| Message ID | 1914037.Wy7EiDNG7B@tachyon.chronox.de (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Herbert Xu |
| Headers | show |
On 11/12/2014 08:05 AM, Stephan Mueller wrote: > This patch adds the random number generator support for AF_ALG. > > A random number generator's purpose is to generate data without > requiring the caller to provide any data. Therefore, the AF_ALG > interface handler for RNGs only implements a callback handler for > recvmsg. ... > +static int rng_recvmsg(struct kiocb *unused, struct socket *sock, > + struct msghdr *msg, size_t len, int flags) > +{ > + struct sock *sk = sock->sk; > + struct alg_sock *ask = alg_sk(sk); > + struct rng_ctx *ctx = ask->private; > + int err = -EFAULT; > + > + if (0 == len) if (len == 0) ... [And also other places.] We don't use Yoda condition style in the kernel. > + return 0; > + if (MAXSIZE < len) > + len = MAXSIZE; > + > + lock_sock(sk); > + len = crypto_rng_get_bytes(ctx->drng, ctx->result, len); > + if (0 > len) > + goto unlock; > + > + err = memcpy_toiovec(msg->msg_iov, ctx->result, len); > + memset(ctx->result, 0, err); > + This looks buggy. If copy_to_user() fails from within memcpy_toiovec(), we call memset() with a negative return value which is interpreted as size_t and thus causes a buffer overflow writing beyond ctx->result, no? If it succeeds, we call memset(ctx->result, 0, 0) ..... > +unlock: > + release_sock(sk); > + > + return err ? err : len; > +} > + > +static struct proto_ops algif_rng_ops = { > + .family = PF_ALG, > + > + .connect = sock_no_connect, > + .socketpair = sock_no_socketpair, > + .getname = sock_no_getname, > + .ioctl = sock_no_ioctl, > + .listen = sock_no_listen, > + .shutdown = sock_no_shutdown, > + .getsockopt = sock_no_getsockopt, > + .mmap = sock_no_mmap, > + .bind = sock_no_bind, > + .accept = sock_no_accept, > + .setsockopt = sock_no_setsockopt, > + .poll = sock_no_poll, > + .sendmsg = sock_no_sendmsg, > + .sendpage = sock_no_sendpage, > + > + .release = af_alg_release, > + .recvmsg = rng_recvmsg, > +}; > + > +static void *rng_bind(const char *name, u32 type, u32 mask) > +{ > + return crypto_alloc_rng(name, type, mask); > +} > + > +static void rng_release(void *private) > +{ > + crypto_free_rng(private); > +} > + > +static void rng_sock_destruct(struct sock *sk) > +{ > + struct alg_sock *ask = alg_sk(sk); > + struct rng_ctx *ctx = ask->private; > + > + memset(ctx->result, 0, MAXSIZE); memset(ctx->result, 0, sizeof(ctx->result)); > + sock_kfree_s(sk, ctx, ctx->len); > + af_alg_release_parent(sk); > +} > + > +static int rng_accept_parent(void *private, struct sock *sk) > +{ > + struct rng_ctx *ctx; > + struct alg_sock *ask = alg_sk(sk); > + unsigned int len = sizeof(*ctx); > + int seedsize = crypto_rng_seedsize(private); > + int ret = -ENOMEM; > + > + ctx = sock_kmalloc(sk, len, GFP_KERNEL); > + if (!ctx) > + return -ENOMEM; > + memset(ctx->result, 0, MAXSIZE); Ditto... > + ctx->len = len; > + > + if (seedsize) { > + u8 *buf = kmalloc(seedsize, GFP_KERNEL); > + if (!buf) > + goto err; > + get_random_bytes(buf, seedsize); > + ret = crypto_rng_reset(private, buf, len); > + kzfree(buf); -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Am Mittwoch, 12. November 2014, 17:15:52 schrieb Daniel Borkmann: Hi Daniel, thanks for the comments. > On 11/12/2014 08:05 AM, Stephan Mueller wrote: > > This patch adds the random number generator support for AF_ALG. > > > > A random number generator's purpose is to generate data without > > requiring the caller to provide any data. Therefore, the AF_ALG > > interface handler for RNGs only implements a callback handler for > > recvmsg. > > ... > > > +static int rng_recvmsg(struct kiocb *unused, struct socket *sock, > > + struct msghdr *msg, size_t len, int flags) > > +{ > > + struct sock *sk = sock->sk; > > + struct alg_sock *ask = alg_sk(sk); > > + struct rng_ctx *ctx = ask->private; > > + int err = -EFAULT; > > + > > + if (0 == len) > > if (len == 0) > ... > > [And also other places.] > > We don't use Yoda condition style in the kernel. Well, there is a very good reason for using the approach I have: we all have done the error of forgetting the second = sign. In my case, the compiler will complain and we fix the error right away. In your case, nobody is complaining but we introduced a nasty, potentially hard to debug error. Thus, I very much like to keep my version just to be on the safe side. Note, there was even a backdoor I have seen where the missing 2nd equal sign introduced a privilege escalation. Therefore, my standard coding practice is to have a fixed value on the left side and the variable on the right side of any comparison. > > > + return 0; > > + if (MAXSIZE < len) > > + len = MAXSIZE; > > + > > + lock_sock(sk); > > + len = crypto_rng_get_bytes(ctx->drng, ctx->result, len); > > + if (0 > len) > > + goto unlock; > > + > > + err = memcpy_toiovec(msg->msg_iov, ctx->result, len); > > + memset(ctx->result, 0, err); > > + > > This looks buggy. > > If copy_to_user() fails from within memcpy_toiovec(), we call memset() > with a negative return value which is interpreted as size_t and thus > causes a buffer overflow writing beyond ctx->result, no? > > If it succeeds, we call memset(ctx->result, 0, 0) ..... Right, good catch, I have to add a catch for negative error here. > > > +unlock: > > + release_sock(sk); > > + > > + return err ? err : len; > > +} > > + > > +static struct proto_ops algif_rng_ops = { > > + .family = PF_ALG, > > + > > + .connect = sock_no_connect, > > + .socketpair = sock_no_socketpair, > > + .getname = sock_no_getname, > > + .ioctl = sock_no_ioctl, > > + .listen = sock_no_listen, > > + .shutdown = sock_no_shutdown, > > + .getsockopt = sock_no_getsockopt, > > + .mmap = sock_no_mmap, > > + .bind = sock_no_bind, > > + .accept = sock_no_accept, > > + .setsockopt = sock_no_setsockopt, > > + .poll = sock_no_poll, > > + .sendmsg = sock_no_sendmsg, > > + .sendpage = sock_no_sendpage, > > + > > + .release = af_alg_release, > > + .recvmsg = rng_recvmsg, > > +}; > > + > > +static void *rng_bind(const char *name, u32 type, u32 mask) > > +{ > > + return crypto_alloc_rng(name, type, mask); > > +} > > + > > +static void rng_release(void *private) > > +{ > > + crypto_free_rng(private); > > +} > > + > > +static void rng_sock_destruct(struct sock *sk) > > +{ > > + struct alg_sock *ask = alg_sk(sk); > > + struct rng_ctx *ctx = ask->private; > > + > > + memset(ctx->result, 0, MAXSIZE); > > memset(ctx->result, 0, sizeof(ctx->result)); Ok, if this is desired, fine with me. > > > + sock_kfree_s(sk, ctx, ctx->len); > > + af_alg_release_parent(sk); > > +} > > + > > +static int rng_accept_parent(void *private, struct sock *sk) > > +{ > > + struct rng_ctx *ctx; > > + struct alg_sock *ask = alg_sk(sk); > > + unsigned int len = sizeof(*ctx); > > + int seedsize = crypto_rng_seedsize(private); > > + int ret = -ENOMEM; > > + > > + ctx = sock_kmalloc(sk, len, GFP_KERNEL); > > + if (!ctx) > > + return -ENOMEM; > > + memset(ctx->result, 0, MAXSIZE); > > Ditto... Will do. > > > + ctx->len = len; > > + > > + if (seedsize) { > > + u8 *buf = kmalloc(seedsize, GFP_KERNEL); > > + if (!buf) > > + goto err; > > + get_random_bytes(buf, seedsize); > > + ret = crypto_rng_reset(private, buf, len); > > + kzfree(buf); > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/
