From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758503AbcG1VZm (ORCPT ); Thu, 28 Jul 2016 17:25:42 -0400 Received: from pmta2.delivery5.ore.mailhop.org ([54.186.218.12]:54791 "EHLO pmta2.delivery5.ore.mailhop.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758266AbcG1VZh (ORCPT ); Thu, 28 Jul 2016 17:25:37 -0400 X-MHO-User: fc30a325-5509-11e6-8929-8ded99d5e9d7 X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information X-Originating-IP: 74.99.77.15 X-Mail-Handler: DuoCircle Outbound SMTP From: Jason Cooper To: william.c.roberts@intel.com, Yann Droneaud , linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Cc: linux@arm.linux.org.uk, akpm@linux-foundation.org, keescook@chromium.org, tytso@mit.edu, arnd@arndb.de, gregkh@linuxfoundation.org, catalin.marinas@arm.com, will.deacon@arm.com, ralf@linux-mips.org, benh@kernel.crashing.org, paulus@samba.org, mpe@ellerman.id.au, davem@davemloft.net, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, viro@zeniv.linux.org.uk, nnk@google.com, jeffv@google.com, dcashman@android.com, Jason Cooper Subject: [PATCH 1/7] random: Simplify API for random address requests Date: Thu, 28 Jul 2016 20:47:24 +0000 Message-Id: <20160728204730.27453-2-jason@lakedaemon.net> X-Mailer: git-send-email 2.9.2 In-Reply-To: <20160728204730.27453-1-jason@lakedaemon.net> References: <20160728204730.27453-1-jason@lakedaemon.net> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org To date, all callers of randomize_range() have set the length to 0, and check for a zero return value. For the current callers, the only way to get zero returned is if end <= start. Since they are all adding a constant to the start address, this is unnecessary. We can remove a bunch of needless checks by simplifying the API to do just what everyone wants, return an address between [start, start + range). While we're here, s/get_random_int/get_random_long/. No current call site is adversely affected by get_random_int(), since all current range requests are < UINT_MAX. However, we should match caller expectations to avoid coming up short (ha!) in the future. Address generation within [start, start + range) behavior is preserved. All current callers to randomize_range() chose to use the start address if randomize_range() failed. Therefore, we simplify things by just returning the start address on error. randomize_range() will be removed once all callers have been converted over to randomize_addr(). Signed-off-by: Jason Cooper --- drivers/char/random.c | 26 ++++++++++++++++++++++++++ include/linux/random.h | 1 + 2 files changed, 27 insertions(+) diff --git a/drivers/char/random.c b/drivers/char/random.c index 0158d3bff7e5..3610774bcc53 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1840,6 +1840,32 @@ randomize_range(unsigned long start, unsigned long end, unsigned long len) return PAGE_ALIGN(get_random_int() % range + start); } +/** + * randomize_addr - Generate a random, page aligned address + * @start: The smallest acceptable address the caller will take. + * @range: The size of the area, starting at @start, within which the + * random address must fall. + * + * Before page alignment, the random address generated can be any value from + * @start, to @start + @range - 1 inclusive. + * + * If @start + @range would overflow, @range is capped. + * + * Return: A page aligned address within [start, start + range). On error, + * @start is returned. + */ +unsigned long +randomize_addr(unsigned long start, unsigned long range) +{ + if (range == 0) + return start; + + if (start > ULONG_MAX - range) + range = ULONG_MAX - start; + + return PAGE_ALIGN(get_random_long() % range + start); +} + /* Interface for in-kernel drivers of true hardware RNGs. * Those devices may produce endless random bits and will be throttled * when our pool is full. diff --git a/include/linux/random.h b/include/linux/random.h index e47e533742b5..f1ca2fa4c071 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -35,6 +35,7 @@ extern const struct file_operations random_fops, urandom_fops; unsigned int get_random_int(void); unsigned long get_random_long(void); unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); +unsigned