oss-sec mailing list archives
Re: Linux kernel + devtmpfs automount == insecure /dev/{,u}random mode
From: Eduardo Tongson <propolice () gmail com>
Date: Wed, 13 Mar 2013 08:44:47 +0000
On Wed, Mar 13, 2013 at 8:35 AM, <gremlin () gremlin ru> wrote:
> linux/drivers/char/mem.c contains the following code:
>
> static const struct memdev {
>         const char *name;
>         umode_t mode;
>         const struct file_operations *fops;
>         struct backing_dev_info *dev_info;
> } devlist[] = {
> // ...
>         [8] = { "random", 0666, &random_fops, NULL },
>         [9] = { "urandom", 0666, &urandom_fops, NULL },
> // ...
> };
>
> This allows writing to these devices by an unprivileged user
> resulting in re-initializing the entropy pool (as described in
> `man 4 random`) and thus making the data predictable.
>
> Just boot the kernel with "init=/bin/sh" parameter and issue the
> `ls -l /dev/*random` command - you'll see something like:
>
> crw-rw-rw- 1 root root 1, 8 Mar 13 08:30 /dev/random
> crw-rw-rw- 1 root root 1, 9 Mar 13 08:30 /dev/urandom
>
> The obvious fix is to create these devices with mode 0644, so only
> root will be able to re-initialize the entropy pool.
>
> Possibly, this even deserves a CVE to be assigned...
>
> --
> Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
> GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
> GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=81748.

E