From patchwork Thu Jun 8 08:19:19 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Theodore Ts'o X-Patchwork-Id: 9774209 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3EE816034B for ; Thu, 8 Jun 2017 08:19:41 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 26DF51FF81 for ; Thu, 8 Jun 2017 08:19:41 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1ACFC2654B; Thu, 8 Jun 2017 08:19:41 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id D8C172621B for ; Thu, 8 Jun 2017 08:19:39 +0000 (UTC) Received: (qmail 9279 invoked by uid 550); 8 Jun 2017 08:19:37 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 9229 invoked from network); 8 Jun 2017 08:19:35 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=FAfYdSOsylwQ7J071pJ6i563ntjnvgKWZQ+Nl27lavY=; b=r1XfiPHPVGWiAWw/gjj8gnPsLa87Aygi1/ihe/08PXHwKs+KCFZcffHM1bBUAtMZXfOctNMJ5gRGrShVw7tNAyEQLV/PYKtjWkxCt8+4jHdX4/SJUzlZay1Dw5epxbPssv0Zmf48gZ4DER4XfF56g1QoQ3uQyDgqx9/yw1fert0=; Date: Thu, 8 Jun 2017 04:19:19 -0400 From: Theodore Ts'o To: "Jason A. Donenfeld" Cc: Linux Crypto Mailing List , LKML , kernel-hardening@lists.openwall.com, Greg Kroah-Hartman , David Miller , Eric Biggers Message-ID: <20170608081919.zbtwdjl32vbvd7jt@thunk.org> Mail-Followup-To: Theodore Ts'o , "Jason A. Donenfeld" , Linux Crypto Mailing List , LKML , kernel-hardening@lists.openwall.com, Greg Kroah-Hartman , David Miller , Eric Biggers References: <20170606174804.31124-1-Jason@zx2c4.com> <20170606174804.31124-14-Jason@zx2c4.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20170606174804.31124-14-Jason@zx2c4.com> User-Agent: NeoMutt/20170113 (1.7.2) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Subject: [kernel-hardening] Re: [PATCH v4 13/13] random: warn when kernel uses unseeded randomness X-Virus-Scanned: ClamAV using ClamSMTP On Tue, Jun 06, 2017 at 07:48:04PM +0200, Jason A. Donenfeld wrote: > This enables an important dmesg notification about when drivers have > used the crng without it being seeded first. Prior, these errors would > occur silently, and so there hasn't been a great way of diagnosing these > types of bugs for obscure setups. By adding this as a config option, we > can leave it on by default, so that we learn where these issues happen, > in the field, will still allowing some people to turn it off, if they > really know what they're doing and do not want the log entries. > > However, we don't leave it _completely_ by default. An earlier version > of this patch simply had `default y`. I'd really love that, but it turns > out, this problem with unseeded randomness being used is really quite > present and is going to take a long time to fix. Thus, as a compromise > between log-messages-for-all and nobody-knows, this is `default y`, > except it is also `depends on DEBUG_KERNEL`. This will ensure that the > curious see the messages while others don't have to. > > Signed-off-by: Jason A. Donenfeld This patch is pretty spammy. On my KVM test kernel: random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 random: neigh_hash_alloc+0x77/0x8f get_random_u32 called with crng_init = 0 random: neigh_hash_alloc+0x77/0x8f get_random_u32 called with crng_init = 0 random: neigh_hash_alloc+0x77/0x8f get_random_u32 called with crng_init = 0 random: neigh_hash_alloc+0x77/0x8f get_random_u32 called with crng_init = 0 random: rt_genid_init+0x24/0x2f get_random_u32 called with crng_init = 0 random: bucket_table_alloc+0x15f/0x190 get_random_u32 called with crng_init = 0 At the very least we probably should do a logical "uniq" on the output (e.g., if we have complained about the previous callsite, don't whinge about it again). - Ted commit 9d9035bc6d7871a73d7f9aada4e63cb190874a68 Author: Theodore Ts'o Date: Thu Jun 8 04:16:59 2017 -0400 random: suppress duplicate crng_init=0 warnings Suppress duplicate CONFIG_WARN_UNSEEDED_RANDOM warnings to avoid spamming dmesg. Signed-off-by: Theodore Ts'o diff --git a/drivers/char/random.c b/drivers/char/random.c index 798f353f0d3c..3bdeef13afda 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1481,9 +1481,14 @@ void get_random_bytes(void *buf, int nbytes) __u8 tmp[CHACHA20_BLOCK_SIZE]; #ifdef CONFIG_WARN_UNSEEDED_RANDOM - if (!crng_ready()) + static void *previous = NULL; + void *caller = (void *) _RET_IP_; + + if (!crng_ready() && (READ_ONCE(previous) != caller)) { printk(KERN_NOTICE "random: %pF get_random_bytes called " - "with crng_init = %d\n", (void *) _RET_IP_, crng_init); + "with crng_init=%d\n", caller, crng_init); + WRITE_ONCE(previous, caller); + } #endif trace_get_random_bytes(nbytes, _RET_IP_); @@ -2064,6 +2069,10 @@ u64 get_random_u64(void) bool use_lock = crng_init < 2; unsigned long flags; struct batched_entropy *batch; +#ifdef CONFIG_WARN_UNSEEDED_RANDOM + static void *previous = NULL; + void *caller = (void *) _RET_IP_; +#endif #if BITS_PER_LONG == 64 if (arch_get_random_long((unsigned long *)&ret)) @@ -2075,9 +2084,11 @@ u64 get_random_u64(void) #endif #ifdef CONFIG_WARN_UNSEEDED_RANDOM - if (!crng_ready()) + if (!crng_ready() && (READ_ONCE(previous) != caller)) { printk(KERN_NOTICE "random: %pF get_random_u64 called " - "with crng_init = %d\n", (void *) _RET_IP_, crng_init); + "with crng_init=%d\n", caller, crng_init); + WRITE_ONCE(previous, caller); + } #endif batch = &get_cpu_var(batched_entropy_u64); @@ -2102,14 +2113,20 @@ u32 get_random_u32(void) bool use_lock = crng_init < 2; unsigned long flags; struct batched_entropy *batch; +#ifdef CONFIG_WARN_UNSEEDED_RANDOM + static void *previous = NULL; + void *caller = (void *) _RET_IP_; +#endif if (arch_get_random_int(&ret)) return ret; #ifdef CONFIG_WARN_UNSEEDED_RANDOM - if (!crng_ready()) + if (!crng_ready() && READ_ONCE(previous) != caller) { printk(KERN_NOTICE "random: %pF get_random_u32 called " - "with crng_init = %d\n", (void *) _RET_IP_, crng_init); + "with crng_init=%d\n", caller, crng_init); + WRITE_ONCE(previous, caller); + } #endif batch = &get_cpu_var(batched_entropy_u32);