authorTom Lane <tgl@sss.pgh.pa.us>2016-09-23 09:54:11 -0400
committerTom Lane <tgl@sss.pgh.pa.us>2016-09-23 09:54:11 -0400
commit93528f7b41419d4c690ab83f45912e01281a590c (patch)
tree4b6ab0320255a5fb9c4192627eac15148093a442 /src/backend
parentc359178350ac7790437feb817c1fb523838abbd9 (diff)
Avoid using PostmasterRandom() for DSM control segment ID.
Commits 470d886c3 et al intended to fix the problem that the postmaster selected the same "random" DSM control segment ID on every start. But using PostmasterRandom() for that destroys the intended property that the delay between random_start_time and random_stop_time will be unpredictable. (Said delay is probably already more predictable than we could wish, but that doesn't mean that reducing it by a couple orders of magnitude is OK.) Revert the previous patch and add a comment warning against misuse of PostmasterRandom. Fix the original problem by calling srandom() early in PostmasterMain, using a low-security seed that will later be overwritten by PostmasterRandom. Discussion: <20789.1474390434@sss.pgh.pa.us>
Diffstat (limited to 'src/backend')
-rw-r--r--src/backend/postmaster/postmaster.c17
-rw-r--r--src/backend/storage/ipc/dsm.c3
2 files changed, 17 insertions, 3 deletions
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 949e7e07402..f16a63aadee 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -399,6 +399,7 @@ static void processCancelRequest(Port *port, void *pkt);
static int initMasks(fd_set *rmask);
static void report_fork_failure_to_client(Port *port, int errnum);
static CAC_state canAcceptConnections(void);
+static long PostmasterRandom(void);
static void RandomSalt(char *md5Salt);
static void signal_child(pid_t pid, int signal);
static bool SignalSomeChildren(int signal, int targets);
@@ -569,6 +570,16 @@ PostmasterMain(int argc, char *argv[])
umask(S_IRWXG | S_IRWXO);
/*
+ * Initialize random(3) so we don't get the same values in every run.
+ *
+ * Note: the seed is pretty predictable from externally-visible facts such
+ * as postmaster start time, so avoid using random() for security-critical
+ * random values during postmaster startup. At the time of first
+ * connection, PostmasterRandom will select a hopefully-more-random seed.
+ */
+ srandom((unsigned int) (MyProcPid ^ MyStartTime));
+
+ /*
* By default, palloc() requests in the postmaster will be allocated in
* the PostmasterContext, which is space that can be recycled by backends.
* Allocated data that needs to be available to backends should be
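Review bot: The seed `MyProcPid ^ MyStartTime` initializes generator state that every process forked from the postmaster will inherit, so a child that calls random() without reseeding gets the same sequence as its siblings, and since the seed is derivable from externally visible facts the sequence is guessable across runs as well. The new comment covers only the postmaster-startup case; if the fork path does not already reseed (that code is outside this hunk and worth confirming), I would extend the comment with `* Child processes inherit this generator state across fork() and must reseed before relying on random() for anything beyond trivial use.`. The cast to unsigned int also silently discards the high bits of MyStartTime, which is harmless for a low-security seed but deserves a word since the expression reads as if the whole value were used. PostmasterMain continues outside the hunk.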
@@ -5075,8 +5086,12 @@ RandomSalt(char *md5Salt)
/*
* PostmasterRandom
+ *
+ * Caution: use this only for values needed during connection-request
+ * processing. Otherwise, the intended property of having an unpredictable
+ * delay between random_start_time and random_stop_time will be broken.
*/
-long
+static long
PostmasterRandom(void)
{
/*
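Review bot: Making PostmasterRandom `static` only links cleanly if the extern declaration in the postmaster header is removed in the same commit; the diffstat shown here is limited to src/backend, so that part is not visible and should be confirmed. The new Caution comment states the constraint but not the mechanism, which is what a future caller needs to judge whether their use is safe; as the commit message describes it, the first call seeds from the elapsed time between random_start_time and random_stop_time, so an early caller both consumes that seed and shortens the delay, and I would add `* (The first call seeds random() from the elapsed time since postmaster start; calling it earlier makes that delay shorter and more predictable.)` to the comment. PostmasterRandom's body continues outside the hunk.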
diff --git a/src/backend/storage/ipc/dsm.c b/src/backend/storage/ipc/dsm.c
index 70422972095..b82ae05e155 100644
--- a/src/backend/storage/ipc/dsm.c
+++ b/src/backend/storage/ipc/dsm.c
@@ -36,7 +36,6 @@
#include "lib/ilist.h"
#include "miscadmin.h"
-#include "postmaster/postmaster.h"
#include "storage/dsm.h"
#include "storage/ipc.h"
#include "storage/lwlock.h"
@@ -180,7 +179,7 @@ dsm_postmaster_startup(PGShmemHeader *shim)
{
Assert(dsm_control_address == NULL);
Assert(dsm_control_mapped_size == 0);
- dsm_control_handle = (dsm_handle) PostmasterRandom();
+ dsm_control_handle = random();
if (dsm_control_handle == 0)
continue;
if (dsm_impl_op(DSM_OP_CREATE, dsm_control_handle, segsize,
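Review bot: `dsm_control_handle = random();` drops the `(dsm_handle)` cast the removed line carried; random() returns long and the narrowing to dsm_handle is now implicit, so I would keep it explicit as `dsm_control_handle = (dsm_handle) random();` for the same reason the old line had it, and to keep -Wconversion quiet. Note also that random() yields at most 31 bits, so the top bit of the handle is never set; that halves the usable handle space, which is presumably acceptable given the retry on collision, but a one-line comment saying so would save the next reader the question. The enclosing loop and dsm_postmaster_startup begin outside the hunk, and the dsm_impl_op call on the last line continues past it.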