oss-sec mailing list archives

Linux kernel + devtmpfs automount == insecure /dev/{,u}random mode


From: gremlin () gremlin ru
Date: Wed, 13 Mar 2013 12:35:54 +0400

linux/drivers/char/mem.c contains the following code:

static const struct memdev {
  const char *name;
  umode_t mode;
  const struct file_operations *fops;
  struct backing_dev_info *dev_info;
} devlist[] = {
// ...
   [8] = { "random", 0666, &random_fops, NULL },
   [9] = { "urandom", 0666, &urandom_fops, NULL },
// ...
};

This allows writing to these devices by an unprivileged user
resulting in re-initializing the entropy pool (as described
in `man 4 random`) and thus making the data predictable.

Just boot the kernel with the "init=/bin/sh" parameter and issue
the `ls -l /dev/*random` command - you'll see something like:

crw-rw-rw- 1 root root 1, 8 Mar 13 08:30 /dev/random
crw-rw-rw- 1 root root 1, 9 Mar 13 08:30 /dev/urandom

The obvious fix is to create these devices with mode 0644,
so only root will be able to re-initialize the entropy pool.

Possibly, this even deserves a CVE to be assigned...


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
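An audit helper, added here as an example and not part of the post, that checks the mode devtmpfs gave the two nodes against the 0644 the post recommends. The pure check works on an octal mode string such as `stat -c %a` prints; the live audit assumes GNU stat's `-c` option and a mounted devtmpfs.

```shell
# Added example (not from the post): audit /dev/random and /dev/urandom
# modes against the 0644 the post recommends.

# Return 0 if an octal mode string (e.g. "666" or "0666", as printed by
# `stat -c %a`) grants write access to group or other, i.e. to anyone
# but the owning user; return 1 otherwise.
nonowner_writable() {
    mode=$1
    # keep only the last two digits (group, other), drop any leading ones
    go=${mode#"${mode%??}"}
    g=${go%?}
    o=${go#?}
    for d in "$g" "$o"; do
        case $d in
            2|3|6|7) return 0 ;;   # write bit (value 2) is set in this digit
        esac
    done
    return 1
}

# Audit the live device nodes. Prints one line per device and returns 1
# if any node is missing or writable by group/other (the 0666 the post
# describes), 0 if both are owner-write only (0644 or stricter).
audit_random_devs() {
    rc=0
    for dev in /dev/random /dev/urandom; do
        if [ ! -c "$dev" ]; then
            echo "$dev: missing or not a character device"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$dev") || { rc=1; continue; }
        if nonowner_writable "$mode"; then
            echo "$dev: mode $mode (writable by group/other; post recommends 0644)"
            rc=1
        else
            echo "$dev: mode $mode (owner-only write)"
        fi
    done
    return $rc
}
```

Run `audit_random_devs` after boot (or from the `init=/bin/sh` shell the post describes) to get the same information as `ls -l /dev/*random` with a non-zero exit status when the nodes are world-writable.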
