Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes

[ebiederm@xmission.com (Eric W. Biederman)]

Linus Torvalds <torvalds@linux-foundation.org> writes:

> On Mon, 4 May 2009, Linus Torvalds wrote:
>> 
>> Quite frankly, the way "get_random_bytes()" works now (it does a _full_ 
>> sha thing every time), I think it's insane overkill. But I do have to 
>> admit that our current "get_random_int()" is insane _underkill_.
>
> Actually, I don't think "get_random_int()" is underkill per se (it does 
> that half md4 transform to try to hide the source of the data), but the 
> data itself is simply not modified at all, and the buffers aren't updated 
> in between rounds.
>
> In fact "secure_ip_id()" (which it uses) explicityl does that private 
> hash[] array so that the mixing that "half_md4_transform()" does do will 
> _not_ be saved for the next round - so the next round will always start 
> from the same keyptr "secret" state.
>
> I think.
>
> If that wasn't the case, and we actually kept mixing up the end result 
> back into the next iteration, I suspect the current "get_random_int()" 
> wouldn't be _nearly_ as bad as it is now. 
>
> Or maybe I'm missing some part of the transform, and we do mix the values 
> back as we do that "get_random_int()". I just don't see it. And if I'm 
> right, then I think _that_ is the real weakness of our current 
> get_random_int().

Yes, not mixing the result back (which would give us some kind of
pseudo random number generator) is the problem.

secure_ip_id, looks to be a very different kind of thing.  A seed
that is reused periodically.  Ultimately those values do change.

For the state we are mixing back into I expect we want it to be
per cpu so we don't need locks and avoid  cache line ping pongs
when we mix the state back.

I haven't seen Matts patch and couldn't find it when I did a quick
look so I don't have any idea there.

Eric