random32: make prandom_u32() output unpredictable
George Spelvin authored
commit c51f8f88 upstream.

Non-cryptographic PRNGs may have great statistical properties, but
are usually trivially predictable to someone who knows the algorithm,
given a small sample of their output.  An LFSR like prandom_u32() is
particularly simple, even if the sample is widely scattered bits.

It turns out the network stack uses prandom_u32() for some things like
random port numbers which it would prefer are *not* trivially predictable.
Predictability led to a practical DNS spoofing attack.  Oops.

This patch replaces the LFSR with a homebrew cryptographic PRNG based
on the SipHash round function, which is in turn seeded with 128 bits
of strong random key.  (The authors of SipHash have *not* been consulted
about this abuse of their algorithm.)  Speed is prioritized over security;
attacks are rare, while performance is always wanted.

Replacing all callers of prandom_u32() is the quick fix.
Whether to reinstate a weaker PRNG for uses which can tolerate it
is an open question.

Commit f227e3ec ("random32: update the net random state on interrupt
and activity") was an earlier attempt at a solution.  This patch replaces
it.
Reported-by: Amit Klein <aksecurity@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Eric Dumazet <edumazet@google.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: tytso@mit.edu
Cc: Florian Westphal <fw@strlen.de>
Cc: Marc Plumb <lkml.mplumb@gmail.com>
Fixes: f227e3ec ("random32: update the net random state on interrupt and activity")
Signed-off-by: George Spelvin <lkml@sdf.org>
Link: https://lore.kernel.org/netdev/20200808152628.GA27941@SDF.ORG/
[ willy: partial reversal of f227e3ec; moved SIPROUND definitions
  to prandom.h for later use; merged George's prandom_seed() proposal;
  inlined siprand_u32(); replaced the net_rand_state[] array with 4
  members to fix a build issue; cosmetic cleanups to make checkpatch
  happy; fixed RANDOM32_SELFTEST build ]
[wt: backported to 4.19 -- various context adjustments]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
81d7c56d
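The commit message describes the design in one sentence: drop the LFSR, use the SipHash round function as the state update, and seed the state with a 128-bit key. The C below is an added illustration of that design, not the kernel's prandom code: `SIPROUND` is the public SipHash round from Aumasson and Bernstein's reference implementation, `siphash24()` is a full SipHash-2-4 used only as a known-answer check that the round macro is right (vectors from the SipHash paper and reference code), and `siprand_seed()`/`siprand_u32()` show the keyed generator. The number of rounds per output and the `v1 + v3` output extraction are this example's assumptions; the kernel's exact choices are in the patch, not reproduced here. The demo key in `main()` is a constructed value standing in for the strong random key the commit describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not the kernel's prandom code: a keyed PRNG whose
 * state update is the SipHash round function. With a secret 128-bit key,
 * knowing the algorithm alone is not enough to predict the next output,
 * which is the property the old LFSR lacked. */

#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))

/* One SipHash ARX round, as in the reference implementation. */
#define SIPROUND(v0, v1, v2, v3) do {                                   \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);       \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                            \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                            \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);       \
} while (0)

/* Full SipHash-2-4 over a byte string: used here only to confirm against
 * published test vectors that SIPROUND above is the genuine round. */
uint64_t siphash24(const uint8_t *in, size_t inlen, uint64_t k0, uint64_t k1)
{
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL; /* "somepseu" */
    uint64_t v1 = k1 ^ 0x646f72616e646f6dULL; /* "dorandom" */
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL; /* "lygenera" */
    uint64_t v3 = k1 ^ 0x7465646279746573ULL; /* "tedbytes" */
    uint64_t b = (uint64_t)inlen << 56;       /* length goes in the last block */
    size_t i, left = inlen & 7;

    for (i = 0; i + 8 <= inlen; i += 8) {     /* full 8-byte little-endian blocks */
        uint64_t m = 0;
        for (int j = 0; j < 8; j++)
            m |= (uint64_t)in[i + j] << (8 * j);
        v3 ^= m;
        SIPROUND(v0, v1, v2, v3);
        SIPROUND(v0, v1, v2, v3);
        v0 ^= m;
    }
    for (size_t j = 0; j < left; j++)         /* trailing partial block */
        b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b;
    SIPROUND(v0, v1, v2, v3);
    SIPROUND(v0, v1, v2, v3);
    v0 ^= b;
    v2 ^= 0xff;                               /* finalization */
    for (int r = 0; r < 4; r++)
        SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Known-answer self-test: key 00..0f with the empty message (reference
 * vectors) and with the 15-byte message 00..0e (SipHash paper, Appendix A). */
int siphash_round_selftest(void)
{
    const uint64_t k0 = 0x0706050403020100ULL, k1 = 0x0f0e0d0c0b0a0908ULL;
    uint8_t msg[15];
    for (int i = 0; i < 15; i++)
        msg[i] = (uint8_t)i;
    return siphash24((const uint8_t *)"", 0, k0, k1) == 0x726fdb47dd0e0e31ULL &&
           siphash24(msg, 15, k0, k1) == 0xa129ca6149be45e5ULL;
}

struct siprand_state { uint64_t v0, v1, v2, v3; };

/* Seed from a 128-bit key. SipHash's constants keep an all-zero key from
 * producing an all-zero state. In the kernel the key would come from the
 * strong random source the commit refers to. */
void siprand_seed(struct siprand_state *s, uint64_t k0, uint64_t k1)
{
    s->v0 = k0 ^ 0x736f6d6570736575ULL;
    s->v1 = k1 ^ 0x646f72616e646f6dULL;
    s->v2 = k0 ^ 0x6c7967656e657261ULL;
    s->v3 = k1 ^ 0x7465646279746573ULL;
}

/* Two rounds per output and the v1 + v3 extraction are this example's
 * assumptions, chosen to keep the per-call cost low. */
uint32_t siprand_u32(struct siprand_state *s)
{
    uint64_t v0 = s->v0, v1 = s->v1, v2 = s->v2, v3 = s->v3;
    SIPROUND(v0, v1, v2, v3);
    SIPROUND(v0, v1, v2, v3);
    s->v0 = v0; s->v1 = v1; s->v2 = v2; s->v3 = v3;
    return (uint32_t)(v1 + v3);
}

/* 1 if generators seeded with the two keys agree on their first n outputs:
 * same key must replay the same stream, different keys should diverge. */
int siprand_stream_equal(uint64_t ka0, uint64_t ka1, uint64_t kb0, uint64_t kb1, int n)
{
    struct siprand_state a, b;
    siprand_seed(&a, ka0, ka1);
    siprand_seed(&b, kb0, kb1);
    for (int i = 0; i < n; i++)
        if (siprand_u32(&a) != siprand_u32(&b))
            return 0;
    return 1;
}

int main(void)
{
    struct siprand_state s;
    printf("siphash round self-test: %s\n", siphash_round_selftest() ? "ok" : "FAIL");
    siprand_seed(&s, 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL); /* constructed demo key */
    for (int i = 0; i < 4; i++)
        printf("%08x\n", siprand_u32(&s));
    return 0;
}
```

The self-test mirrors the purpose of the `RANDOM32_SELFTEST` build mentioned in the backport note: before trusting a homebrew generator, confirm that the primitive it is built on matches the published reference, since a mistyped rotation constant would silently weaken the construction while still producing plausible-looking output.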