File: git-getrandom-chroot.diff

package info (click to toggle)
glibc 2.36-9%2Bdeb12u13
  • links: PTS, VCS
  • area: main
  • in suites: bookworm, bookworm-proposed-updates
  • size: 300,148 kB
  • sloc: ansic: 1,055,755; asm: 324,942; makefile: 15,198; python: 12,603; sh: 10,884; cpp: 5,685; awk: 1,883; perl: 518; yacc: 292; pascal: 182; sed: 39
file content (209 lines) | stat: -rw-r--r-- 6,915 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
 
commit 8fb923ddc38dd5f4bfac4869d70fd80483fdb87a
Author: Sergey Bugaev <bugaevc@gmail.com>
Date:   Fri Dec 2 16:55:58 2022 +0300

    hurd: Make getrandom cache the server port
    
    Previously, getrandom would, each time it's called, traverse the file
    system to find /dev/urandom, fetch some random data from it, then throw
    away that port. This is quite slow, while calls to getrandom are
    genrally expected to be fast.
    
    Additionally, this means that getrandom can not work when /dev/urandom
    is unavailable, such as inside a chroot that lacks one. User programs
    expect calls to getrandom to work inside a chroot if they first call
    getrandom outside of the chroot.
    
    In particular, this is known to break the OpenSSH server, and in that
    case the issue is exacerbated by the API of arc4random, which prevents
    it from properly reporting errors, forcing glibc to abort on failure.
    This causes sshd to just die once it tries to generate a random number.
    
    Caching the random server port, in a manner similar to how socket
    server ports are cached, both improves the performance and works around
    the chroot issue.
    
    Tested on i686-gnu with the following program:
    
    pthread_barrier_t barrier;
    
    void *worker(void*) {
        pthread_barrier_wait(&barrier);
        uint32_t sum = 0;
        for (int i = 0; i < 10000; i++) {
            sum += arc4random();
        }
        return (void *)(uintptr_t) sum;
    }
    
    int main() {
        pthread_t threads[THREAD_COUNT];
    
        pthread_barrier_init(&barrier, NULL, THREAD_COUNT);
    
        for (int i = 0; i < THREAD_COUNT; i++) {
            pthread_create(&threads[i], NULL, worker, NULL);
        }
        for (int i = 0; i < THREAD_COUNT; i++) {
            void *retval;
            pthread_join(threads[i], &retval);
            printf("Thread %i: %lu\n", i, (unsigned long)(uintptr_t) retval);
        }
    
    In my totally unscientific benchmark, with this patch, this completes
    in about 7 seconds, whereas previously it took about 50 seconds. This
    program was also used to test that getrandom () doesn't explode if the
    random server dies, but instead reopens the /dev/urandom anew. I have
    also verified that with this patch, OpenSSH can once again accept
    connections properly.
    
    Signed-off-by: Sergey Bugaev <bugaevc@gmail.com>
    Message-Id: <20221202135558.23781-1-bugaevc@gmail.com>

diff --git a/sysdeps/mach/hurd/getrandom.c b/sysdeps/mach/hurd/getrandom.c
index ad2d3ba387..9ee3ef74fb 100644
--- a/sysdeps/mach/hurd/getrandom.c
+++ b/sysdeps/mach/hurd/getrandom.c
@@ -16,10 +16,13 @@
    License along with the GNU C Library; if not, see
    <https://www.gnu.org/licenses/>.  */
 
+#include <hurd.h>
 #include <sys/random.h>
 #include <fcntl.h>
-#include <unistd.h>
-#include <not-cancel.h>
+
+__libc_rwlock_define_initialized (static, lock);
+static file_t random_server, random_server_nonblock,
+              urandom_server, urandom_server_nonblock;
 
 extern char *__trivfs_server_name __attribute__((weak));
 