On 11/12/2014 05:54 PM, Stephan Mueller wrote: > Am Mittwoch, 12. November 2014, 17:15:52 schrieb Daniel Borkmann: >> On 11/12/2014 08:05 AM, Stephan Mueller wrote: >>> This patch adds the random number generator support for AF_ALG. >>> >>> A random number generator's purpose is to generate data without >>> requiring the caller to provide any data. Therefore, the AF_ALG >>> interface handler for RNGs only implements a callback handler for >>> recvmsg. >> >> ... >> >>> +static int rng_recvmsg(struct kiocb *unused, struct socket *sock, >>> + struct msghdr *msg, size_t len, int flags) >>> +{ >>> + struct sock *sk = sock->sk; >>> + struct alg_sock *ask = alg_sk(sk); >>> + struct rng_ctx *ctx = ask->private; >>> + int err = -EFAULT; >>> + >>> + if (0 == len) >> >> if (len == 0) >> ... >> >> [And also other places.] >> >> We don't use Yoda condition style in the kernel. > > Well, there is a very good reason for using the approach I have: we all have > done the error of forgetting the second = sign. > > In my case, the compiler will complain and we fix the error right away. > > In your case, nobody is complaining but we introduced a nasty, potentially > hard to debug error. Thus, I very much like to keep my version just to be on > the safe side. > > Note, there was even a backdoor I have seen where the missing 2nd equal sign > introduced a privilege escalation. > > Therefore, my standard coding practice is to have a fixed value on the left > side and the variable on the right side of any comparison. I understand, but then please add this proposal first into ... Documentation/CodingStyle The problem is that while the rest of the kernel does not follow this coding style, it's also much harder to read and/or program this way for people not being used to. So the danger of bugs slipping in this way is at least equally high. Besides that, this argument would also only account for '==' checks. >>> + return 0; >>> + if (MAXSIZE < len) >>> + len = MAXSIZE; >>> + >>> + lock_sock(sk); >>> + len = crypto_rng_get_bytes(ctx->drng, ctx->result, len); >>> + if (0 > len) >>> + goto unlock; >>> + >>> + err = memcpy_toiovec(msg->msg_iov, ctx->result, len); >>> + memset(ctx->result, 0, err); >>> + >> >> This looks buggy. >> >> If copy_to_user() fails from within memcpy_toiovec(), we call memset() >> with a negative return value which is interpreted as size_t and thus >> causes a buffer overflow writing beyond ctx->result, no? >> >> If it succeeds, we call memset(ctx->result, 0, 0) ..... > > Right, good catch, I have to add a catch for negative error here. Hm? Don't you rather mean to say to unconditionally do something like ... memzero_explicit(ctx->result, len); ... >>> + memset(ctx->result, 0, MAXSIZE); >> >> memset(ctx->result, 0, sizeof(ctx->result)); > > Ok, if this is desired, fine with me. Yes, please. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Am Mittwoch, 12. November 2014, 18:23:27 schrieb Daniel Borkmann: Hi Daniel, >On 11/12/2014 05:54 PM, Stephan Mueller wrote: >> Am Mittwoch, 12. November 2014, 17:15:52 schrieb Daniel Borkmann: >>> On 11/12/2014 08:05 AM, Stephan Mueller wrote: >>>> This patch adds the random number generator support for AF_ALG. >>>> >>>> A random number generator's purpose is to generate data without >>>> requiring the caller to provide any data. Therefore, the AF_ALG >>>> interface handler for RNGs only implements a callback handler for >>>> recvmsg. >>> >>> ... >>> >>>> +static int rng_recvmsg(struct kiocb *unused, struct socket *sock, >>>> + struct msghdr *msg, size_t len, int flags) >>>> +{ >>>> + struct sock *sk = sock->sk; >>>> + struct alg_sock *ask = alg_sk(sk); >>>> + struct rng_ctx *ctx = ask->private; >>>> + int err = -EFAULT; >>>> + >>>> + if (0 == len) >>> >>> if (len == 0) >>> >>> ... >>> >>> [And also other places.] >>> >>> We don't use Yoda condition style in the kernel. >> >> Well, there is a very good reason for using the approach I have: we >> all have done the error of forgetting the second = sign. >> >> In my case, the compiler will complain and we fix the error right >> away. >> >> In your case, nobody is complaining but we introduced a nasty, >> potentially hard to debug error. Thus, I