From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754592AbcGZEod (ORCPT ); Tue, 26 Jul 2016 00:44:33 -0400 Received: from mail-wm0-f54.google.com ([74.125.82.54]:38128 "EHLO mail-wm0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753434AbcGZEoa (ORCPT ); Tue, 26 Jul 2016 00:44:30 -0400 MIME-Version: 1.0 In-Reply-To: <20160726030201.6775-1-jason@lakedaemon.net> References: <1469471141-25669-1-git-send-email-william.c.roberts@intel.com> <20160726030201.6775-1-jason@lakedaemon.net> From: Kees Cook Date: Mon, 25 Jul 2016 21:44:27 -0700 X-Google-Sender-Auth: oZGcAt_KSU_PcJUAopzAImyPyC8 Message-ID: Subject: Re: [RFC patch 1/6] random: Simplify API for random address requests To: Jason Cooper Cc: "Roberts, William C" , linux-mm@vger.kernel.org, LKML , "kernel-hardening@lists.openwall.com" , Russell King - ARM Linux , Andrew Morton , "Theodore Ts'o" , Arnd Bergmann , Greg KH , Catalin Marinas , Will Deacon , Ralf Baechle , "benh@kernel.crashing.org" , Paul Mackerras , Michael Ellerman , "David S. Miller" , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , "x86@kernel.org" , Al Viro , Nick Kralevich , Jeffrey Vander Stoep , Mark Salyzyn , Daniel Cashman Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 25, 2016 at 8:01 PM, Jason Cooper wrote: > To date, all callers of randomize_range() have set the length to 0, and > check for a zero return value. For the current callers, the only way > to get zero returned is if end <= start. Since they are all adding a > constant to the start address, this is unnecessary. > > We can remove a bunch of needless checks by simplifying the API to do > just what everyone wants, return an address between [start, start + > range]. > > While we're here, s/get_random_int/get_random_long/. No current call > site is adversely affected by get_random_int(), since all current range > requests are < MAX_UINT. However, we should match caller expectations > to avoid coming up short (ha!) in the future. > > Signed-off-by: Jason Cooper > --- > drivers/char/random.c | 17 ++++------------- > include/linux/random.h | 2 +- > 2 files changed, 5 insertions(+), 14 deletions(-) > > diff --git a/drivers/char/random.c b/drivers/char/random.c > index 0158d3bff7e5..1251cb2cbab2 100644 > --- a/drivers/char/random.c > +++ b/drivers/char/random.c > @@ -1822,22 +1822,13 @@ unsigned long get_random_long(void) > EXPORT_SYMBOL(get_random_long); > > /* > - * randomize_range() returns a start address such that > - * > - * [...... .....] > - * start end > - * > - * a with size "len" starting at the return value is inside in the > - * area defined by [start, end], but is otherwise randomized. > + * randomize_addr() returns a page aligned address within [start, start + > + * range] > */ > unsigned long > -randomize_range(unsigned long start, unsigned long end, unsigned long len) > +randomize_addr(unsigned long start, unsigned long range) Also, this series isn't bisectable since randomize_range gets removed here before the callers are updated. Perhaps add a macro that calls randomize_addr with a BUG_ON for len != 0? (And then remove it in the last patch?) -Kees > { > - unsigned long range = end - len - start; > - > - if (end <= start + len) > - return 0; > - return PAGE_ALIGN(get_random_int() % range + start); > + return PAGE_ALIGN(get_random_long() % range + start); > } > > /* Interface for in-kernel drivers of true hardware RNGs. > diff --git a/include/linux/random.h b/include/linux/random.h > index e47e533742b5..1ad877a98186 100644 > --- a/include/linux/random.h > +++ b/include/linux/random.h > @@ -34,7 +34,7 @@ extern const struct file_operations random_fops, urandom_fops; > > unsigned int get_random_int(void); > unsigned long get_random_long(void); > -unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); > +unsigned long randomize_addr(unsigned long start, unsigned long range); > > u32 prandom_u32(void); > void