Date:	Sat, 15 Dec 2007 15:13:19 +0800
From:	Herbert Xu <herbert@...dor.apana.org.au>
To:	jreiser@...Wagon.com (John Reiser), akpm@...ux-foundation.org
Cc:	tytso@....edu, mpm@...enic.com, linux-kernel@...r.kernel.org,
	security@...nel.org
Subject: Re: /dev/urandom uses uninit bytes, leaks user data

John Reiser <jreiser@...wagon.com> wrote:
>
> If speed matters that much, then please recoup 33 cycles on x86
> by using shifts instead of three divides, such as (gcc 4.1.2):
> 
>                add_entropy_words(r, tmp, (bytes + 3) / 4);
> 
> 0x8140689 <xfer_secondary_pool+206>:    lea    0x3(%esi),%eax
> 0x814068c <xfer_secondary_pool+209>:    mov    $0x4,%dl
> 0x814068e <xfer_secondary_pool+211>:    mov    %edx,%edi
> 0x8140690 <xfer_secondary_pool+213>:    cltd
> 0x8140691 <xfer_secondary_pool+214>:    idiv   %edi

There ought to be a warning about this sort of thing.

[CHAR] random: Avoid signed integer division

John Reiser pointed out that we use signed integer divisions
unnecessarily in random.c.  This is bad because the C compiler
is obliged to consider the case of a negative dividend.

This patch changes all the relevant divisions and modulus operations
to use unsigned arithmetic.

Signed-off: Herbert Xu <herbert@...dor.apana.org.au>

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 5fee056..6c70bfb 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -694,11 +694,11 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
 	if (r->pull && r->entropy_count < nbytes * 8 &&
 	    r->entropy_count < r->poolinfo->POOLBITS) {
 		/* If we're limited, always leave two wakeup worth's BITS */
-		int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
+		int rsvd = r->limit ? 0 : random_read_wakeup_thresh / 4u;
 		int bytes = nbytes;
 
 		/* pull at least as many as BYTES as wakeup BITS */
-		bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
+		bytes = max_t(int, bytes, random_read_wakeup_thresh / 8u);
 		/* but never more than the buffer size */
 		bytes = min_t(int, bytes, sizeof(tmp));
 
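Review bot: The `/ 4u` and `/ 8u` on lines 55 and 60 make the quotient unsigned, but `random_read_wakeup_thresh` is a tunable `int` and the result is stored back into `int rsvd` and `int bytes` through `max_t(int, ...)`; a negative tunable would now produce a huge unsigned quotient reinterpreted as an int rather than a small negative value. The rewrite is only equivalent to the old code if the sysctl is constrained to non-negative values, which this hunk does not show. Suggest recording that invariant next to the declaration, e.g. `/* random_read_wakeup_thresh is non-negative (sysctl-bounded), so unsigned division is exact */`, or validating the tunable before dividing if it is not bounded. xfer_secondary_pool's body starts before this hunk and continues into the next one.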
@@ -707,8 +707,8 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
 			  r->name, bytes * 8, nbytes * 8, r->entropy_count);
 
 		bytes=extract_entropy(r->pull, tmp, bytes,
-				      random_read_wakeup_thresh / 8, rsvd);
-		add_entropy_words(r, tmp, (bytes + 3) / 4);
+				      random_read_wakeup_thresh / 8u, rsvd);
+		add_entropy_words(r, tmp, (bytes + 3) / 4u);
 		credit_entropy_store(r, bytes*8);
 	}
 }
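Review bot: `(bytes + 3) / 4u` on line 71 converts `bytes + 3` to unsigned before dividing, so if `extract_entropy` could ever return a negative `bytes`, the word count handed to `add_entropy_words` would become a very large positive number instead of a non-positive one, and the mixing would presumably run past the end of `tmp`. If the return value is guaranteed non-negative that is worth stating where it is consumed, e.g. `/* bytes >= 0 here: extract_entropy does not return errors -- confirm */`; if it is not, reject `bytes < 0` before the call. The same round-up idiom is repeated on line 117; if this tree's kernel.h already provides `DIV_ROUND_UP`, `DIV_ROUND_UP(bytes, 4)` in both places states the intent without a stray `u` suffix. xfer_secondary_pool begins in the previous hunk.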
@@ -739,14 +739,14 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
 		  nbytes * 8, r->name);
 
 	/* Can we pull enough? */
-	if (r->entropy_count / 8 < min + reserved) {
+	if (r->entropy_count / 8u < min + reserved) {
 		nbytes = 0;
 	} else {
 		/* If limited, never pull more than available */
-		if (r->limit && nbytes + reserved >= r->entropy_count / 8)
-			nbytes = r->entropy_count/8 - reserved;
+		if (r->limit && nbytes + reserved >= r->entropy_count / 8u)
+			nbytes = r->entropy_count / 8u - reserved;
 
-		if(r->entropy_count / 8 >= nbytes + reserved)
+		if(r->entropy_count / 8u >= nbytes + reserved)
 			r->entropy_count -= nbytes*8;
 		else
 			r->entropy_count = reserved;
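Review bot: Lines 80, 86 and 90 now compare an unsigned quotient (`r->entropy_count / 8u`) against signed `min + reserved` and against `nbytes + reserved`, so each comparison is evaluated unsigned; a negative `r->entropy_count` would no longer make the "can we pull enough" test fail cleanly but would read as a huge available count, and a negative `min + reserved` would convert to a large unsigned value and make the test fail where it previously passed. The new code therefore depends on `entropy_count`, `min` and `reserved` being non-negative invariants maintained elsewhere, which the hunk does not show. A one-line comment such as `/* entropy_count and the min/reserved arguments are never negative; the unsigned division relies on that */` would make the assumption visible, and a cheap `WARN_ON`-style check would catch it if it ever breaks. account()'s body starts before this hunk and continues past it.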
@@ -781,7 +781,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
 		/* hash blocks of 16 words = 512 bits */
 		sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
 		/* feed back portion of the resulting hash */
-		add_entropy_words(r, &buf[i % 5], 1);
+		add_entropy_words(r, &buf[i % 5u], 1);
 	}
 
 	/*
@@ -789,7 +789,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
 	 * portion of the pool while mixing, and hash one
 	 * final time.
 	 */
-	__add_entropy_words(r, &buf[i % 5], 1, data);
+	__add_entropy_words(r, &buf[i % 5u], 1, data);
 	sha_transform(buf, (__u8 *)data, buf + 5);
 
 	/*
@@ -1040,7 +1040,7 @@ write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
 		count -= bytes;
 		p += bytes;
 
-		add_entropy_words(r, buf, (bytes + 3) / 4);
+		add_entropy_words(r, buf, (bytes + 3) / 4u);
 	}
 
 	return 0;
--

