Warning due to missing input validation for RNDADDTOENTCNT
Issue description
The following program (reported upstream by Dmitry Vyukov, also reproducible on the current Ryu kernel with syzkaller):
========================================
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/random.h>

int main(void)
{
	/* Only root can issue RNDADDTOENTCNT, so run this as root to reproduce. */
	int fd = open("/dev/random", O_RDWR);
	if (fd < 0)
		return 1;
	/* On 3.18 a negative count reaches credit_entropy_bits() unchecked. */
	int val = -5000;
	ioctl(fd, RNDADDTOENTCNT, &val);
	close(fd);
	return 0;
}
========================================
produces the following warning:
[ 8049.706498] ------------[ cut here ]------------
[ 8049.711175] WARNING: CPU: 3 PID: 6494 at /mnt/host/source/src/third_party/kernel/v3.18/drivers/char/random.c:650 credit_entropy_bits+0x138/0x6a0()
[ 8049.724343] CPU: 3 PID: 6494 Comm: warn_entropy_ov Tainted: G U W 3.18.0 #80
[ 8049.732295] Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
[ 8049.738162] Call trace:
[ 8049.740662] [<ffffffc00020b064>] dump_backtrace+0x0/0x17c
[ 8049.746109] [<ffffffc00020b1f8>] show_stack+0x18/0x24
[ 8049.751212] [<ffffffc0011853b0>] dump_stack+0x94/0x100
[ 8049.756400] [<ffffffc00022c5b4>] warn_slowpath_common+0xbc/0xec
[ 8049.762369] [<ffffffc00022c748>] warn_slowpath_null+0x2c/0x38
[ 8049.768163] [<ffffffc000764a6c>] credit_entropy_bits+0x134/0x6a0
[ 8049.774218] [<ffffffc000766088>] random_ioctl+0x274/0x2d4
[ 8049.779669] [<ffffffc0003f4dd4>] do_vfs_ioctl+0x818/0x854
[ 8049.785117] [<ffffffc0003f4e7c>] SyS_ioctl+0x6c/0xb0
[ 8049.790122] ---[ end trace 4823ec8017286c7a ]---
We need to backport https://github.com/torvalds/linux/commit/86a574de4590ffe6fd3f3ca34cdcf655a78e36ec to the 3.18 branch.
Sep 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1d7e4ef219cc02543ddbae54e396216b59b7a3a0

commit 1d7e4ef219cc02543ddbae54e396216b59b7a3a0
Author: Theodore Ts'o <tytso@mit.edu>
Date: Sun Jul 03 21:01:26 2016

UPSTREAM: random: strengthen input validation for RNDADDTOENTCNT

Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative entropy value. It doesn't make any sense to subtract from the entropy counter, and it can trigger a warning:

random: negative entropy/overflow: pool input count -40000
------------[ cut here ]------------
WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[< none >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
Modules linked in:
CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
[<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516
[<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
[<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
[< inline >] credit_entropy_bits_safe drivers/char/random.c:734
[<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
---[ end trace 5d4902b2ba842f1f ]---

This was triggered using the test program:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
int main() {
  int fd = open("/dev/random", O_RDWR);
  int val = -5000;
  ioctl(fd, RNDADDTOENTCNT, &val);
  return 0;
}

It's harmless in that (a) only root can trigger it, and (b) after complaining the code never does let the entropy count go negative, but it's better to simply not allow this userspace from passing in a negative entropy value altogether.

Google-Bug-Id: #29575089
Reported-By: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:638275

Change-Id: Ie81cc23bfcb3a165b2e16f6dad70838e9a1161a9
Reviewed-on: https://chromium-review.googlesource.com/386926
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>

[modify] https://crrev.com/1d7e4ef219cc02543ddbae54e396216b59b7a3a0/drivers/char/random.c
Mar 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3a5350f4aecf15df80dfb3a62b30e8cdd6a77d41

commit 3a5350f4aecf15df80dfb3a62b30e8cdd6a77d41
Author: Theodore Ts'o <tytso@mit.edu>
Date: Wed Mar 22 03:59:56 2017

UPSTREAM: random: strengthen input validation for RNDADDTOENTCNT

Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative entropy value. It doesn't make any sense to subtract from the entropy counter, and it can trigger a warning:

random: negative entropy/overflow: pool input count -40000
------------[ cut here ]------------
WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[< none >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
Modules linked in:
CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
[<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516
[<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
[<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
[< inline >] credit_entropy_bits_safe drivers/char/random.c:734
[<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
---[ end trace 5d4902b2ba842f1f ]---

This was triggered using the test program:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
int main() {
  int fd = open("/dev/random", O_RDWR);
  int val = -5000;
  ioctl(fd, RNDADDTOENTCNT, &val);
  return 0;
}

It's harmless in that (a) only root can trigger it, and (b) after complaining the code never does let the entropy count go negative, but it's better to simply not allow this userspace from passing in a negative entropy value altogether.

Google-Bug-Id: #29575089
Reported-By: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:638275
TEST=tested on 3.18

Change-Id: I83e2c7978dce0fff1f19ba738dac3281681198ba
Reviewed-on: https://chromium-review.googlesource.com/386562
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/3a5350f4aecf15df80dfb3a62b30e8cdd6a77d41/drivers/char/random.c
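A user-space model of the check the two backported commits above describe, added here as an illustration rather than the kernel's own code: the pre-fix path lets a negative count reach the crediting function (which warns and clamps), while the post-fix path rejects it at the ioctl boundary with -EINVAL. POOL_BITS, the struct and the function names are assumptions, and crediting is simplified to plain addition.

```c
/* Added illustration, not the kernel's code: a user-space model of the
 * RNDADDTOENTCNT path before and after the fix in the commit above. POOL_BITS
 * and the names are assumptions; crediting is simplified to plain addition. */
#include <errno.h>

#define POOL_BITS 4096              /* assumed pool capacity in bits */

struct entropy_pool {
    int entropy_count;              /* credited entropy, in bits */
    int warned;                     /* set where the kernel's WARN fires */
};

/* Model of credit_entropy_bits(): warns on a negative result but, as the
 * commit message notes, never lets the count actually go negative. */
static void credit_entropy_bits(struct entropy_pool *r, int nbits)
{
    int count = r->entropy_count + nbits;
    if (count < 0) {
        r->warned = 1;              /* "negative entropy/overflow" splat */
        count = 0;
    } else if (count > POOL_BITS) {
        count = POOL_BITS;
    }
    r->entropy_count = count;
}

/* Pre-fix: the user-supplied count is passed through unchecked. */
static int addtoentcnt_before(struct entropy_pool *r, int ent_count)
{
    credit_entropy_bits(r, ent_count);
    return 0;
}

/* Post-fix: reject negatives at the ioctl boundary and cap the rest. */
static int addtoentcnt_after(struct entropy_pool *r, int ent_count)
{
    if (ent_count < 0)
        return -EINVAL;
    if (ent_count > POOL_BITS)
        ent_count = POOL_BITS;
    credit_entropy_bits(r, ent_count);
    return 0;
}
```

Calling both handlers with the reproducer's value of -5000 from a main() of your own shows the first one setting warned while the second returns -EINVAL and leaves the count untouched.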
Jan 8 2018
Comment 1 by glider@chromium.org, Sep 19 2016
Status: Started (was: Untriaged)