From: Eric Biggers <ebiggers@kernel.org>
To: "Jason A . Donenfeld " <Jason@zx2c4.com>, Theodore Ts'o <tytso@mit.edu>
Cc: linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: [PATCH v2] random: avoid mis-detecting a slow counter as a cycle counter
Date: Thu, 21 Apr 2022 16:31:52 -0700 [thread overview]
Message-ID: <20220421233152.58522-1-ebiggers@kernel.org> (raw)
From: Eric Biggers <ebiggers@google.com>
The method that try_to_generate_entropy() uses to detect a cycle counter
is to check whether two calls to random_get_entropy() return different
values. This is uncomfortably prone to false positives if
random_get_entropy() is a slow counter, as the two calls could return
different values if the counter happens to be on the cusp of a change.
Making things worse, the task can be preempted between the calls.
This is problematic because try_to_generate_entropy() doesn't do any
real entropy estimation later; it always credits 1 bit per loop
iteration. To avoid crediting garbage, it relies entirely on the
preceding check for whether a cycle counter is present.
Therefore, increase the number of counter comparisons from 1 to 3, to
greatly reduce the rate of false positive cycle counter detections.
Fixes: 50ee7529ec45 ("random: try to actively add entropy rather than passively wait for it")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
v2: compare with previous value rather than first one.
drivers/char/random.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index bf89c6f27a192..18d2d1f959683 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1382,12 +1382,22 @@ static void try_to_generate_entropy(void)
unsigned long entropy;
struct timer_list timer;
} stack;
+ int i;
+ /*
+ * We must not proceed if we don't actually have a cycle counter. To
+ * detect a cycle counter, check whether random_get_entropy() returns a
+ * new value each time. Check this multiple times to avoid false
+ * positives where a slow counter could be just on the cusp of a change.
+ */
stack.entropy = random_get_entropy();
+ for (i = 0; i < 3; i++) {
+ unsigned long entropy = random_get_entropy();
- /* Slow counter - or none. Don't even bother */
- if (stack.entropy == random_get_entropy())
- return;
+ if (stack.entropy == entropy)
+ return;
+ stack.entropy = entropy;
+ }
timer_setup_on_stack(&stack.timer, entropy_timer, 0);
while (!crng_ready() && !signal_pending(current)) {
base-commit: 939ee380b17589d026e132a1be91199409c3c934
--
2.35.2
next reply other threads:[~2022-04-21 23:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-21 23:31 Eric Biggers [this message]
2022-04-21 23:40 ` [PATCH v2] random: avoid mis-detecting a slow counter as a cycle counter Jason A. Donenfeld
2022-04-22 0:34 ` Eric Biggers
2022-04-22 9:42 ` Jason A. Donenfeld
2022-04-22 13:24 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220421233152.58522-1-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.