--- Begin Message ---
Package: libc6
Version: 2.13-10
Severity: normal
fopen()/fread() is used by some software packages (I noticed it via ECL) to
read data from /dev/urandom.
But fread() reads more bytes than specified (rounded up to 4096!), thereby
decreasing the available entropy by a large amount.
To test, compile this program:
#include <stdio.h>
int main(void)
{
    FILE *fh;
    unsigned char buf;               /* destination for the single byte */
    fh = fopen("/dev/urandom", "r");
    if (fh == NULL)
        return 1;
    fread(&buf, 1, 1, fh);           /* ask for 1 byte; watch what stdio actually read */
    fclose(fh);
    return 0;
}
and run via strace:
...
brk(0x1e64000) = 0x1e64000
open("/dev/urandom", O_RDONLY) = 3
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7ffff68dbb60) = -1 EINVAL (Invalid argument)
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fac45b34000
read(3, "\242\261\204\215\221\313\253#\336\355\336u\37\3Gl\374\332\301\271\363Z\327\7@.ziU\324\305"..., 4096) = 4096
This is a bug IMO; with urandom it discards a lot of entropy, and with random
it might cause hangs.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libc6 depends on:
ii libc-bin 2.13-10 Embedded GNU C Library: Binaries
ii libgcc1 1:4.6.1-4 GCC support library
libc6 recommends no packages.
Versions of packages libc6 suggests:
ii debconf [debconf-2.0] 1.5.40 Debian configuration management sy
pn glibc-doc <none> (no description available)
ii locales 2.13-10 Embedded GNU C Library: National L
-- debconf information:
* glibc/upgrade: true
glibc/disable-screensaver:
glibc/restart-failed:
* glibc/restart-services: ssh postfix openbsd-inetd cups cron atd apache2
--- End Message ---
--- Begin Message ---
- To: 636266-done@bugs.debian.org
- Subject: Re: libc6: fread(buf, 1, 1) from urandom consumes 4096 bytes of entropy
- From: Petr Salinger <Petr.Salinger@seznam.cz>
- Date: Tue, 02 Aug 2011 18:54:41 +0200 (CEST)
- Message-id: <60786.10050.16516-29544-1472601700-1312304081@seznam.cz>
> fopen()/fread() is used by some software packages (I noticed it via ECL) to
> read data from /dev/urandom.
So fix/report a bug against these packages.
If the application does not want to use buffered I/O,
just ask for it: add "setbuf(fh, NULL)".
Your sample program should be
#include <stdio.h>
int main(void)
{
    FILE *fh;
    unsigned char buf;               /* destination for the single byte */
    fh = fopen("/dev/urandom", "r");
    if (fh == NULL)
        return 1;
    setbuf(fh, NULL);                /* unbuffered: fread() now reads exactly what is asked */
    fread(&buf, 1, 1, fh);
    fclose(fh);
    return 0;
}
Petr
--- End Message ---
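Added example (not code from the bug report or the reply): it measures the buffering effect without strace. A one-byte fread() is issued through a FILE stream, then lseek() on the underlying descriptor reports how many bytes the kernel really handed to stdio; a constructed scratch file stands in for /dev/urandom because a regular file's offset is observable, and bytes_consumed_by_one_byte_fread() is a name assumed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a 64 KiB scratch file so the read size is bounded only by the
 * stdio buffering mode, not by the file length. Filler is constructed. */
static int make_scratch_file(char *path_template)
{
    int fd = mkstemp(path_template);
    if (fd < 0) return -1;
    unsigned char chunk[1024];
    memset(chunk, 0xA5, sizeof chunk);
    for (int i = 0; i < 64; i++)
        if (write(fd, chunk, sizeof chunk) != (ssize_t)sizeof chunk) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* fread() one byte and return how many bytes the kernel actually delivered,
 * read off the descriptor's file offset. unbuffered != 0 applies the
 * setbuf(fh, NULL) fix from the reply. Returns -1 on any failure. */
long bytes_consumed_by_one_byte_fread(int unbuffered)
{
    char path[] = "/tmp/fread-demo-XXXXXX";
    if (make_scratch_file(path) != 0) return -1;

    FILE *fh = fopen(path, "r");
    if (!fh) { unlink(path); return -1; }
    if (unbuffered) setbuf(fh, NULL);   /* must precede any other stream operation */

    unsigned char byte;
    if (fread(&byte, 1, 1, fh) != 1) { fclose(fh); unlink(path); return -1; }

    /* The stream handed us 1 byte; the fd offset shows what was really read. */
    long consumed = (long)lseek(fileno(fh), 0, SEEK_CUR);
    fclose(fh);
    unlink(path);
    return consumed;
}

int main(void)
{
    printf("default buffering: 1-byte fread pulled %ld bytes from the fd\n",
           bytes_consumed_by_one_byte_fread(0));
    printf("setbuf(fh, NULL):  1-byte fread pulled %ld bytes from the fd\n",
           bytes_consumed_by_one_byte_fread(1));
    return 0;
}
```

With glibc the buffered case reports the stream's buffer size (4096 on a filesystem with 4 KiB blocks, matching the strace above), the unbuffered case reports 1.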