Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deps: set CARES_RANDOM_FILE for c-ares #48156

Merged
merged 1 commit into from
May 26, 2023
Merged

deps: set CARES_RANDOM_FILE for c-ares #48156

merged 1 commit into from
May 26, 2023

Conversation

richardlau
Copy link
Member

Upstream c-ares renamed RANDOM_FILE to CARES_RANDOM_FILE some time ago in c-ares 1.17.2.

Refs: c-ares/c-ares#397

@richardlau
deps: set CARES_RANDOM_FILE for c-ares
0df81fa 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.
@richardlau richardlau added lts-watch-v16.x lts-watch-v18.x PRs that may need to be released in v18.x. labels May 24, 2023
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added cares Issues and PRs related to the c-ares dependency or the cares_wrap binding. dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. labels May 24, 2023
@richardlau richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label May 24, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label May 24, 2023
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/51948/

mhdawson
mhdawson approved these changes May 24, 2023
View reviewed changes
Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/51951/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/51954/

@richardlau richardlau added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label May 24, 2023
bnoordhuis
bnoordhuis approved these changes May 24, 2023
View reviewed changes
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but the c-ares logic from before yesterday's upgrade looks broken to me:

node/deps/cares/src/lib/ares_init.c

Lines 2189 to 2202 in 0e79635

# ifdef CARES_RANDOM_FILE
FILE *f = fopen(CARES_RANDOM_FILE, "rb");
if(f) {
setvbuf(f, NULL, _IONBF, 0);
counter = aresx_uztosi(fread(key, 1, key_data_len, f));
fclose(f);
}
# endif
#endif /* WIN32 */
if (!randomized) {
for (;counter<key_data_len;counter++)
key[counter]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */
}

It reads from /dev/urandom but then overwrites the result with rand()...

Should probably be filed as a security bug against the current release lines because it results in somewhat predictable DNS sequence ids.

The latest c-ares still falls back to that code path when /dev/urandom isn't accessible.

@richardlau
Copy link
Member Author

LGTM but the c-ares logic from before yesterday's upgrade looks broken to me:

node/deps/cares/src/lib/ares_init.c

Lines 2189 to 2202 in 0e79635

# ifdef CARES_RANDOM_FILE
FILE *f = fopen(CARES_RANDOM_FILE, "rb");
if(f) {
setvbuf(f, NULL, _IONBF, 0);
counter = aresx_uztosi(fread(key, 1, key_data_len, f));
fclose(f);
}
# endif
#endif /* WIN32 */
if (!randomized) {
for (;counter<key_data_len;counter++)
key[counter]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */
}

It reads from /dev/urandom but then overwrites the result with rand()...

It doesn't reset counter so should not be overwriting the bytes read from /dev/urandom.

@bnoordhuis
Copy link
Member

Right, but it assumes the read always succeeds with the requested number of bytes. At least musl libc sometimes return short or zero reads (e.g. when interrupted by a signal) and other libcs probably do too.

#define HAVE_ARC4RANDOM_BUF 1 on Linux could help because it's provided by glibc and handles edge cases like ☝️ but it's missing from musl...

@github-actions github-actions bot mentioned this pull request May 25, 2023
Open
21 tasks
@bnoordhuis
Copy link
Member

#define HAVE_ARC4RANDOM_BUF 1 on Linux could help because it's provided by glibc and handles edge cases like ☝️ but it's missing from musl...

Next best thing: c-ares/c-ares#526

@github-actions github-actions bot mentioned this pull request May 26, 2023
Open
21 tasks
@richardlau richardlau added the commit-queue Add this label to land a pull request using GitHub Actions. label May 26, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label May 26, 2023
@nodejs-github-bot nodejs-github-bot merged commit 70da075 into nodejs:main May 26, 2023
@nodejs-github-bot
Copy link
Collaborator

Landed in 70da075

This was referenced May 27, 2023
Open
Open
Open
Open
targos pushed a commit that referenced this pull request May 30, 2023
@richardlau @targos
deps: set CARES_RANDOM_FILE for c-ares
3047cae 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: #48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@github-actions github-actions bot mentioned this pull request May 31, 2023
Open
22 tasks
@targos targos mentioned this pull request Jun 4, 2023
Merged
denihs pushed a commit to meteor/node-v14-esm that referenced this pull request Jun 22, 2023
@richardlau @denihs
deps: set CARES_RANDOM_FILE for c-ares
7d4da40 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: nodejs#48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@mxdvl mxdvl mentioned this pull request Jun 23, 2023
Merged
erikolofsson pushed a commit to Malterlib/node that referenced this pull request Jun 26, 2023
@richardlau @erikolofsson
deps: set CARES_RANDOM_FILE for c-ares
704b543 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: nodejs#48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
erikolofsson pushed a commit to Malterlib/node that referenced this pull request Jun 26, 2023
@richardlau @erikolofsson
deps: set CARES_RANDOM_FILE for c-ares
78159c8 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: nodejs#48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
denihs pushed a commit to meteor/node-v14-esm that referenced this pull request Jul 3, 2023
@richardlau @denihs
deps: set CARES_RANDOM_FILE for c-ares
8baf61c 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: nodejs#48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
@richardlau @Ceres6
deps: set CARES_RANDOM_FILE for c-ares
46a72e0 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: nodejs#48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
@richardlau @Ceres6
deps: set CARES_RANDOM_FILE for c-ares
936dcc4 
Upstream c-ares renamed `RANDOM_FILE` to `CARES_RANDOM_FILE` some
time ago in c-ares 1.17.2.

PR-URL: nodejs#48156
Refs: c-ares/c-ares#397
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@richardlau richardlau deleted the cares branch August 24, 2023 12:21
@richardlau richardlau added backported-to-v18.x PRs backported to the v18.x-staging branch. and removed lts-watch-v18.x PRs that may need to be released in v18.x. labels Aug 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhdawson mhdawson mhdawson approved these changes

@bnoordhuis bnoordhuis bnoordhuis approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. backported-to-v18.x PRs backported to the v18.x-staging branch. cares Issues and PRs related to the c-ares dependency or the cares_wrap binding. dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@richardlau @nodejs-github-bot @bnoordhuis @mhdawson