499786 – CVE-2009-3238 kernel: random: make get_random_int() more random [rhel-4.8.z]

Bug 499786 - CVE-2009-3238 kernel: random: make get_random_int() more random [rhel-4.8.z]

Summary: CVE-2009-3238 kernel: random: make get_random_int() more random [rhel-4.8.z]

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.8
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Vitaly Mayatskikh
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:	499785
Blocks:
TreeView+	depends on / blocked

Reported:	2009-05-08 06:56 UTC by Eugene Teo (Security Response)
Modified:	2009-09-18 10:39 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	499776
Environment:
Last Closed:	2009-06-03 13:31:05 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Eugene Teo (Security Response) 2009-05-08 06:56:03 UTC

+++ This bug was initially created as a clone of Bug #499776 +++

Description of problem:
"It's a really simple patch that basically just open-codes the current "secure_ip_id()" call, but when open-coding it we now use a _static_ hashing area, so that it gets updated every time.

And to make sure somebody can't just start from the same original seed of all-zeroes, and then do the "half_md4_transform()" over and over until they get the same sequence as the kernel has, each iteration also mixes in the same old "current->pid + jiffies" we used - so we should now have a regular strong pseudo-number generator, but we also have one that doesn't have a single seed.

Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It has no real meaning. It could be anything. I just picked the previous seed, it's just that now we keep the state in between calls and that will feed into the next result, and that should make all the difference.

I made that hash be a per-cpu data just to avoid cache-line ping-pong: having multiple CPU's write to the same data would be fine for randomness, and add yet another layer of chaos to it, but since get_random_int() is supposed to be a fast interface I did it that way instead. I considered using "__raw_get_cpu_var()" to avoid any preemption overhead while still getting the hash be _mostly_ ping-pong free, but in the end good taste won out."

Upstream commit: http://git.kernel.org/linus/8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02

--- Additional comment from eteo on 2009-05-08 02:28:26 EDT ---

http://patchwork.kernel.org/patch/21766/

--- Additional comment from eteo on 2009-05-08 02:32:32 EDT ---

Created an attachment (id=343053)
Upstream patch

Comment 5 Jan Lieskovsky 2009-09-18 10:39:17 UTC

MITRE's CVE-2009-3238 record:
-----------------------------
The get_random_int function in drivers/char/random.c in the Linux
kernel before 2.6.30 produces insufficiently random numbers, which
allows attackers to predict the return value, and possibly defeat
protection mechanisms based on randomization, via vectors that
leverage the function's tendency to "return the same value over and
over again for long stretches of time."

References:
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02
http://patchwork.kernel.org/patch/21766/
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30
https://bugzilla.redhat.com/show_bug.cgi?id=499785
https://bugzilla.redhat.com/show_bug.cgi?id=519692
http://www.redhat.com/support/errata/RHSA-2009-1438.html

Note You need to log in before you can comment on or make changes to this bug.