very much like to keep my >> version just to be on the safe side. >> >> Note, there was even a backdoor I have seen where the missing 2nd >> equal sign introduced a privilege escalation. >> >> Therefore, my standard coding practice is to have a fixed value on >> the left side and the variable on the right side of any comparison. > >I understand, but then please add this proposal first into ... > > Documentation/CodingStyle > >The problem is that while the rest of the kernel does not follow >this coding style, it's also much harder to read and/or program >this way for people not being used to. So the danger of bugs >slipping in this way is at least equally high. Besides that, this >argument would also only account for '==' checks. Ok, I can change that throughout the code. > >>>> + return 0; >>>> + if (MAXSIZE < len) >>>> + len = MAXSIZE; >>>> + >>>> + lock_sock(sk); >>>> + len = crypto_rng_get_bytes(ctx->drng, ctx->result, len); >>>> + if (0 > len) >>>> + goto unlock; >>>> + >>>> + err = memcpy_toiovec(msg->msg_iov, ctx->result, len); >>>> + memset(ctx->result, 0, err); >>>> + >>> >>> This looks buggy. >>> >>> If copy_to_user() fails from within memcpy_toiovec(), we call >>> memset() >>> with a negative return value which is interpreted as size_t and thus >>> causes a buffer overflow writing beyond ctx->result, no? >>> >>> If it succeeds, we call memset(ctx->result, 0, 0) ..... >> >> Right, good catch, I have to add a catch for negative error here. > >Hm? Don't you rather mean to say to unconditionally do something like >... > > memzero_explicit(ctx->result, len); Sorry, I was not clear: * I need to catch a failing memcpy, but not return an error. * I unconditionally use the memset after memcpy as you indicated. Once the cryptodev tree contains the memzero_explicit call, I will start picking up that function. Essentially, I throught of the line you suggested. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 11/12/2014 06:46 PM, Stephan Mueller wrote: ... > * I unconditionally use the memset after memcpy as you indicated. Once > the cryptodev tree contains the memzero_explicit call, I will start > picking up that function. Herbert merged it actually in this morning, so it's already part of the cryptodev tree by now. > Essentially, I throught of the line you suggested. Ok, thanks. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c new file mode 100644 index 0000000..d1904d7 --- /dev/null +++ b/crypto/algif_rng.c @@ -0,0 +1,186 @@ +/* + * algif_rng: User-space interface for random number generators + * + * This file provides the user-space API for random number generators. + * + * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU General Public License, in which case the provisions of the GPL2 are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF + * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + */ + +#include <linux/module.h> +#include <crypto/rng.h> +#include <linux/random.h> +#include <crypto/if_alg.h> +#include <linux/net.h> +#include <net/sock.h> + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); +MODULE_DESCRIPTION("User-space interface for random number generators"); + +struct rng_ctx { +#define MAXSIZE 128 + u8 result[MAXSIZE]; + unsigned int len; + struct crypto_rng *drng; +}; + +static int rng_recvmsg(struct kiocb *unused, struct socket *sock, + struct msghdr *msg, size_t len, int flags) +{ + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + struct rng_ctx *ctx = ask->private; + int err = -EFAULT; + + if (0 == len) + return 0; + if (MAXSIZE < len) + len = MAXSIZE; + + lock_sock(sk); + len = crypto_rng_get_bytes(ctx->drng, ctx->result, len); + if (0 > len) + goto unlock; + + err = memcpy_toiovec(msg->msg_iov, ctx->result, len); + memset(ctx->result, 0, err); + +unlock: + release_sock(sk); + + return err ? err : len; +} + +static