From: Taylor Blau <me@ttaylorr.com>
To: Jeff King <peff@peff.net>
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>, git@vger.kernel.org
Subject: Re: [PATCH 2/2] wrapper: use a CSPRNG to generate random file names
Date: Tue, 16 Nov 2021 13:28:44 -0500 [thread overview]
Message-ID: <YZP4XDtF7O7Sxh17@nand.local> (raw)
In-Reply-To: <YZPQE+SKVXjexXMT@coredump.intra.peff.net>
On Tue, Nov 16, 2021 at 10:36:51AM -0500, Jeff King wrote:
> On Tue, Nov 16, 2021 at 03:35:42AM +0000, brian m. carlson wrote:
>
> > The current way we generate random file names is by taking the seconds
> > and microseconds, plus the PID, and mixing them together, then encoding
> > them. If this fails, we increment the value by 7777, and try again up
> > to TMP_MAX times.
> >
> > Unfortunately, this is not the best idea from a security perspective.
> > If we're writing into TMPDIR, an attacker can guess these values easily
> > and prevent us from creating any temporary files at all by creating them
> > all first. POSIX only requires TMP_MAX to be 25, so this is achievable
> > in some contexts, even if unlikely to occur in practice.
>
> I think we unconditionally define TMP_MAX as 16384. I don't think that
> changes the fundamental issue that somebody could race us and win,
> though.
Yes, we do. Right above the declaration of this function (and so hidden
from the context) we do:
#undef TMP_MAX
#define TMP_MAX 16384
I don't think that the value of TMP_MAX makes this substantially less
likely, so I agree that the fundamental issue is the same.
> > @@ -485,12 +483,13 @@ int git_mkstemps_mode(char *pattern, int suffix_len, int mode)
> > * Replace pattern's XXXXXX characters with randomness.
> > * Try TMP_MAX different filenames.
> > */
> > - gettimeofday(&tv, NULL);
> > - value = ((uint64_t)tv.tv_usec << 16) ^ tv.tv_sec ^ getpid();
> > filename_template = &pattern[len - num_x - suffix_len];
> > for (count = 0; count < TMP_MAX; ++count) {
> > - uint64_t v = value;
> > int i;
> > + uint64_t v;
> > + if (csprng_bytes(&v, sizeof(v)) < 0)
> > + return -1;
>
> If csprng_bytes() fail, the resulting errno is likely to be confusing.
> E.g., if /dev/urandom doesn't exist we'd get ENOENT. But the caller is
> likely to say something like:
>
> error: unable to create temporary file: no such file or directory
>
> which is misleading. It's probably worth doing:
>
> return error_errno("unable to get random bytes for temporary file");
>
> or similar here. That's verbose on top of the error that the caller will
> give, but this is something we don't expect to fail in practice.
>
> I actually wonder if we should simply die() in such a case. That's not
> very friendly from a libification stand-point, but we really can't
> progress on much without being able to generate random bytes.
Alternatively, we could fall back to the existing code paths. This is
somewhat connected to my suggestion to Randall earlier in the thread.
But I would rather see that fallback done at compile-time for platforms
that don't give us an easy-to-use CSPRNG, and avoid masking legitimate
errors caused from trying to use a CSPRNG that should exist.
Thanks,
Taylor
next prev parent reply other threads:[~2021-11-16 18:29 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-16 3:35 [PATCH 0/2] Generate temporary files using a CSPRNG brian m. carlson
2021-11-16 3:35 ` [PATCH 1/2] wrapper: add a helper to generate numbers from " brian m. carlson
2021-11-16 15:31 ` Jeff King
2021-11-16 16:01 ` rsbecker
2021-11-16 18:22 ` Taylor Blau
2021-11-16 19:58 ` rsbecker
2021-11-16 22:41 ` brian m. carlson
2021-11-16 23:20 ` rsbecker
2021-11-17 0:47 ` Carlo Arenas
2021-11-17 3:05 ` rsbecker
2021-11-17 1:03 ` brian m. carlson
2021-11-17 1:50 ` Carlo Arenas
2021-11-17 3:04 ` Jeff King
2021-11-17 3:12 ` rsbecker
2021-11-17 3:36 ` Carlo Arenas
2021-11-17 20:01 ` Jeff King
2021-11-17 20:19 ` rsbecker
2021-11-17 23:30 ` brian m. carlson
2021-11-17 23:34 ` rsbecker
2021-11-17 3:03 ` rsbecker
2021-11-17 7:39 ` Junio C Hamano
2021-11-17 23:01 ` brian m. carlson
2021-11-18 7:19 ` Junio C Hamano
2021-11-18 22:16 ` brian m. carlson
2021-11-22 9:10 ` Junio C Hamano
2021-11-16 3:35 ` [PATCH 2/2] wrapper: use a CSPRNG to generate random file names brian m. carlson
2021-11-16 15:36 ` Jeff King
2021-11-16 18:28 ` Taylor Blau [this message]
2021-11-16 18:57 ` Junio C Hamano
2021-11-16 19:21 ` Jeff King
2021-11-16 19:33 ` Taylor Blau
2021-11-16 15:44 ` [PATCH 0/2] Generate temporary files using a CSPRNG Jeff King
2021-11-16 22:17 ` brian m. carlson
2021-11-16 22:29 ` rsbecker
2021-11-16 20:35 ` Ævar Arnfjörð Bjarmason
2021-11-16 21:06 ` Jeff King
2021-11-17 8:36 ` Ævar Arnfjörð Bjarmason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YZP4XDtF7O7Sxh17@nand.local \
--to=me@ttaylorr.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).