| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Aug 2016 23:17:23 +0000 From: Jason Cooper <jason@...edaemon.net> To: Kees Cook <keescook@...omium.org> Cc: "Roberts, William C" <william.c.roberts@...el.com>, Yann Droneaud <ydroneaud@...eya.com>, Linux-MM <linux-mm@...ck.org>, LKML <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Russell King - ARM Linux <linux@....linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Theodore Ts'o <tytso@....edu>, Arnd Bergmann <arnd@...db.de>, Greg KH <gregkh@...uxfoundation.org>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will.deacon@....com>, Ralf Baechle <ralf@...ux-mips.org>, "benh@...nel.crashing.org" <benh@...nel.crashing.org>, Paul Mackerras <paulus@...ba.org>, Michael Ellerman <mpe@...erman.id.au>, "David S. Miller" <davem@...emloft.net>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>, Al Viro <viro@...iv.linux.org.uk>, Nick Kralevich <nnk@...gle.com>, Jeffrey Vander Stoep <jeffv@...gle.com>, Daniel Cashman <dcashman@...roid.com> Subject: Re: [PATCH v2 1/7] random: Simplify API for random address requests Hi Kees, On Mon, Aug 01, 2016 at 12:47:59PM -0700, Kees Cook wrote: > On Sun, Jul 31, 2016 at 1:56 PM, Jason Cooper <jason@...edaemon.net> wrote: > > On Sun, Jul 31, 2016 at 09:46:53AM -0700, Kees Cook wrote: > >> On Sat, Jul 30, 2016 at 8:42 AM, Jason Cooper <jason@...edaemon.net> wrote: > >> > To date, all callers of randomize_range() have set the length to 0, and > >> > check for a zero return value. For the current callers, the only way > >> > to get zero returned is if end <= start. Since they are all adding a > >> > constant to the start address, this is unnecessary. > >> > > >> > We can remove a bunch of needless checks by simplifying the API to do > >> > just what everyone wants, return an address between [start, start + > >> > range). > >> > > >> > While we're here, s/get_random_int/get_random_long/. No current call > >> > site is adversely affected by get_random_int(), since all current range > >> > requests are < UINT_MAX. However, we should match caller expectations > >> > to avoid coming up short (ha!) in the future. > >> > > >> > All current callers to randomize_range() chose to use the start address > >> > if randomize_range() failed. Therefore, we simplify things by just > >> > returning the start address on error. > >> > > >> > randomize_range() will be removed once all callers have been converted > >> > over to randomize_addr(). > >> > > >> > Signed-off-by: Jason Cooper <jason@...edaemon.net> > >> > --- > >> > Changes from v1: > >> > - Explicitly mention page_aligned start assumption (Yann Droneaud) > >> > - pick random pages vice random addresses (Yann Droneaud) > >> > - catch range=0 last > >> > > >> > drivers/char/random.c | 28 ++++++++++++++++++++++++++++ > >> > include/linux/random.h | 1 + > >> > 2 files changed, 29 insertions(+) > >> > > >> > diff --git a/drivers/char/random.c b/drivers/char/random.c > >> > index 0158d3bff7e5..3bedf69546d6 100644 > >> > --- a/drivers/char/random.c > >> > +++ b/drivers/char/random.c > >> > @@ -1840,6 +1840,34 @@ randomize_range(unsigned long start, unsigned long end, unsigned long len) > >> > return PAGE_ALIGN(get_random_int() % range + start); > >> > } > >> > > >> > +/** > >> > + * randomize_addr - Generate a random, page aligned address > >> > + * @start: The smallest acceptable address the caller will take. > >> > + * @range: The size of the area, starting at @start, within which the > >> > + * random address must fall. > >> > + * > >> > + * If @start + @range would overflow, @range is capped. > >> > + * > >> > + * NOTE: Historical use of randomize_range, which this replaces, presumed that > >> > + * @start was already page aligned. This assumption still holds. > >> > + * > >> > + * Return: A page aligned address within [start, start + range). On error, > >> > + * @start is returned. > >> > + */ > >> > +unsigned long > >> > +randomize_addr(unsigned long start, unsigned long range) > >> > >> Since we're changing other things about this, let's try to document > >> its behavior in its name too and call this "randomize_page" instead. > > > > Ack. Definitely more accurate. > > > >> If it requires a page-aligned value, we should probably also BUG_ON > >> it, or adjust the start too. > > > > merf. So, this whole series started from a suggested cleanup by William > > to s/get_random_int/get_random_long/. > > > > The current users have all been stable the way they are for a long time. > > Like pre-git long. So, if this is just a cleanup for those callers, I > > don't think we need to do more than we already are. > > > > However, if the intent is for this function to see wider use, then by > > all means, we need to handle start != PAGE_ALIGN(start). > > > > Do you have any new call sites in mind? > > I have no new call sites in mind, but it seems safe to add a BUG_ON to > verify we don't gain callers that don't follow the correct > expectations. (Or maybe WARN and return start.) No, I think BUG_ON is appropriate. afaict, the only time this will be encountered is during the development process. thx, Jason.
Powered by blists - more mailing lists