lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250704125233.2653779-4-theil.markus@gmail.com>
Date: Fri,  4 Jul 2025 14:52:32 +0200
From: Markus Theil <theil.markus@...il.com>
To: netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: davem@...emloft.net,
	akpm@...ux-foundation.org,
	Jason@...c4.com,
	Markus Theil <theil.markus@...il.com>
Subject: [PATCH v2 3/4] prandom/random32: add checks against invalid state

Xoshiro256++ will not work in the very unlikely case,
that it is used with an all zeroes state. Add checks against
this in all necessary places.

Signed-off-by: Markus Theil <theil.markus@...il.com>
---
 lib/random32.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/lib/random32.c b/lib/random32.c
index 64fccfd64717..c01b763a7d40 100644
--- a/lib/random32.c
+++ b/lib/random32.c
@@ -26,6 +26,8 @@
 #include <linux/slab.h>
 #include <linux/unaligned.h>
 
+#define IS_ALL_ZERO_STATE(state) (!state->s[0] && !state->s[1] && !state->s[2] && !state->s[3])
+
 /**
  *	prandom_u64_state - seeded pseudo-random number generator.
  *	@state: pointer to state structure holding seeded state.
@@ -40,6 +42,9 @@ u64 prandom_u64_state(struct rnd_state *state)
 	const u64 result = rol64(state->s[0] + state->s[3], 23) + state->s[0];
 	const u64 t = state->s[1] << 17;
 
+	/* defensive check, as this fn returns always zero otherwise */
+	BUG_ON(IS_ALL_ZERO_STATE(state));
+
 	state->s[2] ^= state->s[0];
 	state->s[3] ^= state->s[1];
 	state->s[1] ^= state->s[2];
@@ -108,6 +113,12 @@ EXPORT_SYMBOL(prandom_bytes_state);
  *
  * splitmix64 init as suggested for xoshiro256++
  * See: https://prng.di.unimi.it/splitmix64.c
+ *
+ * Seeding with this routine cannot result in an
+ * all zeroes state due to the addition operation
+ * with the fixed constant 0x9e3779b97f4a7c15!
+ * Nevertheless check early for such a state
+ * as a defensive mechanism.
  */
 void prandom_seed_state(struct rnd_state *state, u64 seed)
 {
@@ -120,6 +131,9 @@ void prandom_seed_state(struct rnd_state *state, u64 seed)
 		z = (z ^ (z >> 27)) * 0x94d049bb133111eb;
 		state->s[i] = z ^ (z >> 31);
 	}
+
+	/* shall never happen */
+	BUG_ON(IS_ALL_ZERO_STATE(state));
 }
 EXPORT_SYMBOL(prandom_seed_state);
 
@@ -133,7 +147,16 @@ void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state)
 
 	for_each_possible_cpu(i) {
 		struct rnd_state *state = per_cpu_ptr(pcpu_state, i);
-		get_random_bytes(&state->s, sizeof(state->s));
+		memset(state, 0, sizeof(struct rnd_state));
+		/*
+		 * Internal state MUST not be all zeroes. Check and repeat if necessary.
+		 *
+		 * Highly unlikely, that we ever need more than one round. Just defensive
+		 * coding, as this could happen in theory.
+		 */
+		while (IS_ALL_ZERO_STATE(state)) {
+			get_random_bytes(&state->s, sizeof(state->s));
+		}
 	}
 }
 EXPORT_SYMBOL(prandom_seed_full_state);
-- 
2.49.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