[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 05 May 2009 00:51:24 -0700
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Arjan van de Ven <arjan@...radead.org>, Jake Edge <jake@....net>,
security@...nel.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
James Morris <jmorris@...ei.org>,
linux-security-module@...r.kernel.org,
Eric Paris <eparis@...hat.com>,
Alan Cox <alan@...rguk.ukuu.org.uk>,
Roland McGrath <roland@...hat.com>, mingo@...hat.com,
Andrew Morton <akpm@...ux-foundation.org>,
Greg KH <greg@...ah.com>, Matt Mackall <mpm@...enic.com>
Subject: Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes
Linus Torvalds <torvalds@...ux-foundation.org> writes:
> On Mon, 4 May 2009, Linus Torvalds wrote:
>>
>> Quite frankly, the way "get_random_bytes()" works now (it does a _full_
>> sha thing every time), I think it's insane overkill. But I do have to
>> admit that our current "get_random_int()" is insane _underkill_.
>
> Actually, I don't think "get_random_int()" is underkill per se (it does
> that half md4 transform to try to hide the source of the data), but the
> data itself is simply not modified at all, and the buffers aren't updated
> in between rounds.
>
> In fact "secure_ip_id()" (which it uses) explicityl does that private
> hash[] array so that the mixing that "half_md4_transform()" does do will
> _not_ be saved for the next round - so the next round will always start
> from the same keyptr "secret" state.
>
> I think.
>
> If that wasn't the case, and we actually kept mixing up the end result
> back into the next iteration, I suspect the current "get_random_int()"
> wouldn't be _nearly_ as bad as it is now.
>
> Or maybe I'm missing some part of the transform, and we do mix the values
> back as we do that "get_random_int()". I just don't see it. And if I'm
> right, then I think _that_ is the real weakness of our current
> get_random_int().
Yes, not mixing the result back (which would give us some kind of
pseudo random number generator) is the problem.
secure_ip_id, looks to be a very different kind of thing. A seed
that is reused periodically. Ultimately those values do change.
For the state we are mixing back into I expect we want it to be
per cpu so we don't need locks and avoid cache line ping pongs
when we mix the state back.
I haven't seen Matts patch and couldn't find it when I did a quick
look so I don't have any idea there.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists