github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 22:52:35 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
f03b21494d
linux/kernel/time
History
George Spelvin 81d7c56d6f random32: make prandom_u32() output unpredictable 
commit c51f8f88d7 upstream.

Non-cryptographic PRNGs may have great statistical properties, but
are usually trivially predictable to someone who knows the algorithm,
given a small sample of their output.  An LFSR like prandom_u32() is
particularly simple, even if the sample is widely scattered bits.

It turns out the network stack uses prandom_u32() for some things like
random port numbers which it would prefer are *not* trivially predictable.
Predictability led to a practical DNS spoofing attack.  Oops.

This patch replaces the LFSR with a homebrew cryptographic PRNG based
on the SipHash round function, which is in turn seeded with 128 bits
of strong random key.  (The authors of SipHash have *not* been consulted
about this abuse of their algorithm.)  Speed is prioritized over security;
attacks are rare, while performance is always wanted.

Replacing all callers of prandom_u32() is the quick fix.
Whether to reinstate a weaker PRNG for uses which can tolerate it
is an open question.

Commit f227e3ec3b ("random32: update the net random state on interrupt
and activity") was an earlier attempt at a solution.  This patch replaces
it.

Reported-by: Amit Klein <aksecurity@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Eric Dumazet <edumazet@google.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: tytso@mit.edu
Cc: Florian Westphal <fw@strlen.de>
Cc: Marc Plumb <lkml.mplumb@gmail.com>
Fixes: f227e3ec3b ("random32: update the net random state on interrupt and activity")
Signed-off-by: George Spelvin <lkml@sdf.org>
Link: https://lore.kernel.org/netdev/20200808152628.GA27941@SDF.ORG/
[ willy: partial reversal of f227e3ec3b5c; moved SIPROUND definitions
  to prandom.h for later use; merged George's prandom_seed() proposal;
  inlined siprand_u32(); replaced the net_rand_state[] array with 4
  members to fix a build issue; cosmetic cleanups to make checkpatch
  happy; fixed RANDOM32_SELFTEST build ]
[wt: backported to 4.19 -- various context adjustments]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-18 19:18:52 +01:00
..
alarmtimer.c
clockevents.c
clocksource.c clocksource: Prevent double add_timer_on() for watchdog_timer 2020-02-11 04:34:18 -08:00
hrtimer.c
itimer.c time: Prevent undefined behaviour in timespec64_to_ns() 2020-11-18 19:18:40 +01:00
jiffies.c
Kconfig
Makefile
ntp_internal.h
ntp.c
posix-clock.c
posix-cpu-timers.c
posix-stubs.c
posix-timers.c
posix-timers.h
sched_clock.c
test_udelay.c
tick-broadcast-hrtimer.c
tick-broadcast.c
tick-common.c tick/common: Touch watchdog in tick_unfreeze() on all CPUs 2020-11-18 19:18:46 +01:00
tick-internal.h
tick-oneshot.c
tick-sched.c
tick-sched.h
time.c
timeconst.bc
timeconv.c
timecounter.c
timekeeping_debug.c
timekeeping_internal.h
timekeeping.c timekeeping: Prevent 32bit truncation in scale64_check_overflow() 2020-10-01 13:14:36 +02:00
timekeeping.h
timer_list.c
timer.c random32: make prandom_u32() output unpredictable 2020-11-18 19:18:52 +01:00