long randomize_addr(unsigned long start, unsigned long range); u32 prandom_u32(void); void prandom_bytes(void *buf, size_t nbytes); -- 2.9.2 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f197.google.com (mail-pf0-f197.google.com [209.85.192.197]) by kanga.kvack.org (Postfix) with ESMTP id 37CF46B025F for ; Thu, 28 Jul 2016 17:25:38 -0400 (EDT) Received: by mail-pf0-f197.google.com with SMTP id 63so80396007pfx.0 for ; Thu, 28 Jul 2016 14:25:38 -0700 (PDT) Received: from pmta2.delivery5.ore.mailhop.org (pmta2.delivery5.ore.mailhop.org. [54.186.218.12]) by mx.google.com with ESMTPS id hu10si14226051pad.132.2016.07.28.14.25.37 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 28 Jul 2016 14:25:37 -0700 (PDT) From: Jason Cooper Subject: [PATCH 1/7] random: Simplify API for random address requests Date: Thu, 28 Jul 2016 20:47:24 +0000 Message-Id: <20160728204730.27453-2-jason@lakedaemon.net> In-Reply-To: <20160728204730.27453-1-jason@lakedaemon.net> References: <20160728204730.27453-1-jason@lakedaemon.net> Sender: owner-linux-mm@kvack.org List-ID: To: william.c.roberts@intel.com, Yann Droneaud , linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Cc: linux@arm.linux.org.uk, akpm@linux-foundation.org, keescook@chromium.org, tytso@mit.edu, arnd@arndb.de, gregkh@linuxfoundation.org, catalin.marinas@arm.com, will.deacon@arm.com, ralf@linux-mips.org, benh@kernel.crashing.org, paulus@samba.org, mpe@ellerman.id.au, davem@davemloft.net, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, viro@zeniv.linux.org.uk, nnk@google.com, jeffv@google.com, dcashman@android.com, Jason Cooper To date, all callers of randomize_range() have set the length to 0, and check for a zero return value. For the current callers, the only way to get zero returned is if end <= start. Since they are all adding a constant to the start address, this is unnecessary. We can remove a bunch of needless checks by simplifying the API to do just what everyone wants, return an address between [start, start + range). While we're here, s/get_random_int/get_random_long/. No current call site is adversely affected by get_random_int(), since all current range requests are < UINT_MAX. However, we should match caller expectations to avoid coming up short (ha!) in the future. Address generation within [start, start + range) behavior is preserved. All current callers to randomize_range() chose to use the start address if randomize_range() failed. Therefore, we simplify things by just returning the start address on error. randomize_range() will be removed once all callers have been converted over to randomize_addr(). Signed-off-by: Jason Cooper --- drivers/char/random.c | 26 ++++++++++++++++++++++++++ include/linux/random.h | 1 + 2 files changed, 27 insertions(+) diff --git a/drivers/char/random.c b/drivers/char/random.c index 0158d3bff7e5..3610774bcc53 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1840,6 +1840,32 @@ randomize_range(unsigned long start, unsigned long end, unsigned long len) return PAGE_ALIGN(get_random_int() % range + start); } +/** + * randomize_addr - Generate a random, page aligned address + * @start: The smallest acceptable address the caller will take. + * @range: The size of the area, starting at @start, within which the + * random address must fall. + * + * Before page alignment, the random address generated can be any value from + * @start, to @start + @range - 1 inclusive. + * + * If @start + @range would overflow, @range is capped. + * + * Return: A page aligned address within [start, start + range). On error, + * @start is returned. + */ +unsigned long +randomize_addr(unsigned long start, unsigned long range) +{ + if (range == 0) + return start; + + if (start > ULONG_MAX - range) + range = ULONG_MAX - start; + + return PAGE_ALIGN(get_random_long() % range + start); +} + /* Interface for in-kernel drivers of true hardware RNGs. * Those devices may produce endless random bits and will be throttled * when our pool is full. diff --git a/include/linux/random.h b/include/linux/random.h index e47e533742b5..f1ca2fa4c071 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -35,6 +35,7 @@ extern const struct