Call abort() if NSS cannot read from /dev/urandom.

nss/lib/freebl/unix_rand.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <stdio.h>
 #include <string.h>
 #include <signal.h>
 #include <unistd.h>
 #include <limits.h>
 #include <errno.h>
@@ skipping 900 matching lines @@
  *
  * Bug 174993: On platforms providing /dev/urandom, don't fork netstat
  * either, if data has been gathered successfully.
  */
 
 #if defined(BSDI) || defined(FREEBSD) || defined(NETBSD) \
     || defined(OPENBSD) || defined(DARWIN) || defined(LINUX) \
     || defined(HPUX)
     if (bytes)
         return;
+
+    /*
+     * Modified to abort the process if it failed to read from /dev/urandom.
+     *
+     * See crbug.com/244661 for details.
+     */
+    fprintf(stderr, "[ERROR:%s(%d)] NSS failed to read from /dev/urandom. "
+            "Abort process.\n", __FILE__, __LINE__);
+    fflush(stderr);
+    abort();
 #endif
 
 #ifdef SOLARIS
 
 /*
  * On Solaris, NSS may be initialized automatically from libldap in
  * applications that are unaware of the use of NSS. safe_popen forks, and
  * sometimes creates issues with some applications' pthread_atfork handlers.
  * We always have /dev/urandom on Solaris 9 and above as an entropy source,
  * and for Solaris 8 we have the libkstat interface, so we don't need to
@@ skipping 30 matching lines @@
     FILE *        file;
     size_t        bytes;
     size_t        fileBytes = 0;
     struct stat   stat_buf;
     unsigned char buffer[BUFSIZ];
     static size_t totalFileBytes = 0;
     
     /* suppress valgrind warnings due to holes in struct stat */
     memset(&stat_buf, 0, sizeof(stat_buf));
 
-    if (stat((char *)fileName, &stat_buf) < 0)
-        return fileBytes;
-    RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
+    if (stat((char *)fileName, &stat_buf) == 0)
+        RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));

[wtc, 2013/06/10 19:39:37]

This change is required only if we don't have the file-read-metadata
permission for /dev/urandom.  See https://codereview.chromium.org/16748002/

My preference is to allow file-read-metadata for /dev/urandom.

     
     file = fopen((char *)fileName, "r");
     if (file != NULL) {
         while (limit > fileBytes) {
             bytes = PR_MIN(sizeof buffer, limit - fileBytes);
             bytes = fread(buffer, 1, bytes, file);
             if (bytes == 0) 
                 break;
             RNG_RandomUpdate(buffer, bytes);
             fileBytes      += bytes;
@@ skipping 141 matching lines @@
 
 size_t RNG_SystemRNG(void *dest, size_t maxLen)
 {
     FILE *file;
     size_t bytes;
     size_t fileBytes = 0;
     unsigned char *buffer = dest;
 
     file = fopen("/dev/urandom", "r");
     if (file == NULL) {
-        return rng_systemFromNoise(dest, maxLen);
+        /*
+         * Modified to abort the process if it failed to read from /dev/urandom.
+         *
+         * See crbug.com/244661 for details.
+         */
+        fprintf(stderr, "[ERROR:%s(%d)] NSS failed to read from /dev/urandom. "
+                        "Abort process.\n", __FILE__, __LINE__);
+        fflush(stderr);
+        abort();
     }
     while (maxLen > fileBytes) {
         bytes = maxLen - fileBytes;
         bytes = fread(buffer, 1, bytes, file);
         if (bytes == 0) 
             break;
         fileBytes += bytes;
         buffer += bytes;
     }
     fclose(file);
     if (fileBytes != maxLen) {
         PORT_SetError(SEC_ERROR_NEED_RANDOM);  /* system RNG failed */
         fileBytes = 0;
     }
     return fileBytes;
 }