[GIT PULL] random number generator fixes for 5.18-rc2

From: Jason A. Donenfeld
Date: Thu Apr 07 2022 - 09:29:19 EST

Next message: Javier Martinez Canillas: "Re: [PATCH] drm/vc4: Use newer fence API properly to fix build errors"
Previous message: Dan Carpenter: "Re: [PATCH v2] staging: media: ipu3: Fix AWB x_start position when rightmost stripe is used"
Next in thread: Linus Torvalds: "Re: [GIT PULL] random number generator fixes for 5.18-rc2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Linus,

Please pull the following five fixes to the RNG for 5.18-rc2:

- Another fixup to the fast_init/crng_init split, this time in how much
entropy is being credited, from Jan Varho.

- As discussed, we now opportunistically call try_to_generate_entropy() in
/dev/urandom reads, as a replacement for the reverted commit. I opted to not
do the more invasive wait_for_random_bytes() change at least for now,
preferring to do something smaller and more obvious for the time being, but
maybe that can be revisited as things evolve later.

- Userspace can use FUSE or userfaultfd or simply move a process to idle
priority in order to make a read from the random device never complete,
which breaks forward secrecy, fixed by overwriting sensitive bytes early on
in the function.

- Jann Horn noticed that /dev/urandom reads were only checking for pending
signals if need_resched() was true, a bug going back to the genesis commit,
now fixed by always checking for signal_pending() and calling
cond_resched(). This explains various noticeable signal delivery delays I've
seen in programs over the years that do long reads from /dev/urandom.

- In order to be more like other devices (e.g. /dev/zero) and to mitigate the
impact of fixing the above bug, which has been around forever (users have
never really needed to check the return value of read() for medium-sized
reads and so perhaps many didn't), we now move signal checking to the bottom
part of the loop, and do so every PAGE_SIZE-bytes.

Thanks,
Jason

The following changes since commit 3123109284176b1532874591f7c81f3837bbdc17:

Linux 5.18-rc1 (2022-04-03 14:08:21 -0700)

are available in the Git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/crng/random.git tags/random-5.18-rc2-for-linus

for you to fetch changes up to e3c1c4fd9e6d14059ed93ebfe15e1c57793b1a05:

random: check for signals every PAGE_SIZE chunk of /dev/[u]random (2022-04-07 01:36:37 +0200)

----------------------------------------------------------------
Random number generator fixes for Linux 5.18-rc2.
----------------------------------------------------------------

Jan Varho (1):
random: do not split fast init input in add_hwgenerator_randomness()

Jann Horn (1):
random: check for signal_pending() outside of need_resched() check

Jason A. Donenfeld (3):
random: opportunistically initialize on /dev/urandom reads
random: do not allow user to keep crng key around on stack
random: check for signals every PAGE_SIZE chunk of /dev/[u]random

drivers/char/random.c | 74 +++++++++++++++++++++++++++------------------------
1 file changed, 39 insertions(+), 35 deletions(-)

Next message: Javier Martinez Canillas: "Re: [PATCH] drm/vc4: Use newer fence API properly to fix build errors"
Previous message: Dan Carpenter: "Re: [PATCH v2] staging: media: ipu3: Fix AWB x_start position when rightmost stripe is used"
Next in thread: Linus Torvalds: "Re: [GIT PULL] random number generator fixes for 5.18-rc2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]