file_operations random_fops, urandom_fops; unsigned int get_random_int(void); unsigned long get_random_long(void); unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); +unsigned long randomize_addr(unsigned long start, unsigned long range); u32 prandom_u32(void); void prandom_bytes(void *buf, size_t nbytes); -- 2.9.2 -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Reply-To: kernel-hardening@lists.openwall.com From: Jason Cooper Date: Thu, 28 Jul 2016 20:47:24 +0000 Message-Id: <20160728204730.27453-2-jason@lakedaemon.net> In-Reply-To: <20160728204730.27453-1-jason@lakedaemon.net> References: <20160728204730.27453-1-jason@lakedaemon.net> Subject: [kernel-hardening] [PATCH 1/7] random: Simplify API for random address requests To: william.c.roberts@intel.com, Yann Droneaud , linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com Cc: linux@arm.linux.org.uk, akpm@linux-foundation.org, keescook@chromium.org, tytso@mit.edu, arnd@arndb.de, gregkh@linuxfoundation.org, catalin.marinas@arm.com, will.deacon@arm.com, ralf@linux-mips.org, benh@kernel.crashing.org, paulus@samba.org, mpe@ellerman.id.au, davem@davemloft.net, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, viro@zeniv.linux.org.uk, nnk@google.com, jeffv@google.com, dcashman@android.com, Jason Cooper List-ID: To date, all callers of randomize_range() have set the length to 0, and check for a zero return value. For the current callers, the only way to get zero returned is if end <= start. Since they are all adding a constant to the start address, this is unnecessary. We can remove a bunch of needless checks by simplifying the API to do just what everyone wants, return an address between [start, start + range). While we're here, s/get_random_int/get_random_long/. No current call site is adversely affected by get_random_int(), since all current range requests are < UINT_MAX. However, we should match caller expectations to avoid coming up short (ha!) in the future. Address generation within [start, start + range) behavior is preserved. All current callers to randomize_range() chose to use the start address if randomize_range() failed. Therefore, we simplify things by just returning the start address on error. randomize_range() will be removed once all callers have been converted over to randomize_addr(). Signed-off-by: Jason Cooper --- drivers/char/random.c | 26 ++++++++++++++++++++++++++ include/linux/random.h | 1 + 2 files changed, 27 insertions(+) diff --git a/drivers/char/random.c b/drivers/char/random.c index 0158d3bff7e5..3610774bcc53 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1840,6 +1840,32 @@ randomize_range(unsigned long start, unsigned long end, unsigned long len) return PAGE_ALIGN(get_random_int() % range + start); } +/** + * randomize_addr - Generate a random, page aligned address + * @start: The smallest acceptable address the caller will take. + * @range: The size of the area, starting at @start, within which the + * random address must fall. + * + * Before page alignment, the random address generated can be any value from + * @start, to @start + @range - 1 inclusive. + * + * If @start + @range would overflow, @range is capped. + * + * Return: A page aligned address within [start, start + range). On error, + * @start is returned. + */ +unsigned long +randomize_addr(unsigned long start, unsigned long range) +{ + if (range == 0) + return start; + + if (start > ULONG_MAX - range) + range = ULONG_MAX - start; + + return PAGE_ALIGN(get_random_long() % range + start); +} + /* Interface for in-kernel drivers of true hardware RNGs. * Those devices may produce endless random bits and will be throttled * when our pool is full. diff --git a/include/linux/random.h b/include/linux/random.h index e47e533742b5..f1ca2fa4c071 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -35,6 +35,7 @@ extern const struct file_operations random_fops, urandom_fops; unsigned int get_random_int(void); unsigned long get_random_long(void); unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); +unsigned long randomize_addr(unsigned long start, unsigned long range); u32 prandom_u32(void); void prandom_bytes(void *buf, size_t nbytes); -- 2.9.2