prandom_bytes(void *buf, size_t nbytes); > -- > 2.9.2 > -- Kees Cook Chrome OS & Brillo Security From mboxrd@z Thu Jan 1 00:00:00 1970 Reply-To: kernel-hardening@lists.openwall.com MIME-Version: 1.0 Sender: keescook@google.com In-Reply-To: <20160726030201.6775-1-jason@lakedaemon.net> References: <1469471141-25669-1-git-send-email-william.c.roberts@intel.com> <20160726030201.6775-1-jason@lakedaemon.net> From: Kees Cook Date: Mon, 25 Jul 2016 21:44:27 -0700 Message-ID: Content-Type: text/plain; charset=UTF-8 Subject: [kernel-hardening] Re: [RFC patch 1/6] random: Simplify API for random address requests To: Jason Cooper Cc: "Roberts, William C" , linux-mm@vger.kernel.org, LKML , "kernel-hardening@lists.openwall.com" , Russell King - ARM Linux , Andrew Morton , Theodore Ts'o , Arnd Bergmann , Greg KH , Catalin Marinas , Will Deacon , Ralf Baechle , "benh@kernel.crashing.org" , Paul Mackerras , Michael Ellerman , "David S. Miller" , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , "x86@kernel.org" , Al Viro , Nick Kralevich , Jeffrey Vander Stoep , Mark Salyzyn , Daniel Cashman List-ID: On Mon, Jul 25, 2016 at 8:01 PM, Jason Cooper wrote: > To date, all callers of randomize_range() have set the length to 0, and > check for a zero return value. For the current callers, the only way > to get zero returned is if end <= start. Since they are all adding a > constant to the start address, this is unnecessary. > > We can remove a bunch of needless checks by simplifying the API to do > just what everyone wants, return an address between [start, start + > range]. > > While we're here, s/get_random_int/get_random_long/. No current call > site is adversely affected by get_random_int(), since all current range > requests are < MAX_UINT. However, we should match caller expectations > to avoid coming up short (ha!) in the future. > > Signed-off-by: Jason Cooper > --- > drivers/char/random.c | 17 ++++------------- > include/linux/random.h | 2 +- > 2 files changed, 5 insertions(+), 14 deletions(-) > > diff --git a/drivers/char/random.c b/drivers/char/random.c > index 0158d3bff7e5..1251cb2cbab2 100644 > --- a/drivers/char/random.c > +++ b/drivers/char/random.c > @@ -1822,22 +1822,13 @@ unsigned long get_random_long(void) > EXPORT_SYMBOL(get_random_long); > > /* > - * randomize_range() returns a start address such that > - * > - * [...... .....] > - * start end > - * > - * a with size "len" starting at the return value is inside in the > - * area defined by [start, end], but is otherwise randomized. > + * randomize_addr() returns a page aligned address within [start, start + > + * range] > */ > unsigned long > -randomize_range(unsigned long start, unsigned long end, unsigned long len) > +randomize_addr(unsigned long start, unsigned long range) Also, this series isn't bisectable since randomize_range gets removed here before the callers are updated. Perhaps add a macro that calls randomize_addr with a BUG_ON for len != 0? (And then remove it in the last patch?) -Kees > { > - unsigned long range = end - len - start; > - > - if (end <= start + len) > - return 0; > - return PAGE_ALIGN(get_random_int() % range + start); > + return PAGE_ALIGN(get_random_long() % range + start); > } > > /* Interface for in-kernel drivers of true hardware RNGs. > diff --git a/include/linux/random.h b/include/linux/random.h > index e47e533742b5..1ad877a98186 100644 > --- a/include/linux/random.h > +++ b/include/linux/random.h > @@ -34,7 +34,7 @@ extern const struct file_operations random_fops, urandom_fops; > > unsigned int get_random_int(void); > unsigned long get_random_long(void); > -unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len); > +unsigned long randomize_addr(unsigned long start, unsigned long range); > > u32 prandom_u32(void); > void prandom_bytes(void *buf, size_t nbytes); > -- > 2.9.2 > -- Kees Cook Chrome OS & Brillo Security