linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dominik Brodowski <linux@dominikbrodowski.net>
To: tytso@mit.edu
Cc: "Ivan T. Ivanov" <iivanov@suse.de>,
	Ard Biesheuvel <ardb@kernel.org>,
	linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3] random: fix crash on multiple early calls to add_bootloader_randomness()
Date: Fri, 5 Nov 2021 07:04:36 +0100	[thread overview]
Message-ID: <YYTJdLuuFAShnblb@light.dominikbrodowski.net> (raw)
In-Reply-To: <YWVKAk4h5bsUA3b6@light.dominikbrodowski.net>

If add_bootloader_randomness() or add_hwgenerator_randomness() is
called for the first time during early boot, crng_init equals 0. Then,
crng_fast_load() gets called -- which is safe to do even if the input
pool is not yet properly set up.

If the added entropy suffices to increase crng_init to 1, future calls
to add_bootloader_randomness() or add_hwgenerator_randomness() used to
progress to credit_entropy_bits(). However, if the input pool is not yet
properly set up, the cmpxchg call within that function can lead to an
infinite recursion. This is not only a hypothetical problem, as qemu
on arm64 may provide bootloader entropy via EFI and via devicetree.

As crng_global_init_time is set to != 0 once the input pool is properly
set up, check (also) for this condition to determine which branch to take.

Calls to crng_fast_load() do not modify the input pool; therefore, the
entropy_count for the input pool must not be modified at that early
stage.

Reported-by: Ivan T. Ivanov <iivanov@suse.de>
Fixes: 18b915ac6b0a ("efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness")
Tested-by: Ivan T. Ivanov <iivanov@suse.de>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
---
v2->v3: onle one unlikely (Ard Biesheuvel)
v1->v2: fix commit message; unmerge Reported-and-tested-by-tag (Ard Biesheuvel)

 drivers/char/random.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 605969ed0f96..18fe804c1bf8 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1763,8 +1763,8 @@ static void __init init_std_data(struct entropy_store *r)
 }
 
 /*
- * Note that setup_arch() may call add_device_randomness()
- * long before we get here. This allows seeding of the pools
+ * add_device_randomness() or add_bootloader_randomness() may be
+ * called long before we get here. This allows seeding of the pools
  * with some platform dependent data very early in the boot
  * process. But it limits our options here. We must use
  * statically allocated structures that already have all
@@ -2274,7 +2274,12 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
 {
 	struct entropy_store *poolp = &input_pool;
 
-	if (unlikely(crng_init == 0)) {
+	/* We cannot do much with the input pool until it is set up in
+	 * rand_initalize(); therefore just mix into the crng state.
+	 * As this does not affect the input pool, we cannot credit
+	 * entropy for this.
+	 */
+	if (unlikely(crng_init == 0 || crng_global_init_time == 0)) {
 		crng_fast_load(buffer, count);
 		return;
 	}

  parent reply	other threads:[~2021-11-05  7:54 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-12  8:27 [PATCH] Revert "efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness" Ivan T. Ivanov
2021-10-12  8:40 ` Dominik Brodowski
2021-10-13  7:30   ` [RESEND] " Ivan T. Ivanov
2021-10-13  7:50     ` Ard Biesheuvel
2021-10-13  8:05       ` Ivan T. Ivanov
2021-10-13  9:51       ` [RESEND] " Ivan T. Ivanov
2021-10-13  9:53         ` Ivan T. Ivanov
2021-10-13 13:23           ` Ivan T. Ivanov
2021-10-31  6:30   ` [PATCH] random: fix crash on multiple early calls to add_bootloader_randomness() Dominik Brodowski
2021-10-31 12:33     ` Ard Biesheuvel
2021-11-03  7:14       ` Dominik Brodowski
2021-11-03  7:27         ` Ard Biesheuvel
2021-11-05  6:04           ` Dominik Brodowski
2021-11-03  7:17   ` [PATCH v2] " Dominik Brodowski
2021-11-05  6:04   ` Dominik Brodowski [this message]
2021-11-24 12:32     ` [PATCH v3] " Ivan T. Ivanov
2021-12-02 11:35   ` [PATCH v3, resend] " Dominik Brodowski
2021-12-02 16:55     ` Jason A. Donenfeld
2021-12-03  7:58       ` [PATCH v4] " Dominik Brodowski
2021-12-03 15:39         ` Jason A. Donenfeld
2021-12-03 16:47           ` Jason A. Donenfeld
2021-12-03 17:01             ` Dominik Brodowski
2021-12-06  8:14           ` Ivan T. Ivanov
2021-12-30 18:05             ` Jason A. Donenfeld
2022-01-04 15:06               ` Ivan T. Ivanov
2021-12-06  5:42         ` Hsin-Yi Wang
2021-12-06 20:57           ` [PATCH v5] " Dominik Brodowski
2021-12-07  7:09             ` Hsin-Yi Wang
2021-12-07  7:14               ` Dominik Brodowski
2021-12-07 17:22             ` Jason A. Donenfeld
2021-12-20 14:48               ` Jason A. Donenfeld

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YYTJdLuuFAShnblb@light.dominikbrodowski.net \
    --to=linux@dominikbrodowski.net \
    --cc=ardb@kernel.org \
    --cc=iivanov@suse.de \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).