From: "Theodore Ts'o" <tytso@mit.edu>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>,
Dave Jones <davej@redhat.com>,
Linux Kernel <linux-kernel@vger.kernel.org>,
Greg Price <price@mit.edu>
Subject: Re: [PATCH] random: check for increase of entropy_count because of signed conversion
Date: Fri, 18 Jul 2014 17:50:54 -0400 [thread overview]
Message-ID: <20140718215054.GD18775@thunk.org> (raw)
In-Reply-To: <20140718212504.GC18775@thunk.org>
On Fri, Jul 18, 2014 at 05:25:04PM -0400, Theodore Ts'o wrote:
> > As indicated by credit_entropy_bits entropy_count cannot get negative,
> > so I don't see any reason to include a check for entropy_count < 0
> > here. Do you agree?
>
> No, the check is important; after we subtract ibytes << (ENTROPY_SHIFT
> + 3) we could drive entropy_count negative, and we don't want to
> trigger the WARN_ON().
>
> I'll modify the patch to keep the check.
Never mind, I took a closer look at the your patch, and I now
understand what you were asking. Since entropy_count should never
_start_ negative, simply checking to see if entropy_count > nfrac is
sufficient.
However, there's something a bit larger hiding here, which is we
shouldn't allow urandom_read to be passed a which is greater than
INT_MAX >> ENTROPY_SHIFT. Otherwise, the nfrac calcuation will
overflow, which can also result in too little entropy getting removed.
The other problem is that comparing since entropy_count is an int, and
nfrac is a size_t, this is a signed vs. unsigned comparison, which
will raise compiler warnings.
Let me know what you think of my revised patch, which should hopefully
add enough checks to be sufficiently paranoid. :-)
- Ted
next prev parent reply other threads:[~2014-07-18 21:51 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-12 15:42 perf: use after free in perf_remove_from_context Sasha Levin
2014-05-14 16:29 ` Peter Zijlstra
2014-05-14 16:32 ` Sasha Levin
2014-05-14 16:35 ` Peter Zijlstra
2014-05-14 16:38 ` Sasha Levin
2014-05-14 16:52 ` Peter Zijlstra
2014-05-14 17:09 ` Sasha Levin
2014-05-14 17:20 ` Dave Jones
2014-05-14 18:37 ` Peter Zijlstra
2014-05-28 23:52 ` Sasha Levin
2014-05-29 2:31 ` Sasha Levin
2014-05-29 7:59 ` Peter Zijlstra
2014-05-29 7:57 ` Peter Zijlstra
2014-05-29 14:47 ` Sasha Levin
2014-05-29 15:07 ` Peter Zijlstra
2014-05-29 16:44 ` Sasha Levin
2014-05-29 16:50 ` Peter Zijlstra
2014-05-29 16:52 ` Sasha Levin
2014-05-29 17:00 ` Peter Zijlstra
2014-05-29 22:37 ` Sasha Levin
2014-06-05 14:38 ` [tip:perf/core] perf: Fix use after free in perf_remove_from_context() tip-bot for Peter Zijlstra
2014-05-15 18:11 ` eventpoll __list_del_entry corruption (was: perf: use after free in perf_remove_from_context) Peter Zijlstra
2014-05-15 18:16 ` eventpoll __list_del_entry corruption Sasha Levin
2014-06-16 9:44 ` Eric Wong
2014-05-21 8:25 ` BUG at /usr/src/linux-2.6/mm/filemap.c:202 (was: perf: use after free in perf_remove_from_context) Peter Zijlstra
2014-05-21 13:02 ` BUG at /usr/src/linux-2.6/mm/filemap.c:202 Sasha Levin
2014-06-03 15:07 ` eventpoll __list_del_entry corruption Jason Baron
2014-06-03 15:11 ` Peter Zijlstra
2014-05-16 15:34 ` BUG_ON drivers/char/random.c:986 (Was: perf: use after free in perf_remove_from_context) Peter Zijlstra
2014-05-16 16:06 ` H. Peter Anvin
2014-05-16 16:21 ` Peter Zijlstra
2014-05-17 0:46 ` Hannes Frederic Sowa
2014-05-17 2:18 ` Theodore Ts'o
2014-05-17 16:24 ` Sasha Levin
2014-05-17 17:00 ` Peter Zijlstra
2014-07-15 4:36 ` BUG_ON drivers/char/random.c:986 Dave Jones
2014-07-15 20:29 ` Hannes Frederic Sowa
2014-07-16 8:33 ` Theodore Ts'o
2014-07-16 19:18 ` [PATCH] random: check for increase of entropy_count because of signed conversion Hannes Frederic Sowa
2014-07-18 21:25 ` Theodore Ts'o
2014-07-18 21:43 ` Hannes Frederic Sowa
2014-07-18 21:50 ` Theodore Ts'o [this message]
2014-07-18 22:07 ` Theodore Ts'o
2014-07-18 23:35 ` Hannes Frederic Sowa
2014-07-19 5:42 ` Theodore Ts'o
2014-07-19 6:20 ` Hannes Frederic Sowa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140718215054.GD18775@thunk.org \
--to=tytso@mit.edu \
--cc=davej@redhat.com \
--cc=hannes@stressinduktion.org \
--cc=linux-kernel@vger.kernel.org \
--cc=price@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.