lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200329165204.GC4675@SDF.ORG>
Date:   Sun, 29 Mar 2020 16:52:04 +0000
From:   George Spelvin <lkml@....ORG>
To:     Bernard Metzler <BMT@...ich.ibm.com>
Cc:     linux-kernel@...r.kernel.org, Doug Ledford <dledford@...hat.com>,
        Jason Gunthorpe <jgg@...lanox.com>, linux-rdma@...r.kernel.org,
        Faisal Latif <faisal.latif@...el.com>,
        Shiraz Saleem <shiraz.saleem@...el.com>,
        Bart Van Assche <bvanassche@....org>, lkml@....org
Subject: Re: [RFC PATCH v1 42/50] drivers/ininiband: Use get_random_u32()

On Sun, Mar 29, 2020 at 03:01:36PM +0000, Bernard Metzler wrote:
> -----"George Spelvin" <lkml@....org> wrote: -----
>> Subject: [EXTERNAL] [RFC PATCH v1 42/50] drivers/ininiband: Use 
get_random_u32()
>>
>> There's no need to get_random_bytes() into a temporary buffer.
>>
>> This is not a no-brainer change; get_random_u32() has slightly weaker
>> security guarantees, but code like this is the classic example of when
>> it's appropriate: the random value is stored in the kernel for as long
>> as it's valuable.
>>
>> TODO: Could any of the call sites be further weakened to prandom_u32()?
>> If we're randomizing to avoid collisions with a *cooperating* (as opposed
>> to malicious) partner, we don't need cryptographic strength.
>>
>> Signed-off-by: George Spelvin <lkml@....org>
>> Cc: Doug Ledford <dledford@...hat.com>
>> Cc: Jason Gunthorpe <jgg@...lanox.com>
>> Cc: linux-rdma@...r.kernel.org
>> Cc: Faisal Latif <faisal.latif@...el.com>
>> Cc: Shiraz Saleem <shiraz.saleem@...el.com>
>> Cc: Bart Van Assche <bvanassche@....org>
>> Cc: Bernard Metzler <bmt@...ich.ibm.com>

>> diff --git a/drivers/infiniband/sw/siw/siw_verbs.c
>> b/drivers/infiniband/sw/siw/siw_verbs.c
>> index 5fd6d6499b3d7..42f3ced4ca7c7 100644
>> --- a/drivers/infiniband/sw/siw/siw_verbs.c
>> +++ b/drivers/infiniband/sw/siw/siw_verbs.c
>> @@ -1139,7 +1139,7 @@ int siw_create_cq(struct ib_cq *base_cq, const
>> struct ib_cq_init_attr *attr,
>>  		rv = -ENOMEM;
>>  		goto err_out;
>>  	}
>> -	get_random_bytes(&cq->id, 4);
>> +	cq->id = get_random_u32();
>>  	siw_dbg(base_cq->device, "new CQ [%u]\n", cq->id);
>>  
>>  	spin_lock_init(&cq->lock);

> Speaking for the siw driver only, these two changes are looking
> good to me. What is needed is a pseudo-random number, not
> to easy to guess for the application. get_random_u32() provides that.
> 
> Thanks!
> 
> Reviewed-by: Bernard Metzler <bmt@...ich.ibm.com>

Just so you know, get_random_u32() is still crypto-strength: it is
unguessable even to a resourceful attacker with access to large amounts
of other get_random_u32() output.

prandom_u32() is much cheaper, but although well seeded and distributed 
(so equally resistant to accidental collisions), *is* guessable if someone 
really wants to work at it.

Many intra-machine networks (like infiniband) are specifically not 
designed to be robust in the face of malicious actors on the network.
A random transaction ID is sent in the clear, and a malicious actor 
wanting to interfere could simply copy it.

In such cases, there's no need for crypto-grade numbers, because the
network already assumes that nobody's actively trying to create
collisions.

You seem to be saying that the siw driver could use prandom_u32().

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