dlsym(RTLD_DEFAULT, "getentropy") return non-NULL on Mac
Dmitry Samersoff
dmitry.samersoff at oracle.com
Sat Nov 7 20:29:31 UTC 2015
Wang Weijun,
1. RTLD_DEFAUL call is expensive and dangerous because it cause symbol
search across all loaded images. So it can pick up something absolutely
irrelevant to your expectations at any time.
If you decide to play to this game, you have to use dladdr to check the
origin of a symbol and try to guess whether it is what you are looking
for or not.
Please dlopen(libSystem.dylib, RTLD_NOW) and search through it only.
2. You shouldn't rely on return value of dlopen() or dlsym(). Call
dlerror() and check whether it returns error or NULL.
PS:
What is the goal of using a getentropy ?
-Dmitry
On 2015-11-07 05:51, Wang Weijun wrote:
> I find something strange.
>
> Background: a new method getentropy() is available on OpenBSD [1] and Solaris and people are also proposing it on other OSes.
>
> Therefore inside JDK I write a piece of native code to detect it, something like
>
> typedef int (*GETENTROPY_FN)(char* buffer, int len);
>
> getentropy = (GETENTROPY_FN)dlsym(RTLD_DEFAULT, "getentropy");
> if (getentropy) {
> return 1;
> }
>
> On Mac, it returns non-NULL, but a later call to (*getentropy)(cbuffer, length) shows
>
> # SIGBUS (0xa) at pc=0x0000000103bfa030, pid=22434, tid=5891
> ...
> # Problematic frame:
> # C [libj2rand.dylib+0x1030] getentropy+0x0
>
> However, "man getentropy" does not show anything, and the following simple program also prints out 0x0
>
> #include <dlfcn.h>
> #include <stdlib.h>
>
> main() {
> void* g = dlsym(RTLD_DEFAULT, "getentropy");
> printf("%p\n", g);
> }
>
> What does this mean? Is the JDK code loading another getentropy() somewhere else? How do I detect it and what shall I do to avoid it?
>
> Thanks
> Max
>
> [1] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/getentropy.2
>
--
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.
More information about the security-dev
mailing list