GNU bug report logs - #13768
--without-posix code uses scm_getpid() in libguile-2.0.2
Reported by: Jan Schukat <shookie <at> email.de>
Date: Tue, 19 Feb 2013 23:42:01 UTC
Severity: normal
Done: Mark H Weaver <mhw <at> netris.org>
Bug is archived. No further changes may be made.
Report forwarded to bug-guile <at> gnu.org: bug#13768; Package guile. (Tue, 19 Feb 2013 23:42:01 GMT)
Acknowledgement sent to Jan Schukat <shookie <at> email.de>: New bug report received and forwarded. Copy sent to bug-guile <at> gnu.org. (Tue, 19 Feb 2013 23:42:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
I'm experimenting a little with statically linking a minimal build of
libguile. So while no one really would want to build it with
--without-posix (except when you want the same functionality on all
platforms including Windows in your program), and this is a low priority
bug and I can easily fix it myself for my purposes, it is still a bug.
What happens is, in random.c in random_state_of_last_resort on line 668
scm_getpid is used to seed the random generator. So either a
preprocessor switch or a hand constructed scm like in scm_getpid
(scm_from_ulong(getpid())) should be used there.
Regards
Reply sent to Andy Wingo <wingo <at> pobox.com>: You have taken responsibility. (Sun, 24 Feb 2013 19:24:01 GMT)
Notification sent to Jan Schukat <shookie <at> email.de>: bug acknowledged by developer. (Sun, 24 Feb 2013 19:24:02 GMT)
Message #10 received at 13768-done <at> debbugs.gnu.org (full text, mbox):
On Wed 20 Feb 2013 00:38, Jan Schukat <shookie <at> email.de> writes:
> What happens is, in random.c in random_state_of_last_resort on line 668
> scm_getpid is used to seed the random generator. So either a
> preprocessor switch or a hand constructed scm like in scm_getpid
> (scm_from_ulong(getpid())) should be used there.
Fixed, thanks for the report.
Andy
--
http://wingolog.org/
Information forwarded to bug-guile <at> gnu.org: bug#13768; Package guile. (Mon, 25 Feb 2013 01:21:01 GMT)
Message #13 received at 13768 <at> debbugs.gnu.org (full text, mbox):
reopen 13768
thanks
Andy Wingo <wingo <at> pobox.com> writes:
> On Wed 20 Feb 2013 00:38, Jan Schukat <shookie <at> email.de> writes:
>
>> What happens is, in random.c in random_state_of_last_resort on line 668
>> scm_getpid is used to seed the random generator. So either a
>> preprocessor switch or a hand constructed scm like in scm_getpid
>> (scm_from_ulong(getpid())) should be used there.
>
> Fixed, thanks for the report.
This has potential security implications. If the same program is run
multiple times in the same second, then without something like a PID,
there's a significant danger that two runs of the program will use the
same random seed.
Therefore, I think we ought to try hard to ensure that something like a
PID will always be included in this seed. Perhaps 'scm_getpid' should
be included even when building --without-posix.
At the very least, the documentation (which currently claims that the
PID is included in the random-state-of-last-resort) should be adjusted
to reflect the new reality. I just took care of that.
Thanks,
Mark
Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 25 Feb 2013 01:32:01 GMT)
Information forwarded to bug-guile <at> gnu.org: bug#13768; Package guile. (Mon, 25 Feb 2013 09:09:01 GMT)
Message #18 received at 13768 <at> debbugs.gnu.org (full text, mbox):
On Mon 25 Feb 2013 02:17, Mark H Weaver <mhw <at> netris.org> writes:
> Andy Wingo <wingo <at> pobox.com> writes:
>
>> On Wed 20 Feb 2013 00:38, Jan Schukat <shookie <at> email.de> writes:
>>
>>> What happens is, in random.c in random_state_of_last_resort on line 668
>>> scm_getpid is used to seed the random generator. So either a
>>> preprocessor switch or a hand constructed scm like in scm_getpid
>>> (scm_from_ulong(getpid())) should be used there.
>>
>> Fixed, thanks for the report.
>
> This has potential security implications. If the same program is run
> multiple times in the same second, then without something like a PID,
> there's a significant danger that two runs of the program will use the
> same random seed.
Our PRNG is not secure. We should not be making arguments from the
perspective of security. (I think including the PID is a good thing,
but not because of security.)
> Therefore, I think we ought to try hard to ensure that something like a
> PID will always be included in this seed. Perhaps 'scm_getpid' should
> be included even when building --without-posix.
Why don't we just add the result of getpid() without relying on the
scm_getpid() binding. All platforms have it.
> At the very least, the documentation (which currently claims that the
> PID is included in the random-state-of-last-resort) should be adjusted
> to reflect the new reality. I just took care of that.
Thanks for following up. TBH though I would prefer that if you already
know the solution, to go ahead and fix it instead of writing a mail and
fixing the docs. Much easier on users (and developers :) if Guile just
does the right thing.
Andy
--
http://wingolog.org/
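An added example, not part of the thread or of Guile's source: a sketch of the seeding concern discussed above, comparing a seed taken from the wall-clock second alone with one that also mixes in getpid(). The mixer `mix64`, the function names and the sample runs are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>   /* getpid(); the thread notes MinGW provides it too */

/* Hypothetical mixer (splitmix64 finalizer), not Guile's seeding code.
   It is a bijection on 64-bit values, so distinct inputs give distinct seeds. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Seed from the clock alone: every process started in the same second matches. */
uint64_t seed_time_only(uint64_t sec) { return mix64(sec); }

/* Seed from clock and PID. sec fits in 32 bits until 2106, so each
   (sec, pid) pair maps to a unique mixer input. */
uint64_t seed_time_pid(uint64_t sec, uint32_t pid) {
    return mix64(sec ^ ((uint64_t)pid << 32));
}

struct run { uint64_t sec; uint32_t pid; };

/* Constructed sample: three launches in one second, two in the next. */
static const struct run SAMPLE_RUNS[] = {
    {1361750000ULL, 4101}, {1361750000ULL, 4102}, {1361750000ULL, 4103},
    {1361750001ULL, 4104}, {1361750001ULL, 4105},
};

/* Count pairs of runs that would start from an identical seed. */
size_t colliding_pairs(const struct run *r, size_t n, int use_pid) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            uint64_t a = use_pid ? seed_time_pid(r[i].sec, r[i].pid) : seed_time_only(r[i].sec);
            uint64_t b = use_pid ? seed_time_pid(r[j].sec, r[j].pid) : seed_time_only(r[j].sec);
            hits += (a == b);
        }
    return hits;
}

int main(void) {
    size_t n = sizeof SAMPLE_RUNS / sizeof SAMPLE_RUNS[0];
    printf("time only:  %zu colliding pairs\n", colliding_pairs(SAMPLE_RUNS, n, 0));
    printf("time + pid: %zu colliding pairs\n", colliding_pairs(SAMPLE_RUNS, n, 1));
    printf("this process: %016llx\n",
           (unsigned long long)seed_time_pid((uint64_t)time(NULL), (uint32_t)getpid()));
    return 0;
}
```

As the thread points out, the PRNG being seeded is not a secure one; mixing in the PID only keeps runs started in the same second from repeating each other's sequence.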
Reply sent to Mark H Weaver <mhw <at> netris.org>: You have taken responsibility. (Mon, 25 Feb 2013 19:01:01 GMT)
Notification sent to Jan Schukat <shookie <at> email.de>: bug acknowledged by developer. (Mon, 25 Feb 2013 19:01:01 GMT)
Message #23 received at 13768-done <at> debbugs.gnu.org (full text, mbox):
Hi Andy,
Andy Wingo <wingo <at> pobox.com> writes:
> Our PRNG is not secure. We should not be making arguments from the
> perspective of security. (I think including the PID is a good thing,
> but not because of security.)
Indeed, point well taken.
> Why don't we just add the result of getpid() without relying on the
> scm_getpid() binding. All platforms have it.
Ah, good! I didn't know that getpid() was available on MinGW.
> Thanks for following up. TBH though I would prefer that if you already
> know the solution, to go ahead and fix it instead of writing a mail and
> fixing the docs.
Agreed. I didn't know the solution until just now. I have done as you
suggested above, and am now closing this bug.
Thanks,
Mark
Information forwarded to bug-guile <at> gnu.org: bug#13768; Package guile. (Mon, 25 Feb 2013 20:42:01 GMT)
Message #26 received at 13768-done <at> debbugs.gnu.org (full text, mbox):
On Mon 25 Feb 2013 19:58, Mark H Weaver <mhw <at> netris.org> writes:
>> Why don't we just add the result of getpid() without relying on the
>> scm_getpid() binding. All platforms have it.
>
> Ah, good! I didn't know that getpid() was available on MinGW.
>
>> Thanks for following up. TBH though I would prefer that if you already
>> know the solution, to go ahead and fix it instead of writing a mail and
>> fixing the docs.
>
> Agreed. I didn't know the solution until just now. I have done as you
> suggested above, and am now closing this bug.
Super, thank you!
FWIW, --disable-posix has two uses. One is to work around compilation
failures, and the other is to decrease the "interface size" of Guile.
But sometimes they are a bit entangled, which is the case for scm_getpid
that might get removed when you're just looking to get around some
compilation failure.
Cheers,
Andy
--
http://wingolog.org/
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 26 Mar 2013 11:24:03 GMT)