• Theodore Ts'o's avatar
    random: use a different mixing algorithm for add_device_randomness() · dc12baac
    Theodore Ts'o authored
    add_device_randomness() use of crng_fast_load() was highly
    problematic.  Some callers of add_device_randomness() can pass in a
    large amount of static information.  This would immediately promote
    the crng_init state from 0 to 1, without really doing much to
    initialize the primary_crng's internal state with something even
    vaguely unpredictable.
    
    Since we don't have the speed constraints of add_interrupt_randomness(),
    we can do a better job mixing in the what unpredictability a device
    driver or architecture maintainer might see fit to give us, and do it
    in a way which does not bump the crng_init_cnt variable.
    
    Also, since add_device_randomness() doesn't bump any entropy
    accounting in crng_init state 0, mix the device randomness into the
    input_pool entropy pool as well.  This is related to CVE-2018-1108.
    Reported-by: default avatarJann Horn <jannh@google.com>
    Fixes: ee7998c5 ("random: do not ignore early device randomness")
    Cc: stable@kernel.org # 4.13+
    Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
    dc12baac
random.c 65.3 KB