Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp6044851iog; Thu, 23 Jun 2022 10:10:19 -0700 (PDT) X-Google-Smtp-Source: AGRyM1sOIhDwyB7JeGDxtpDJsLW2A8HbH5/tpL/+jppvy3uPnWNUqpsAmkwVsH2l0s5IcfJw0e0f X-Received: by 2002:a17:906:530b:b0:718:c256:3933 with SMTP id h11-20020a170906530b00b00718c2563933mr9343857ejo.142.1656004219518; Thu, 23 Jun 2022 10:10:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656004219; cv=none; d=google.com; s=arc-20160816; b=ggk+gyVPaMpH7PFfgtbQv8ldjaBihVb5S+uMwKSv28IVITvmHe/tOCF3bgBbyIXYOo tPrqGpjvIOxTlGJO3AGgrj9ZPJKbMFbFM4ov7sYpw6/4siIbSCGCyOX1bR136vEhrOCW 8KcVpjI2iZH4f5eAZfu/fG1zr9WS97xTWShB9sPH5yHKob/2Awix7Irgf7KxulXR0rPB EAjG4lLTmONkzC20PQ2QBVDwkGXOZ67O0qnrjcEnGk4IIjDzH69ljIpaSFyjp0c0eK0q Ff/4QBWEmo9b/3eqg4uY9c9L8vNcnDbk31wTzCAEUKQOmYXaxMXwCd/RjF9wOKBK2+2p cdHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=CAWnirFnGQX+NQSsR9Qrpep9k+XMdXXUHQTHfAlL43k=; b=bdHJFHMy339ksT3yWR2tY0bDLEdjsOmmB5wS91lAVF4YycMCIt0qf1XZn01NXpTNlF NAEJ4UjXUmLCH83bG2q5F5gMsON9o2egfTGesPclQROeuAML8BzCCRevY1Zh5tx/Zm1c 4U9bUPdoBZMOsMRqNSkfZ3HHBTE1ydEqG+/TuySiR2DY8LoPyuaehMpNyzQn8tBb9O/h V7yHD5NziEeUACy/Jc1MBFfktJ1IPsr7Fdw0Amd0ZSVc1VKRBqgyBQvvYERbZ3RVPng0 F7zw4dgSjgL+R+ldwFosqRj2wCqwdHJqtdblLvwiulHJTg+miPra2kIAuPgaiDadW/bw q4xQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1JOKxRa4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p13-20020a17090635cd00b0072629f6f949si1575866ejb.802.2022.06.23.10.09.53; Thu, 23 Jun 2022 10:10:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1JOKxRa4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233076AbiFWQzS (ORCPT + 99 others); Thu, 23 Jun 2022 12:55:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52666 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233809AbiFWQvl (ORCPT ); Thu, 23 Jun 2022 12:51:41 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 59F7150B16; Thu, 23 Jun 2022 09:49:45 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 508DA61FC6; Thu, 23 Jun 2022 16:49:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 23624C3411B; Thu, 23 Jun 2022 16:49:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1656002984; bh=Z4NgkESxWxdWTbCmzVLX7Yj+ImAw80bZlglCyZrpjkE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1JOKxRa4nNKrCKw9awPRfaQ0Tg/inTROjsh2CJs1hos0tRKfQ5Skx+8OUxhLlK9GB cPqui3csrZz7ZKMSgyzUhWKX25hlNW3KG+BbBgj7/pmR2JVhvSYCcMiN19pR8F+dix YxsCjIkxJ2m72ZwQxkN5t8OhnQ8yCwZPxyqSG5Oo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , "Jason A. Donenfeld" Subject: [PATCH 4.9 092/264] random: dont reset crng_init_cnt on urandom_read() Date: Thu, 23 Jun 2022 18:41:25 +0200 Message-Id: <20220623164346.675535475@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220623164344.053938039@linuxfoundation.org> References: <20220623164344.053938039@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jann Horn commit 6c8e11e08a5b74bb8a5cdd5cbc1e5143df0fba72 upstream. At the moment, urandom_read() (used for /dev/urandom) resets crng_init_cnt to zero when it is called at crng_init<2. This is inconsistent: We do it for /dev/urandom reads, but not for the equivalent getrandom(GRND_INSECURE). (And worse, as Jason pointed out, we're only doing this as long as maxwarn>0.) crng_init_cnt is only read in crng_fast_load(); it is relevant at crng_init==0 for determining when to switch to crng_init==1 (and where in the RNG state array to write). As far as I understand: - crng_init==0 means "we have nothing, we might just be returning the same exact numbers on every boot on every machine, we don't even have non-cryptographic randomness; we should shove every bit of entropy we can get into the RNG immediately" - crng_init==1 means "well we have something, it might not be cryptographic, but at least we're not gonna return the same data every time or whatever, it's probably good enough for TCP and ASLR and stuff; we now have time to build up actual cryptographic entropy in the input pool" - crng_init==2 means "this is supposed to be cryptographically secure now, but we'll keep adding more entropy just to be sure". The current code means that if someone is pulling data from /dev/urandom fast enough at crng_init==0, we'll keep resetting crng_init_cnt, and we'll never make forward progress to crng_init==1. It seems to be intended to prevent an attacker from bruteforcing the contents of small individual RNG inputs on the way from crng_init==0 to crng_init==1, but that's misguided; crng_init==1 isn't supposed to provide proper cryptographic security anyway, RNG users who care about getting secure RNG output have to wait until crng_init==2. This code was inconsistent, and it probably made things worse - just get rid of it. Signed-off-by: Jann Horn Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman --- drivers/char/random.c | 4 ---- 1 file changed, 4 deletions(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1821,7 +1821,6 @@ urandom_read_nowarn(struct file *file, c static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) { - unsigned long flags; static int maxwarn = 10; if (!crng_ready() && maxwarn > 0) { @@ -1829,9 +1828,6 @@ urandom_read(struct file *file, char __u if (__ratelimit(&urandom_warning)) pr_notice("%s: uninitialized urandom read (%zd bytes read)\n", current->comm, nbytes); - spin_lock_irqsave(&primary_crng.lock, flags); - crng_init_cnt = 0; - spin_unlock_irqrestore(&primary_crng.lock, flags); } return urandom_read_nowarn(file, buf, nbytes, ppos);