Re: [ANN] Lua 5.3.2 (rc1) now available

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: [ANN] Lua 5.3.2 (rc1) now available
From: Coda Highland <chighland@...>
Date: Thu, 19 Nov 2015 11:31:45 -0800

On Thu, Nov 19, 2015 at 10:55 AM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
> 2015-11-19 20:49 GMT+02:00 Roberto Ierusalimschy <roberto@inf.puc-rio.br>:
>>> Lua 5.3.2 (rc1) is now available for testing at
>>>       http://www.lua.org/work/
>>
>> What is new:
>>
>> - table.sort "randomize" the pivot
>
> This is done as follows:
>
> static int choosePivot (int lo, int up) {
>   unsigned int t = (unsigned int)(unsigned long)time(NULL);  /* time */
>   unsigned int c = (unsigned int)(unsigned long)clock();  /* clock */
>   unsigned int r4 = (unsigned int)(up - lo) / 4u;  /* range/4 */
>   unsigned int p = (c + t) % (r4 * 2) + (lo + r4);
>   lua_assert(lo + r4 <= p && p <= up - r4);
>   return (int)p;
> }
>
> Since `time` returns a number of seconds, the value of `t` is quite
> likely to be constant for any given invocation of `sort`.
>
> Not very random.
>

That's why it's added to c, which is a high-resolution timer of the
process's uptime.

It's very likely that an app that does a sort after startup will have
fairly predictable c values, but it would require some pretty good
engineering on an attacker's part to be able to control both t AND c.
Not impossible, but nontrivial, and that's probably enough.

/s/ Adam

Follow-Ups:
- Re: [ANN] Lua 5.3.2 (rc1) now available, Roberto Ierusalimschy

References:
- [ANN] Lua 5.3.2 (rc1) now available, Luiz Henrique de Figueiredo
- Re: [ANN] Lua 5.3.2 (rc1) now available, Roberto Ierusalimschy
- Re: [ANN] Lua 5.3.2 (rc1) now available, Dirk Laurie

Prev by Date: Re: [ANN] Lua 5.3.2 (rc1) now available
Next by Date: Re: [ANN] Lua 5.3.2 (rc1) now available
Previous by thread: Re: [ANN] Lua 5.3.2 (rc1) now available
Next by thread: Re: [ANN] Lua 5.3.2 (rc1) now available
Index(es):
- Date
- Thread