Closed Bug 819775 Opened 12 years ago Closed 11 years ago

js_InitRandom: Don't use pointer values in seeding the random number generator

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox21 + fixed
firefox-esr10 --- wontfix
firefox-esr17 --- wontfix
b2g18 --- wontfix

People

(Reporter: jorendorff, Unassigned)

Details

(Keywords: sec-moderate, Whiteboard: [js:t][adv-main21+]) 

Follow-up to bug 811355.

We have this code (word-wrapped for bugzilla):
> void
> js_InitRandom(JSContext *cx)
> {
>     /*
>      * Set the seed from current time. Since we have a RNG per context and we
>      * often bring up several contexts at the same time, we xor in some
>      * additional values, namely the context and its successor. We don't just
>      * use the context because it might be possible to reverse engineer the
>      * context pointer if one guesses the time right.
>      */
>     random_setSeed(&cx->rngSeed,
>         (PRMJ_Now() / 1000) ^ int64_t(cx) ^ int64_t(cx->getNext()));
> }

cx->getNext() is always null here.

This is not exploitable by itself, but I'd be shocked if an attacker couldn't recover cx. sec-moderate.
What to do about it? It depends on the desired behavior.

Maybe all we're trying to avoid is opening a JS demo in four windows and having the random number stream be the same in all four; that is, avoid having the non-randomness be embarrassingly obvious. If that's the case, we can use rt->nonce++ instead of int64_t(cx).

If there is any security requirement at all, the weakest one I can think of is:

    Scripts in one domain should not be able to guess the RNG seed
    of a new window in another domain.

That is actually a reasonable property to consider providing. And we can file a separate bug in the clear for that, and land it, and it'll look like a general tightening-up rather than a fix for an existing issue.

(I don't know how to do it short of going to the OS for secure-random bits, at least once per runtime and more likely once per context. But that's an acceptable cost, right?)
Aside: The random number seed should be per-global (stored in JSCompartment) rather than per-context anyway.
Talked it over with decoder and settled on the rt->nonce++ approach.

Patch posted in bug 820180.
Whiteboard: [js:t]
Fixed in bug 820180.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [js:t] → [js:t][adv-main20+]
Whiteboard: [js:t][adv-main20+] → [js:t][adv-main21+]
Group: core-security
You need to log in before you can comment on or make changes to this bug.