| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Jul 2014 22:29:03 +0100
From: One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
To: ebiederm@...ssion.com (Eric W. Biederman)
Cc: Andy Lutomirski <luto@...capital.net>,
Paolo Bonzini <pbonzini@...hat.com>,
linux-crypto@...r.kernel.org,
Henrique de Moraes Holschuh <hmh@....eng.br>,
"linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>,
James Morris <james.l.morris@...cle.com>,
LSM List <linux-security-module@...r.kernel.org>,
Al Viro <viro@...iv.linux.org.uk>,
Linux API <linux-api@...r.kernel.org>,
Julien Tinnes <jln@...gle.com>,
"Theodore Ts'o" <tytso@....edu>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Paul Moore <paul@...l-moore.com>,
David Drysdale <drysdale@...gle.com>,
Kees Cook <keescook@...omium.org>,
Meredydd Luff <meredydd@...atehouse.org>,
Christoph Hellwig <hch@...radead.org>
Subject: Re: General flags to turn things off (getrandom, pid lookup, etc)
On Wed, 30 Jul 2014 11:41:41 -0700
ebiederm@...ssion.com (Eric W. Biederman) wrote:
> One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk> writes:
>
> >> Andy you seem to be arguing here for two system calls.
> >> get_urandom() and get_random().
> >>
> >> Where get_urandom only blocks if there is not enough starting entropy,
> >> and get_random(GRND_RANDOM) blocks if there is currently not enough
> >> entropy.
> >>
> >> That would allow -ENOSYS to be the right return value and it would
> >> simply things for everyone.
> >
> > So you replace the "no file handle" special case with the "unsupported or
> > disabled syscall" special case, which is even harder to test.
> >
> > Interfaces have failure modes. People who can't deal with that shouldn't
> > be writing code that does anything important in languages which don't
> > handle it for them.
>
> Perhaps I misread the earlier conversation but it what I have read of
> this discussion people want to disable some of get_random() modes with
> seccomp. Today get_random does not have any failure codes define except
> -ENOSYS.
>
> get_random(0) succeeding and get_random(GRND_RANDOM) returning -ENOSYS
> has every chance of causing applications to legitimately assume the
> get_random system call is not available in any mode.
Or more likely it'll be used like this
get_random(foo); /* always works */
Now the existing failure mode is is
open(...)
/* forget the check */
read()
/* forget the check */
and triggered by evil local attacks on file handles. The "improved"
behaviour is unchecked -ENOSYS returns which are likely to occur
systemically when users run stuff on old kernels, in vm's with it off etc.
So you've swapped the odd evil user attack on a single target for the
likelyhood of mass generation of flawed keys with no error reporting.
In fact you could do a better job of the whole mess in libc rather than
the kernel, because in libc you'd write it like this
if (open(.. ) < 0)
kill(getpid(), 9);
if (read(...) < expected)
kill(getpid(), 9);
close(fd);
and
a) on an older library you'd get a good failure (unable to execute the
binary)
b) on a newer system you'd get "do or die" behaviour and can improve its
robustness as desired
Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists