Headline
CVE-2020-16166: git/torvalds/linux.git - Linux kernel source tree
The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.
This modifies the first 32 bits out of the 128 bits of a random CPU’s net_rand_state on interrupt or CPU activity to complicate remote observations that could lead to guessing the network RNG’s internal state. Note that depending on some network devices’ interrupt rate moderation or binding, this re-seeding might happen on every packet or even almost never. In addition, with NOHZ some CPUs might not even get timer interrupts, leaving their local state rarely updated, while they are running networked processes making use of the random state. For this reason, we also perform this update in update_process_times() in order to at least update the state when there is user or system activity, since it’s the only case we care about. Reported-by: Amit Klein [email protected] Suggested-by: Linus Torvalds [email protected] Cc: Eric Dumazet [email protected] Cc: “Jason A. Donenfeld” [email protected] Cc: Andy Lutomirski [email protected] Cc: Kees Cook [email protected] Cc: Thomas Gleixner [email protected] Cc: Peter Zijlstra [email protected] Cc: [email protected] Signed-off-by: Willy Tarreau [email protected] Signed-off-by: Linus Torvalds [email protected]
@@ -1277,6 +1277,7 @@ void add_interrupt_randomness(int irq, int irq_flags)
fast_mix(fast_pool);
add_interrupt_bench(cycles);
+ this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]);
if (unlikely(crng_init == 0)) {
if ((fast_pool->count >= 64) &&
@@ -11,6 +11,7 @@
#include <linux/kernel.h>
#include <linux/list.h>
#include <linux/once.h>
+#include <linux/percpu.h>
#include <uapi/linux/random.h>
@@ -119,6 +120,8 @@ struct rnd_state {
__u32 s1, s2, s3, s4;
};
+DECLARE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
u32 prandom_u32_state(struct rnd_state *state);
void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state);
@@ -43,6 +43,7 @@
#include <linux/sched/debug.h>
#include <linux/slab.h>
#include <linux/compat.h>
+#include <linux/random.h>
#include <linux/uaccess.h>
#include <asm/unistd.h>
@@ -1742,6 +1743,13 @@ void update_process_times(int user_tick)
scheduler_tick();
if (IS_ENABLED(CONFIG_POSIX_TIMERS))
run_posix_cpu_timers();
+ /* The current CPU might make use of net randoms without receiving IRQs
+ * to renew them often enough. Let’s update the net_rand_state from a
+ * non-constant value that’s not affine to the number of calls to make
+ * sure it’s updated when there’s some activity (we don’t care in idle).
+ */
+ this_cpu_add(net_rand_state.s1, rol32(jiffies, 24) + user_tick);
}
/**
diff --git a/lib/random32.c b/lib/random32.c
index 763b920a6206c…c4d317be2997b 100644
— a/lib/random32.c
+++ b/lib/random32.c
@@ -48,7 +48,7 @@ static inline void prandom_state_selftest(void)
}
#endif
-static DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
+DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
/**
* prandom_u32_state - seeded pseudo-random number generator.