From patchwork Wed Aug 3 23:39:07 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jason Cooper X-Patchwork-Id: 9262363 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id DFE416048B for ; Wed, 3 Aug 2016 23:40:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D060327FA8 for ; Wed, 3 Aug 2016 23:40:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C1D2827FAB; Wed, 3 Aug 2016 23:40:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id D07AB27FB6 for ; Wed, 3 Aug 2016 23:40:04 +0000 (UTC) Received: (qmail 11758 invoked by uid 550); 3 Aug 2016 23:39:59 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: kernel-hardening@lists.openwall.com Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 11712 invoked from network); 3 Aug 2016 23:39:58 -0000 X-MHO-User: bc22bdcf-59d3-11e6-8929-8ded99d5e9d7 X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information X-Originating-IP: 74.99.77.15 X-Mail-Handler: DuoCircle Outbound SMTP From: Jason Cooper To: Kees Cook , Michael Ellerman , "Roberts, William C" , Yann Droneaud Cc: "Linux-MM" , LKML , "kernel-hardening" , "Russell King - ARM Linux" , Andrew Morton , "Theodore Ts'o" , Arnd Bergmann , gregkh@linuxfoundation.org, Catalin Marinas , Will Deacon , Ralf Baechle , benh@kernel.crashing.org, paulus@samba.org, "David S. Miller" , Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , x86@kernel.org, viro@zeniv.linux.org.uk, Nick Kralevich , Jeffrey Vander Stoep , Daniel Cashman , Jason Cooper Date: Wed, 3 Aug 2016 23:39:07 +0000 Message-Id: <20160803233913.32511-2-jason@lakedaemon.net> X-Mailer: git-send-email 2.9.2 In-Reply-To: <20160803233913.32511-1-jason@lakedaemon.net> References: <20160728204730.27453-1-jason@lakedaemon.net> <20160803233913.32511-1-jason@lakedaemon.net> Subject: [kernel-hardening] [PATCH v3 1/7] random: Simplify API for random address requests X-Virus-Scanned: ClamAV using ClamSMTP To date, all callers of randomize_range() have set the length to 0, and check for a zero return value. For the current callers, the only way to get zero returned is if end <= start. Since they are all adding a constant to the start address, this is unnecessary. We can remove a bunch of needless checks by simplifying the API to do just what everyone wants, return an address between [start, start + range). While we're here, s/get_random_int/get_random_long/. No current call site is adversely affected by get_random_int(), since all current range requests are < UINT_MAX. However, we should match caller expectations to avoid coming up short (ha!) in the future. All current callers to randomize_range() chose to use the start address if randomize_range() failed. Therefore, we simplify things by just returning the start address on error. randomize_range() will be removed once all callers have been converted over to randomize_addr(). Signed-off-by: Jason Cooper --- Changes from v2: - s/randomize_addr/randomize_page/ (Kees Cook) - PAGE_ALIGN(start) if it wasn't (Kees Cook, Michael Ellerman) drivers/char/random.c | 33 +++++++++++++++++++++++++++++++++ include/linux/random.h | 1 + 2 files changed, 34 insertions(+) diff --git a/drivers/char/random.c b/drivers/char/random.c index 0158d3bff7e5..61cb434e3bea 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1840,6 +1840,39 @@ randomize_range(unsigned long start, unsigned long end, unsigned long len) return PAGE_ALIGN(get_random_int() % range + start); } +/** + * randomize_page - Generate a random, page aligned address + * @start: The smallest acceptable address the caller will take. + * @range: The size of the area, starting at @start, within which the + * random address must fall. + * + * If @start + @range would overflow, @range is capped. + * + * NOTE: Historical use of randomize_range, which this replaces, presumed that + * @start was already page aligned. We now align it regardless. + * + * Return: A page aligned address within [start, start + range). On error, + * @start is returned. + */ +unsigned long +randomize_page(unsigned long start, unsigned long range) +{ + if (!PAGE_ALIGNED(start)) { + range -= PAGE_ALIGN(start) - start; + start = PAGE_ALIGN(start); + } + + if (start > ULONG_MAX - range) + range = ULONG_MAX - start; + + range >>= PAGE_SHIFT; + + if (range == 0) + return start; + + return start + (get_random_long() % range << PAGE_SHIFT); +} + /* Interface for in-kernel drivers of true hardware RNGs. * Those devices may produce endless random bits and will be throttled * when our pool is full. diff --git a/include/linux/random.h b/include/linux/random.h index e47e533742b5..098fec690d65 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -35,6 +35,7 @@ extern const struct file_operations random_fops, urandom_fops; unsigned int get_random_int(void); unsigned long get_random_long(void); unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); +unsigned long randomize_page(unsigned long start, unsigned long range); u32 prandom_u32(void); void prandom_bytes(void *buf, size_t nbytes);