lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 22 Apr 2018 23:28:52 +0100
From:   Ben Hutchings <ben@...adent.org.uk>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org, Theodore Tso <tytso@....edu>
Cc:     stable@...r.kernel.org, Jann Horn <jannh@...gle.com>,
        stable@...nel.org, Salvatore Bonaccorso <carnil@...ian.org>
Subject: Re: [PATCH 4.9 75/95] random: set up the NUMA crng instances after
 the CRNG is fully initialized

On Sun, 2018-04-22 at 15:53 +0200, Greg Kroah-Hartman wrote:
> 4.9-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Theodore Ts'o <tytso@....edu>
> 
> commit 8ef35c866f8862df074a49a93b0309725812dea8 upstream.
> 
> Until the primary_crng is fully initialized, don't initialize the NUMA
> crng nodes.  Otherwise users of /dev/urandom on NUMA systems before
> the CRNG is fully initialized can get very bad quality randomness.  Of
> course everyone should move to getrandom(2) where this won't be an
> issue, but there's a lot of legacy code out there.  This related to
> CVE-2018-1108.
> 
> Reported-by: Jann Horn <jannh@...gle.com>
> Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...")
> Cc: stable@...nel.org # 4.8+
> Signed-off-by: Theodore Ts'o <tytso@....edu>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>

In 4.9 (and probably older branches too) this leads to a deadlock:

crng_reseed(primary_crng, ...) takes primary_crng.lock
-> numa_rcng_init()
   -> crng_initialize()
      -> get_random_bytes()
         -> extract_crng()
            -> _extract_crng(primary_crng, ...) tries to take primary_crng.lock

I think this can be fixed by backporting commit 4a072c71f49b
"random: silence compiler warnings and fix race" but I'm not sure
whether that depends on other changes.

Ben.

> ---
>  drivers/char/random.c |   46 +++++++++++++++++++++++++++-------------------
>  1 file changed, 27 insertions(+), 19 deletions(-)
> 
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -818,6 +818,32 @@ static int crng_fast_load(const char *cp
>  	return 1;
>  }
>  
> +#ifdef CONFIG_NUMA
> +static void numa_crng_init(void)
> +{
> +	int i;
> +	struct crng_state *crng;
> +	struct crng_state **pool;
> +
> +	pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
> +	for_each_online_node(i) {
> +		crng = kmalloc_node(sizeof(struct crng_state),
> +				    GFP_KERNEL | __GFP_NOFAIL, i);
> +		spin_lock_init(&crng->lock);
> +		crng_initialize(crng);
> +		pool[i] = crng;
> +	}
> +	mb();
> +	if (cmpxchg(&crng_node_pool, NULL, pool)) {
> +		for_each_node(i)
> +			kfree(pool[i]);
> +		kfree(pool);
> +	}
> +}
> +#else
> +static void numa_crng_init(void) {}
> +#endif
> +
>  static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
>  {
>  	unsigned long	flags;
> @@ -847,6 +873,7 @@ static void crng_reseed(struct crng_stat
>  	memzero_explicit(&buf, sizeof(buf));
>  	crng->init_time = jiffies;
>  	if (crng == &primary_crng && crng_init < 2) {
> +		numa_crng_init();
>  		crng_init = 2;
>  		process_random_ready_list();
>  		wake_up_interruptible(&crng_init_wait);
> @@ -1659,28 +1686,9 @@ static void init_std_data(struct entropy
>   */
>  static int rand_initialize(void)
>  {
> -#ifdef CONFIG_NUMA
> -	int i;
> -	struct crng_state *crng;
> -	struct crng_state **pool;
> -#endif
> -
>  	init_std_data(&input_pool);
>  	init_std_data(&blocking_pool);
>  	crng_initialize(&primary_crng);
> -
> -#ifdef CONFIG_NUMA
> -	pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL);
> -	for_each_online_node(i) {
> -		crng = kmalloc_node(sizeof(struct crng_state),
> -				    GFP_KERNEL | __GFP_NOFAIL, i);
> -		spin_lock_init(&crng->lock);
> -		crng_initialize(crng);
> -		pool[i] = crng;
> -	}
> -	mb();
> -	crng_node_pool = pool;
> -#endif
>  	return 0;
>  }
>  early_initcall(rand_initialize);
> 
> 
-- 
Ben Hutchings
It is easier to write an incorrect program
than to understand a correct one.

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