struct proto_ops algif_rng_ops = { + .family = PF_ALG, + + .connect = sock_no_connect, + .socketpair = sock_no_socketpair, + .getname = sock_no_getname, + .ioctl = sock_no_ioctl, + .listen = sock_no_listen, + .shutdown = sock_no_shutdown, + .getsockopt = sock_no_getsockopt, + .mmap = sock_no_mmap, + .bind = sock_no_bind, + .accept = sock_no_accept, + .setsockopt = sock_no_setsockopt, + .poll = sock_no_poll, + .sendmsg = sock_no_sendmsg, + .sendpage = sock_no_sendpage, + + .release = af_alg_release, + .recvmsg = rng_recvmsg, +}; + +static void *rng_bind(const char *name, u32 type, u32 mask) +{ + return crypto_alloc_rng(name, type, mask); +} + +static void rng_release(void *private) +{ + crypto_free_rng(private); +} + +static void rng_sock_destruct(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct rng_ctx *ctx = ask->private; + + memset(ctx->result, 0, MAXSIZE); + sock_kfree_s(sk, ctx, ctx->len); + af_alg_release_parent(sk); +} + +static int rng_accept_parent(void *private, struct sock *sk) +{ + struct rng_ctx *ctx; + struct alg_sock *ask = alg_sk(sk); + unsigned int len = sizeof(*ctx); + int seedsize = crypto_rng_seedsize(private); + int ret = -ENOMEM; + + ctx = sock_kmalloc(sk, len, GFP_KERNEL); + if (!ctx) + return -ENOMEM; + memset(ctx->result, 0, MAXSIZE); + + ctx->len = len; + + if (seedsize) { + u8 *buf = kmalloc(seedsize, GFP_KERNEL); + if (!buf) + goto err; + get_random_bytes(buf, seedsize); + ret = crypto_rng_reset(private, buf, len); + kzfree(buf); + if (ret) + goto err; + } + + ctx->drng = private; + ask->private = ctx; + sk->sk_destruct = rng_sock_destruct; + + return 0; + +err: + sock_kfree_s(sk, ctx, len); + return ret; +} + +static const struct af_alg_type algif_type_rng = { + .bind = rng_bind, + .release = rng_release, + .accept = rng_accept_parent, + .ops = &algif_rng_ops, + .name = "rng", + .owner = THIS_MODULE +}; + +static int __init rng_init(void) +{ + return af_alg_register_type(&algif_type_rng); +} + +void __exit rng_exit(void) +{ + int err = af_alg_unregister_type(&algif_type_rng); + BUG_ON(err); +} + +module_init(rng_init); +module_exit(rng_exit);
This patch adds the random number generator support for AF_ALG. A random number generator's purpose is to generate data without requiring the caller to provide any data. Therefore, the AF_ALG interface handler for RNGs only implements a callback handler for recvmsg. The following parameters provided with a recvmsg are processed by the RNG callback handler: * sock - to resolve the RNG context data structure accessing the RNG instance private to the socket * len - this parameter allows userspace callers to specify how many random bytes the RNG shall produce and return. As the kernel context for the RNG allocates a buffer of 128 bytes to store random numbers before copying them to userspace, the len parameter is checked that it is not larger than 128. If a caller wants more random numbers, a new request for recvmsg shall be made. The size of 128 bytes is chose because of the following considerations: * to increase the memory footprint of the kernel too much (note, that would be 128 bytes per open socket) * 128 is divisible by any typical cryptographic block size an RNG may have * A request for random numbers typically only shall supply small amount of data like for keys or IVs that should only require one invocation of the recvmsg function. Note, during instantiation of the RNG, the code checks whether the RNG implementation requires seeding. If so, the RNG is seeded with output from get_random_bytes. A fully working example using all aspects of the RNG interface is provided at http://www.chronox.de/libkcapi.html Signed-off-by: Stephan Mueller <smueller@chronox.de> --- crypto/algif_rng.c | 186 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 186 insertions(+) create mode 100644 crypto/algif_rng.c