`getrandom_msan` flag masks bugs in underlying implementations

[briansmith]

In PR #521 and PR #571, the getrandom_msan configuration flag was added, which causes getrandom to mark the resulting buffer unpoisoned for Memory Sanitizer, if the underlying implementation returned Ok. This masks bugs in the underlying implementation in the situation where it returned Ok without actually writing the entire output into the buffer.

Instead, each backend should do the unpoisoning if/when required. Further, the implementation should do it immediately after calling the syscall (or whatever) that writes to the buffer, inside any loops, and not after the short-read processing loop exits.

For example, let's say we want to use memory sanitizer to verify that we properly handle the operating system doing a "short read" where it returns less data than we expected. Such validation will be thwarted by the current implementation.

In particular, in the case of a custom backend, the custom backend should do its own unpoisoning. Note that many custom implementations will implicitly unpoison the buffer as they write data into it, so usually they won't need to do anything.

To test this, register a custom implementation that unconditionally returns Ok without doing anything.

A side-benefit of this is that we will reduce the number of targets where we actually need the msan library to be linked to the minimum (maybe just Linux)?.

[briansmith]

It may be useful to look at PR #463, which implements the strategy I suggest above.

[newpavlov]

I think our current implementation of fill_uninit is sufficient. We do not support "short reads", so in the case of an error content of the buffer is undefined and users should not read data from it.

[briansmith]

We do not support "short reads", so in the case of an error content of the buffer is undefined and users should not read data from it.

Thanks for the response. I think there is a misunderstanding. w.r.t. short reads, the issue is that if we had any logic bugs in a backend in how they deal with short reads, the current implementation of unpoisoning would mask those bugs from MSAN.

I've submitted PR #678 which implements this. I think the PR makes it clearer what I'm suggesting.

[newpavlov]

Ah, I see. You want to use the sanitizer to guard against potential bugs in getrandom implementation. Personally, I don't see much value in it (our loops are really straightforward, well reviewed, and did not contain any bugs which would've been caught by this), but I am also not against doing it, so I will wait for input from @josephlr and @dhardy.

[briansmith]

Yes, and specifically I want MSAN to trigger on such bugs in custom implementations, which it cannot do with the current code.

[newpavlov]

Hm, so custom implementations would be responsible for unpoisioning the filled buffer? I can see the logic in doing it like this, but I have a concern that many custom implementations will not do it in practice.

Maybe we could add a configuration flag which would disable the unpoisioning in fill_uninit?

[briansmith]

Hm, so custom implementations would be responsible for unpoisioning the filled buffer?

Yes.

I can see the logic in doing it like this, but I have a concern that many custom implementations will not do it in practice.

As you can see in PR #678, only extremely low-level implementations that bypass the Rust and C standard libraries will fail to automatically unpoison as they write to the output buffer. That is why most of our implementations do not need manual unpoisoning. So very few implementations would be affected by it.

[newpavlov]

Fixed in #678.