In this case, the warning _is_ the bug. The code was fine and had no bug, it intentionally fed unitialised memory to the entropy pool. The 'bug' was in the interaction with valgrind, which rightly operates under the assumption that using uninitalised memory is 'bad' and thus generates a warning. However here it hit the (probably only) corner case where using unitialised memory is 'good' and thus the warning was bogus. Someone asked the Debian Maintainer to fix this warning. Instead of using a valgrind-specific workaround (add information to the executable which tells valgrind 'treat this as initialised memory') he chose to remove the code feeding uninitialised memory to the entropy pool. If he hadn't botched up the patch and crippled the entropy pool, this would be a reasonable solution to the problem, since Linux has a good internal entropy generator (/dev/random) which is also used to feed the pool. AFAICS adding uninitialised memory is more of a fallback "in case there is no /dev/random or /dev/random is broken, we still have _some_ more entropy than just the pid and time" (or whatever else gets mixed in). But: IANASE (I am not a security expert)
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds