Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp2438343ioo; Sat, 28 May 2022 13:42:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzdWBCoFQOmyevnk08sQZRiZmSX1lY4Oc1/Eym7R4mjuLSdO3nmGACZR2p3gxX9DB5Qtcnn X-Received: by 2002:a17:90b:1b05:b0:1e2:a053:2fad with SMTP id nu5-20020a17090b1b0500b001e2a0532fadmr4644532pjb.209.1653770562309; Sat, 28 May 2022 13:42:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653770562; cv=none; d=google.com; s=arc-20160816; b=0REyquGgSB6G7oTtrUamB4YTtLl0CpGc6uOSSXKOdCVBFezU3jFhLfNgKAkE76fts5 VfS0hSogeGFd62HFwnKHv6jlyHjSYnt+fcz79JErlju+H+rDHw2O+6L3/aLVI15tnnlt qQ0Xx1DKjB7Wr4smLXFttDCVFTdj22EP4jlUm8UOZygTB8FDljp4D6QS6lqnNBwdRyg0 qTM22mJXMiv4+KUKvF2I58oHVZHJQPralA8jKVyjhnC6d9JXbEWaZrCSK4gc+dVXolTX dmeQW1rE68AHOIT+J7WFxkf4KvpHDPxnZliaS/4X2fqUoLfQziIKDl3bkWKK/b+aln/g yFkQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=odXz6CKD68RJY/lCsybrndbZEZCu3uRxVkouQn7O04U=; b=N1lVO1rNsRJTK2WiBZy7vY/N5DXGXQkIe4vnOMxDxwOpokqOBSAIgZkhMQRsHqTSNF buXqXKaIi4wmQg8Ll5diI/3t8Zce518nad7vSeIBWVp8ngFvFmDMY+Sl3nzx2AOUncfH Gw5YpBjvIUxbOP9F8VrrneKWsJl1yeKimiphuLgbGQj8lnnviqryVIA56dt+iywWw0Zs IhR6+HDAAGvJp9inUITc/6RWlo/VhLA9nPjCPpdVwdyjiO6rXo/gdd+3uxIx1EGV9ddA z+Ky5RUQi2QbzRueE+6768sh7oTHmNZUWh/rGfGSfWWBUT4ri4ArAI5cTexwvakq99yA Uj/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="JJ1/nquO"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id l64-20020a638843000000b003c19e2b38f8si11147822pgd.421.2022.05.28.13.42.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 28 May 2022 13:42:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="JJ1/nquO"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1EC2A1BF089; Sat, 28 May 2022 12:45:39 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353393AbiE0MFz (ORCPT + 99 others); Fri, 27 May 2022 08:05:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57340 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353311AbiE0L4X (ORCPT ); Fri, 27 May 2022 07:56:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A163CA5; Fri, 27 May 2022 04:51:05 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3CC5361D56; Fri, 27 May 2022 11:51:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 32F17C385A9; Fri, 27 May 2022 11:51:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1653652264; bh=CL218ElMiLie/Oak1szbaMjRkRMppysThTv7HyrUkvU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JJ1/nquOMiJAlC+YZGabFmpPZaG0MfYl3bg2NeMJzn24kKKlmE683oZXmFOA8/Lst lgE3uNytrJqk+C6CYXZKtmkfDEN+paMKKNjEjl3NILwdQouXnqDW9E0z4W64G9TWcQ ++jdTKZhFMxCvigZJ1Rpk00NmYRITx7FNIRE5R3U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Theodore Tso , Jann Horn , "Jason A. Donenfeld" Subject: [PATCH 5.10 114/163] random: do not allow user to keep crng key around on stack Date: Fri, 27 May 2022 10:49:54 +0200 Message-Id: <20220527084843.975198387@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220527084828.156494029@linuxfoundation.org> References: <20220527084828.156494029@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DATE_IN_PAST_03_06, DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: "Jason A. Donenfeld" commit aba120cc101788544aa3e2c30c8da88513892350 upstream. The fast key erasure RNG design relies on the key that's used to be used and then discarded. We do this, making judicious use of memzero_explicit(). However, reads to /dev/urandom and calls to getrandom() involve a copy_to_user(), and userspace can use FUSE or userfaultfd, or make a massive call, dynamically remap memory addresses as it goes, and set the process priority to idle, in order to keep a kernel stack alive indefinitely. By probing /proc/sys/kernel/random/entropy_avail to learn when the crng key is refreshed, a malicious userspace could mount this attack every 5 minutes thereafter, breaking the crng's forward secrecy. In order to fix this, we just overwrite the stack's key with the first 32 bytes of the "free" fast key erasure output. If we're returning <= 32 bytes to the user, then we can still return those bytes directly, so that short reads don't become slower. And for long reads, the difference is hopefully lost in the amortization, so it doesn't change much, with that amortization helping variously for medium reads. We don't need to do this for get_random_bytes() and the various kernel-space callers, and later, if we ever switch to always batching, this won't be necessary either, so there's no need to change the API of these functions. Cc: Theodore Ts'o Reviewed-by: Jann Horn Fixes: c92e040d575a ("random: add backtracking protection to the CRNG") Fixes: 186873c549df ("random: use simpler fast key erasure flow on per-cpu keys") Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman --- drivers/char/random.c | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -534,19 +534,29 @@ static ssize_t get_random_bytes_user(voi if (!nbytes) return 0; - len = min_t(size_t, 32, nbytes); - crng_make_state(chacha_state, output, len); - - if (copy_to_user(buf, output, len)) - return -EFAULT; - nbytes -= len; - buf += len; - ret += len; + /* + * Immediately overwrite the ChaCha key at index 4 with random + * bytes, in case userspace causes copy_to_user() below to sleep + * forever, so that we still retain forward secrecy in that case. + */ + crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE); + /* + * However, if we're doing a read of len <= 32, we don't need to + * use chacha_state after, so we can simply return those bytes to + * the user directly. + */ + if (nbytes <= CHACHA_KEY_SIZE) { + ret = copy_to_user(buf, &chacha_state[4], nbytes) ? -EFAULT : nbytes; + goto out_zero_chacha; + } - while (nbytes) { + do { if (large_request && need_resched()) { - if (signal_pending(current)) + if (signal_pending(current)) { + if (!ret) + ret = -ERESTARTSYS; break; + } schedule(); } @@ -563,10 +573,11 @@ static ssize_t get_random_bytes_user(voi nbytes -= len; buf += len; ret += len; - } + } while (nbytes); - memzero_explicit(chacha_state, sizeof(chacha_state)); memzero_explicit(output, sizeof(output)); +out_zero_chacha: + memzero_explicit(chacha_state, sizeof(chacha_state)); return ret; }