When _crng_extract is called, any arch that has a registered
arch_get_random_long method, attempts to mix an unsigned long value into
the crng->state buffer, it only mixes in 32 of the 64 bits available,
because the state buffer is an array of u32 values, even though 2 u32
are expected to be filled (owing to the fact that it expects indexes 14
and 15 to be filled).
Bring the expected behavior into alignment by casting index 14 to an
unsignled long pointer, and xoring that in instead.
Tested successfully by myself
Signed-off-by: Neil Horman <nhor...@tuxdriver.com>
Reported-by: Steve Grubb <sgr...@redhat.com>
CC: "Theodore Ts'o" <ty...@mit.edu>
CC: Arnd Bergmann <a...@arndb.de>
CC: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
drivers/char/random.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 38c6d1af6d1c..8178618458ac 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -975,14 +975,16 @@ static void _extract_crng(struct crng_state *crng,
__u8 out[CHACHA_BLOCK_SIZE])
{
unsigned long v, flags;
-
+ unsigned long *archrnd;
if (crng_ready() &&
(time_after(crng_global_init_time, crng->init_time) ||
time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)))
crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
spin_lock_irqsave(&crng->lock, flags);
- if (arch_get_random_long(&v))
- crng->state[14] ^= v;
+ if (arch_get_random_long(&v)) {
+ archrnd = (unsigned long *)&crng->state[14];
+ *archrnd ^= v;
+ }
chacha20_block(&crng->state[0], out);
if (crng->state[12] == 0)
crng->state[13]++;
--
2.20.1