@@ -29,9 +32,36 @@ ssize_t
 __getrandom (void *buffer, size_t length, unsigned int flags)
 {
   const char *random_source = "/dev/urandom";
-  int open_flags = O_RDONLY | O_CLOEXEC;
-  size_t amount_read;
-  int fd;
+  int open_flags = O_RDONLY;
+  file_t server, *cached_server;
+  error_t err;
+  char *data = buffer;
+  mach_msg_type_number_t nread = length;
+
+  switch (flags)
+    {
+    case 0:
+      cached_server = &urandom_server;
+      break;
+    case GRND_RANDOM:
+      cached_server = &random_server;
+      break;
+    case GRND_NONBLOCK:
+      cached_server = &urandom_server_nonblock;
+      break;
+    case GRND_RANDOM | GRND_NONBLOCK:
+      cached_server = &random_server_nonblock;
+      break;
+    default:
+      return __hurd_fail (EINVAL);
+    }
+
+  if (flags & GRND_RANDOM)
+    random_source = "/dev/random";
+  if (flags & GRND_NONBLOCK)
+    open_flags |= O_NONBLOCK;
+  /* No point in passing either O_NOCTTY, O_IGNORE_CTTY, or O_CLOEXEC
+     to file_name_lookup, since we're not making an fd.  */
 
   if (&__trivfs_server_name && __trivfs_server_name
       && __trivfs_server_name[0] == 'r'
@@ -44,19 +74,76 @@ __getrandom (void *buffer, size_t length, unsigned int flags)
     /* We are random, don't try to read ourselves!  */
     return length;
 
-  if (flags & GRND_RANDOM)
-    random_source = "/dev/random";
+again:
+  __libc_rwlock_rdlock (lock);
+  server = *cached_server;
+  if (MACH_PORT_VALID (server))
+    /* Attempt to read some random data using this port.  */
+    err = __io_read (server, &data, &nread, -1, length);
+  else
+    err = MACH_SEND_INVALID_DEST;
+  __libc_rwlock_unlock (lock);
 
-  if (flags & GRND_NONBLOCK)
-    open_flags |= O_NONBLOCK;
+  if (err == MACH_SEND_INVALID_DEST || err == MIG_SERVER_DIED)
+    {
+      file_t oldserver = server;
+      mach_port_urefs_t urefs;
+
+      /* Slow path: the cached port didn't work, or there was no
+         cached port in the first place.  */
+
+      __libc_rwlock_wrlock (lock);
+      server = *cached_server;
+      if (server != oldserver)
+        {
+          /* Someone else must have refetched the port while we were
+             waiting for the lock. */
+          __libc_rwlock_unlock (lock);
+          goto again;
+        }
+
+      if (MACH_PORT_VALID (server))
+        {
+          /* It could be that someone else has refetched the port and
+             it got the very same name.  So check whether it is a send
+             right (and not a dead name).  */
+          err = __mach_port_get_refs (__mach_task_self (), server,
+                                      MACH_PORT_RIGHT_SEND, &urefs);
+          if (!err && urefs > 0)
+            {
+              __libc_rwlock_unlock (lock);
+              goto again;
+            }
+
+          /* Now we're sure that it's dead.  */
+          __mach_port_deallocate (__mach_task_self (), server);
+        }
+
+      server = *cached_server = __file_name_lookup (random_source,
+                                                    open_flags, 0);
+      __libc_rwlock_unlock (lock);
+      if (!MACH_PORT_VALID (server))
+        /* No luck.  */
+        return -1;
+
+      goto again;
+    }
+
+  if (err)
+    return __hurd_fail (err);
 
-  fd = __open_nocancel(random_source, open_flags);
-  if (fd == -1)
-    return -1;
+  if (data != buffer)
+    {
+      if (nread > length)
+        {
+          __vm_deallocate (__mach_task_self (), (vm_address_t) data, nread);
+          return __hurd_fail (EGRATUITOUS);
+        }
+      memcpy (buffer, data, nread);
+      __vm_deallocate (__mach_task_self (), (vm_address_t) data, nread);
+    }
 
-  amount_read = __read_nocancel(fd, buffer, length);
-  __close_nocancel_nostatus(fd);
-  return amount_read;
+  return nread;
 }
 
 libc_hidden_def (__getrandom)