Date:	Thu, 28 Aug 2008 15:59:24 -0700
From:	Aaron Straus <aaron@...finllc.com>
To:	mpm@...enic.com
Cc:	LKML <linux-kernel@...r.kernel.org>
Subject: Re: drivers/char/random.c line 728 BUG

Hi,

On Aug 26 03:59 PM, Aaron Straus wrote:
> kernel BUG at drivers/char/random.c:728!

OK so that's (outside spinlock):

   BUG_ON(r->entropy_count > r->poolinfo->POOLBITS); 

in credit_entropy_bits we do (inside spinlock):

	r->entropy_count += nbits;
	if (r->entropy_count < 0) {
		DEBUG_ENT("negative entropy/overflow\n");
		r->entropy_count = 0;
	} else if (r->entropy_count > r->poolinfo->POOLBITS)
		r->entropy_count = r->poolinfo->POOLBITS;

I wonder if we got unlucky and did the:

  r->entropy_count += nbits

 - overflowed the entropy_count THEN
 - another thread hits the BUG before this thread reaches

   r->entropy_count = r->poolinfo->POOLBITS;

--

I notice before this commit:

commit adc782dae6c4c0f6fb679a48a544cfbcd79ae3dc
Author: Matt Mackall <mpm@...enic.com>
Date:   Tue Apr 29 01:03:07 2008 -0700

    random: simplify and rename credit_entropy_store

The credit_entropy_store function looks like this:

	spin_lock_irqsave(&r->lock, flags);

	if (r->entropy_count + nbits < 0) {
		DEBUG_ENT("negative entropy/overflow (%d+%d)\n",
			  r->entropy_count, nbits);
		r->entropy_count = 0;
	} else if (r->entropy_count + nbits > r->poolinfo->POOLBITS) {
		r->entropy_count = r->poolinfo->POOLBITS;
	} else {
		r->entropy_count += nbits;
		if (nbits)
			DEBUG_ENT("added %d entropy credits to %s\n",
				  nbits, r->name);
	}


Notice the old version is careful not to overflow r->entropy_count at
any point (even within the spinlock).  So perhaps that's why we didn't
hit this BUG() in the past?

Thanks!

					=a=


-- 
===================
Aaron Straus
aaron@...finllc.com
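The race the mail sketches (writer adds nbits, a reader outside the spinlock hits BUG_ON before the writer clamps) and the old-versus-new contrast in credit_entropy_store can both be replayed deterministically in user space. The following is an added example, not code from the mail, from random.c, or from the kernel tree: it reimplements the two credit functions as quoted above, inserts a stand-in for the unlocked BUG_ON reader at the point where the mail supposes the second thread runs, and reports the largest entropy_count that reader could observe. POOLBITS is fixed at 4096 as an assumption (the mail does not state the pool size), the pool and reader are simplified structs rather than the kernel's, and the interleaving is forced rather than produced by real threads.

```c
/* Deterministic model of the two credit_entropy_* variants quoted in the mail.
 * This is user-space stand-in code, not kernel code: it replays the
 * interleaving "writer adds nbits, unlocked reader checks BUG_ON,
 * writer clamps" that the mail suspects. */
#include <stdbool.h>
#include <stdio.h>

#define POOLBITS 4096   /* assumed pool size in bits; the mail does not state it */

struct pool {
    int entropy_count;   /* the field both the writer and the reader touch */
    int peak_seen;       /* largest value the unlocked reader has observed */
};

/* Stand-in for the BUG_ON(r->entropy_count > POOLBITS) reader, which runs
 * without r->lock and can therefore interleave with the credit function. */
static void unlocked_reader(struct pool *r)
{
    if (r->entropy_count > r->peak_seen)
        r->peak_seen = r->entropy_count;
}

/* Post-adc782da credit_entropy_bits: add first, clamp afterwards. */
static void credit_entropy_bits_new(struct pool *r, int nbits)
{
    r->entropy_count += nbits;
    unlocked_reader(r);          /* the window between += and the clamp */
    if (r->entropy_count < 0)
        r->entropy_count = 0;
    else if (r->entropy_count > POOLBITS)
        r->entropy_count = POOLBITS;
    unlocked_reader(r);
}

/* Pre-adc782da credit_entropy_store: test the sum, store only a clamped value. */
static void credit_entropy_store_old(struct pool *r, int nbits)
{
    if (r->entropy_count + nbits < 0)
        r->entropy_count = 0;
    else if (r->entropy_count + nbits > POOLBITS)
        r->entropy_count = POOLBITS;
    else
        r->entropy_count += nbits;
    unlocked_reader(r);          /* same reader; no over-limit value ever exists */
}

/* The check the mail quotes from random.c:728, applied to what the reader saw. */
static bool bug_on_would_fire(int observed_count)
{
    return observed_count > POOLBITS;
}

struct outcome {
    int peak_seen;     /* worst value visible to the unlocked reader */
    int final_count;   /* value left in the pool after the credit */
    bool bug_fires;    /* whether BUG_ON would trip on that peak */
};

/* Credit nbits to a pool currently holding start bits and report the result. */
struct outcome run_credit(bool new_version, int start, int nbits)
{
    struct pool r = { .entropy_count = start, .peak_seen = start };
    if (new_version)
        credit_entropy_bits_new(&r, nbits);
    else
        credit_entropy_store_old(&r, nbits);
    struct outcome o = { r.peak_seen, r.entropy_count, bug_on_would_fire(r.peak_seen) };
    return o;
}

int main(void)
{
    /* Constructed scenario: pool nearly full, then a burst of 200 credited bits. */
    struct outcome n = run_credit(true, 4000, 200);
    struct outcome o = run_credit(false, 4000, 200);
    printf("new: peak %d final %d BUG_ON=%s\n",
           n.peak_seen, n.final_count, n.bug_fires ? "yes" : "no");
    printf("old: peak %d final %d BUG_ON=%s\n",
           o.peak_seen, o.final_count, o.bug_fires ? "yes" : "no");
    return 0;
}
```

With the pool at 4000 bits and a 200-bit credit, the post-commit variant lets the reader see 4200 before the clamp brings the count back to 4096, so the BUG_ON condition is true inside that window; the pre-commit variant never stores anything above POOLBITS, so the same reader can only ever see 4096. The unlocked_reader() call is the only thing standing in for the second CPU; in the real kernel the window is a few instructions wide, which fits the "got unlucky" wording in the mail.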