Bug 1567306 (CVE-2018-1108)

Summary: CVE-2018-1108 kernel: drivers: getrandom(2) unblocks too early after system boot
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: airlied, aquini, bhu, blc, bskeggs, dhoward, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jkacur, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, mchehab, mcressma, mjg59, mlangsdo, nmurray, rt-maint, rvrbovsk, security-response-team, skozina, slawomir, steved, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: kernel 4.17-rc1 Doc Type: If docs needed, set a value
Doc Text:
A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:54:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1572053, 1572054, 1572055, 1572056, 1572073, 1572074    
Bug Blocks: 1567307    

Description Pedro Sampaio 2018-04-13 18:58:40 UTC
A weakness was found in the kernels implementation of random seed generation.  The random number seeding policy had three states.

0: The CRNG is not initialized at all
1: The CRNG has a small amount of entropy, hopefully good enough for
   early-boot, non-cryptographical use cases
2: The CRNG is fully initialized and we are sure it is safe for
   cryptographic use cases.

The crng_ready() function should only return true once we are in the
last state.  Some users of the CRNG would access the random seed data before it was seeded to an acceptable value.  Knowing this value would weaken cryptographic methods if the seed was able to be determined.

Upsteam patch:


Comment 4 Adam Mariš 2018-04-26 06:52:04 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1572074]