Description
I was using the following code to produce a 4KiB random binary file:
<?php
$Random_Key = "";
for ($Count = 0; $Count < 4096; $Count++) {
    $Random_Key .= chr(rand(0, 255));
}
file_put_contents("/tmp/testing.bin", $Random_Key);
?>
I noticed that on most runs of the code, there were long sequences of dashes "---------" showing up. Sometimes there were no sequences of dashes, and this would carry on for numerous runs in a row. But inevitably, the same code would again produce long sequences of dash characters. I am viewing the binary file in Vim for ease of use on the terminal, which changes non-printable characters to . There don't appear to be any other repeated sequences apart from dashes in any of the outputs.
First portion of output with repeating dashes:
Wý^HÀLÛ$^K0Õq<93>cmo]MY<93>äíø÷C<91><95>GÈ^[_^Hø^^<96>w={^B^A^S<93>¤<99>Æ^M<8a>1^_`<82>x¯<8b>>-------------------------^PKf^U7^Z|±ðhÌ^Z^Q»Æ^G^WþÝ<9f>^Ou-'ÍH+¼Ï* ^\<89>Ó^Cpmk8%ÏmOÉÁ+<83>í7ïèè^X^\<97>^Lf§Uø1^_^PÈ2¯þùgÄZÌ^<92>´¹)3 ý!
Another portion with repeating dashes:
]äÈUÚzaÆ<94>Q<92><9a><89>Fb_Ý<<82>Ïîô^Y<88>Q·Ìñ<95>ô|:ë^AÖ>--------------------------^PâÅÁ^WØI8<8c><94>oëÂlS£HX^Wq<9d>ÁÑ^W<96>Q<9a><82>ªÂjG̳ê_Zío0<81>Xm<82>Å#jÌ0<87>¬^B<90>4Âahã\¦|<8c>v<95>ÇÙÔÄ*ñÝ>--^L<90>où^NJ©^NuÆ´Ö<87>h³S<87>OL<ÁÈýg^PW
Final portion with dashes repeating:
a>^TÊ£<95>^\>--'"pe~^\^Ln<90>@^Tû~UÕ3<91>>--------E<8c>e2P5ç:S%8Zgèue^[Vq<83>×5HÃ8eÅ<8a><80>Wº^C}$pö<8f>g
When the dashes problem is occurring, it usually appears more than once in the 4KiB of binary data. On this same output file, there are a total of 3 sets of long dash sequences. Possibly 5, as there are two other instances of "--" appearing above, which may or may not be random.
But I expected this output instead:
I expect fairly random output, with no long sequence of dash characters.
Reading the page on rand() it says that mt_rand() should be used for better random numbers, and also says that rand() is an alias for mt_rand(). I then found the random_bytes() function, which is supposed to produce cryptographically secure byte sequences -- but this function also produces the exact same sequences of dashes!
Again, not every time. It happens for a while, then doesn't happen.
This code was being run via Nginx with PHP-FPM, so I decided to try it directly on the command line with php -r '...', and it had the same exact issue of dashes appearing... but then it stopped producing them after a dozen or so runs. After this I wrote a Bash one-liner to run it repeatedly and check if the output file contained a sequence of more than 8 dashes in a row, and it didn't produce them even with thousands of iterations. I don't know what triggers the dashes to appear or not appear, but they keep coming back without changing my code. After testing on the command line, I went back to PHP-FPM where I had switched to using random_bytes(), and it immediately had the sequence of dashes I posted above (3 sets of dashes in the random bytes). Almost every reload of the page it has the dashes.
When the problem occurs, there are most often 2 or 3 long sequences of dashes in a row. For the length of dashes appearing in a row, I have noticed up to ~75 or so, which is definitely impossible to be random.
Has anyone ever seen long sequences of non-random bytes like this before? But only at random, not every time?
Note: I am using Ubuntu 20.04.6 LTS running on Windows Subsystem for Linux. On this platform it runs a patched Linux kernel (5.10.102.1-microsoft-standard-WSL2) that runs directly on top of Windows 10/11. I have not noticed any other issues with random numbers on this WSL kernel.
PHP Version
Operating System
Ubuntu 20.04.6 LTS on Windows Subsystem for Linux
I just wrote this bug report, then got to this part that says PHP 7.4 is not a supported version for bug reports. The version box should really be at the start of the bug report, so people don't waste their time writing a report only to find out it's for an unsupported version. Sigh. I will try to install PHP 8.x to see if the problem persists, but it's not easy to install on this version of Ubuntu LTS.
Has random_bytes() changed at all since PHP 7.4?
Were critical vulnerabilities found in random_bytes() that related to dash characters "---" repeating?
Edit: Also of note is that I read every bug report on the old system and here on github about "rand", and I see no mention of anything like this.
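An added example, not part of the original report: one way to check for the runs described above on the raw in-memory bytes, inside the same SAPI (PHP-FPM or CLI) and without any editor or terminal rendering in between. The helper names `longest_run` and `run_probability_bound` are hypothetical, and the short sample string is constructed.

```php
<?php
header('Content-Type: text/plain');

/** Return [length, byte value, offset] of the longest run of one repeated byte. */
function longest_run(string $data): array
{
    $best = [0, null, 0];
    $n = strlen($data);
    for ($i = 0; $i < $n; ) {
        $j = $i + 1;
        while ($j < $n && $data[$j] === $data[$i]) {
            $j++;
        }
        if ($j - $i > $best[0]) {
            $best = [$j - $i, ord($data[$i]), $i];
        }
        $i = $j;
    }
    return $best;
}

/** Union-bound estimate: chance that $n uniform bytes contain a run of at least $k equal bytes. */
function run_probability_bound(int $n, int $k): float
{
    // (n - k + 1) start positions; each needs k - 1 following bytes to match (1/256 each).
    return min(1.0, ($n - $k + 1) * pow(256, -($k - 1)));
}

$bytes = random_bytes(4096);
[$len, $value, $offset] = longest_run($bytes);

printf("SAPI: %s, PHP %s\n", PHP_SAPI, PHP_VERSION);
printf("longest run: %d x 0x%02X at offset %d\n", $len, $value, $offset);
printf("count of 0x2D ('-'): %d of %d bytes\n", substr_count($bytes, "-"), strlen($bytes));
printf("P(run >= 8) upper bound for 4096 bytes: %.3e\n", run_probability_bound(4096, 8));

// Hex dump of the in-memory bytes around the longest run.
echo chunk_split(bin2hex(substr($bytes, max(0, $offset - 8), 32)), 2, " "), "\n";

// Constructed sample: 25 dashes between other bytes, to show what a positive result looks like.
$sample = "\x10Kf" . str_repeat("-", 25) . "\x15\x37";
[$sLen, $sValue, $sOffset] = longest_run($sample);
printf("constructed sample: %d x 0x%02X at offset %d\n", $sLen, $sValue, $sOffset);
```

Running the same script under both PHP-FPM and `php` on the command line, and comparing the hex dump with what the saved file shows in a hex viewer, separates what the generator returned from how the bytes are written or displayed.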