diff options
author | Jason A. Donenfeld <[email protected]> | 2022-02-08 13:00:11 +0100 |
---|---|---|
committer | Jason A. Donenfeld <[email protected]> | 2022-02-21 16:48:06 +0100 |
commit | 91c2afca290ed3034841c8c8532e69ed9e16cf34 (patch) | |
tree | 4af8f9ccf9fec175d117b7e3b6ef76fd1fd4b4ef | |
parent | a02cf3d0dd77244fd5333ac48d78871de459ae6d (diff) |
random: do not xor RDRAND when writing into /dev/random
Continuing the reasoning of "random: ensure early RDSEED goes through
mixer on init", we don't want RDRAND interacting with anything without
going through the mixer function, as a backdoored CPU could presumably
cancel out data during an xor, which it'd have a harder time doing when
being forced through a cryptographic hash function. There's actually no
need at all to be calling RDRAND in write_pool(), because before we
extract from the pool, we always do so with 32 bytes of RDSEED hashed in
at that stage. Xoring at this stage is needless and introduces a minor
liability.
Cc: Theodore Ts'o <[email protected]>
Reviewed-by: Dominik Brodowski <[email protected]>
Reviewed-by: Eric Biggers <[email protected]>
Signed-off-by: Jason A. Donenfeld <[email protected]>
-rw-r--r-- | drivers/char/random.c | 14 |
1 files changed, 2 insertions, 12 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c index 21a067cf5b4c..d31b0b3afe2e 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1305,25 +1305,15 @@ static __poll_t random_poll(struct file *file, poll_table *wait) static int write_pool(const char __user *buffer, size_t count) { size_t bytes; - u32 t, buf[16]; + u8 buf[BLAKE2S_BLOCK_SIZE]; const char __user *p = buffer; while (count > 0) { - int b, i = 0; - bytes = min(count, sizeof(buf)); - if (copy_from_user(&buf, p, bytes)) + if (copy_from_user(buf, p, bytes)) return -EFAULT; - - for (b = bytes; b > 0; b -= sizeof(u32), i++) { - if (!arch_get_random_int(&t)) - break; - buf[i] ^= t; - } - count -= bytes; p += bytes; - mix_pool_bytes(buf, bytes); cond_resched(); } |