Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp6144550iog; Thu, 23 Jun 2022 12:16:05 -0700 (PDT) X-Google-Smtp-Source: AGRyM1v1mqq6J3GKI3f4Y3iljI5cEP0T4Nbnf12WmmNCef1IC9TQol0SwdI1PCWAcg98bJlnbxk7 X-Received: by 2002:a17:903:2494:b0:168:fee7:6daa with SMTP id p20-20020a170903249400b00168fee76daamr40098754plw.39.1656011764848; Thu, 23 Jun 2022 12:16:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656011764; cv=none; d=google.com; s=arc-20160816; b=WHdl9h3ylYt45ZrO7qtbdMZpT1vwdnuvXxEzsR5iSwT+soLGuwpiaSHbmdVmQ2m41a rrpFb51PzNRl+JtjgSvUPDNtmq9oW68ESha0uBo5ZDkDEGYiVS/67zFH+lNGYdYra/Qe 3FdyTWqJ4mlRo/aYc0V2aI/q2scEX3XqFIqDBYT5JsE/Dpyfe1QAtg66pQqTAR9Ams8K Nk9ZcQ1c00RLL/SGfw6OoC5dG9ttMRIKrjnmj7hgineK8x3T/uGnFsWSY7K4DwMoFbPz BojsB4Hvkk6lp/LaF9ajkzDzm72r5bTa8rgxaFUIXPca9mZHrWaqYM5cDb+19SUPWg5h F1HA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=pixGAYMMqGy12w1Rv/RAQacx68XnaOpNOISwmxzUj90=; b=rPA0scsBsnhaIhJcIrd0LcnPg/AdlJiJOm9d6wheNRmCcO6BZo04BwPalgeATWtWOY 6uk26Mj+PBst6c1Y+J8NwvjKpiwoRl0WvV+F4E0YTahY/6Kq3BBTaFydQ7vd6vCb0hZR C728bRtP4fUTNt1JSrIPyi4UhlQSFrOHtQXEaKsc5M6XdjXo6n5nEhUGhD5Qxec76p4d //6jnUOpjLT6kaLDAJrt3qg2Fm8BSbYNANJdpedHD0sYZxpTxWIGGGTXWrnmLKejE12x t807MtQaHN2I9XjeYHo3o6TVJr7CC4Q83vk/FK5ScvgsdehfJEiTSeNG0UaV4kcJDwyA wN6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ao375Efe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f5-20020a625105000000b0052527705946si37432pfb.47.2022.06.23.12.15.52; Thu, 23 Jun 2022 12:16:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ao375Efe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236488AbiFWSNg (ORCPT + 99 others); Thu, 23 Jun 2022 14:13:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54996 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236531AbiFWSMZ (ORCPT ); Thu, 23 Jun 2022 14:12:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46AC6BEAB3; Thu, 23 Jun 2022 10:20:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CA80C61DE5; Thu, 23 Jun 2022 17:20:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8C2B6C3411B; Thu, 23 Jun 2022 17:20:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1656004843; bh=ZE8Oti+fu3e1FxWiLUTqce4e2vXw7qouPFIc2w4kBJs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ao375EfeJ9Si8R+vqkywMdT+40RwZtObRY2gs7Ivvvk2ICFbtdu813GQEL9enMa+w RNKPy90kCCGAN//s54CiHYSigeAyTymYQNgXdf4GIOr3K2OeztX35iV8ula99YTKWL umwEDYLKz48xfA3IVLMUTKmoo9Nlc0Fe5iBnnw7k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Theodore Tso , Jann Horn , "Jason A. Donenfeld" Subject: [PATCH 4.19 128/234] random: do not allow user to keep crng key around on stack Date: Thu, 23 Jun 2022 18:43:15 +0200 Message-Id: <20220623164346.681483476@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220623164343.042598055@linuxfoundation.org> References: <20220623164343.042598055@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: "Jason A. Donenfeld" commit aba120cc101788544aa3e2c30c8da88513892350 upstream. The fast key erasure RNG design relies on the key that's used to be used and then discarded. We do this, making judicious use of memzero_explicit(). However, reads to /dev/urandom and calls to getrandom() involve a copy_to_user(), and userspace can use FUSE or userfaultfd, or make a massive call, dynamically remap memory addresses as it goes, and set the process priority to idle, in order to keep a kernel stack alive indefinitely. By probing /proc/sys/kernel/random/entropy_avail to learn when the crng key is refreshed, a malicious userspace could mount this attack every 5 minutes thereafter, breaking the crng's forward secrecy. In order to fix this, we just overwrite the stack's key with the first 32 bytes of the "free" fast key erasure output. If we're returning <= 32 bytes to the user, then we can still return those bytes directly, so that short reads don't become slower. And for long reads, the difference is hopefully lost in the amortization, so it doesn't change much, with that amortization helping variously for medium reads. We don't need to do this for get_random_bytes() and the various kernel-space callers, and later, if we ever switch to always batching, this won't be necessary either, so there's no need to change the API of these functions. Cc: Theodore Ts'o Reviewed-by: Jann Horn Fixes: c92e040d575a ("random: add backtracking protection to the CRNG") Fixes: 186873c549df ("random: use simpler fast key erasure flow on per-cpu keys") Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman --- drivers/char/random.c | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -532,19 +532,29 @@ static ssize_t get_random_bytes_user(voi if (!nbytes) return 0; - len = min_t(size_t, 32, nbytes); - crng_make_state(chacha_state, output, len); - - if (copy_to_user(buf, output, len)) - return -EFAULT; - nbytes -= len; - buf += len; - ret += len; + /* + * Immediately overwrite the ChaCha key at index 4 with random + * bytes, in case userspace causes copy_to_user() below to sleep + * forever, so that we still retain forward secrecy in that case. + */ + crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE); + /* + * However, if we're doing a read of len <= 32, we don't need to + * use chacha_state after, so we can simply return those bytes to + * the user directly. + */ + if (nbytes <= CHACHA_KEY_SIZE) { + ret = copy_to_user(buf, &chacha_state[4], nbytes) ? -EFAULT : nbytes; + goto out_zero_chacha; + } - while (nbytes) { + do { if (large_request && need_resched()) { - if (signal_pending(current)) + if (signal_pending(current)) { + if (!ret) + ret = -ERESTARTSYS; break; + } schedule(); } @@ -561,10 +571,11 @@ static ssize_t get_random_bytes_user(voi nbytes -= len; buf += len; ret += len; - } + } while (nbytes); - memzero_explicit(chacha_state, sizeof(chacha_state)); memzero_explicit(output, sizeof(output)); +out_zero_chacha: + memzero_explicit(chacha_state, sizeof(chacha_state)); return ret; }