| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jun 2014 09:11:40 -0400 From: Theodore Ts'o <tytso@....edu> To: George Spelvin <linux@...izon.com> Cc: hpa@...ux.intel.com, linux-kernel@...r.kernel.org, mingo@...nel.org, price@....edu Subject: Re: drivers/char/random.c: more ruminations On Tue, Jun 10, 2014 at 11:58:06PM -0400, George Spelvin wrote: > You can forbid underflows, but the code doesn't forbid overflows. > > 1. Assume the entropy count starts at 512 bytes (input pool full) > 2. Random writer mixes in 20 bytes of entropy into the input pool. > 2a. Input pool entropy is, however, capped at 512 bytes. > 3. Random extractor extracts 32 bytes of entropy from the pool. > Succeeds because 32 < 512. Pool is left with 480 bytes of > entropy. > 3a. Random extractor decrements pool entropy estimate to 480 bytes. > This is accurate. > 4. Random writer credits pool with 20 bytes of entropy. > 5. Input pool entropy is now 480 bytes, estimate is 500 bytes. Good point, that's a potential problem, although messing up the accounting betewen 480 and 500 bytes is not nearly as bad as messing up 0 and 20. It's not something where if the changes required massive changes, that I'd necessarily feel the need to backport them to stable. It's a certificational weakness, but it's a not disaster. - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists