On Sun, Apr 22, 2018 at 11:28:52PM +0100, Ben Hutchings wrote:
> On Sun, 2018-04-22 at 15:53 +0200, Greg Kroah-Hartman wrote:
> > 4.9-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Theodore Ts'o <ty...@mit.edu>
> >
> > commit 8ef35c866f8862df074a49a93b0309725812dea8 upstream.
> >
> > Until the primary_crng is fully initialized, don't initialize the NUMA
> > crng nodes. Otherwise users of /dev/urandom on NUMA systems before
> > the CRNG is fully initialized can get very bad quality randomness. Of
> > course everyone should move to getrandom(2) where this won't be an
> > issue, but there's a lot of legacy code out there. This related to
> > CVE-2018-1108.
> >
> > Reported-by: Jann Horn <ja...@google.com>
> > Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...")
> > Cc: sta...@kernel.org # 4.8+
> > Signed-off-by: Theodore Ts'o <ty...@mit.edu>
> > Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
>
> In 4.9 (and probably older branches too) this leads to a deadlock:
>
> crng_reseed(primary_crng, ...) takes primary_crng.lock
> -> numa_rcng_init()
> -> crng_initialize()
> -> get_random_bytes()
> -> extract_crng()
> -> _extract_crng(primary_crng, ...) tries to take
> primary_crng.lock
>
> I think this can be fixed by backporting commit 4a072c71f49b
> "random: silence compiler warnings and fix race" but I'm not sure
> whether that depends on other changes.
According to Tetsuo Handa, it's also causing problems in mainline :(
Ted, any thoughts as to what to do here?
thanks,
greg k-h
