[Sylvestre Ledru [:Sylvestre]]

Comment on attachment 8696510 [details] [diff] [review]
Patch

[Triage Comment]

You mean beta I guess:)

Comment 11

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

This doesn't apply cleanly to beta. Can we get a rebased patch if this needs to land there?

Comment 12

[Jan de Mooij [:jandem]]

(In reply to Wes Kocher (:KWierso) (On vacation until Dec 28) from comment #11)
> This doesn't apply cleanly to beta. Can we get a rebased patch if this needs
> to land there?

Pushed it:

https://hg.mozilla.org/releases/mozilla-beta/rev/7bd6d6fd32da

Comment 13

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/7bd6d6fd32da