From 80eb560a5bd7439103036867d5e09a5e0393e5d3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 7 May 2019 17:26:55 -0400
Subject: [PATCH] random-util: hash AT_RANDOM getauxval() value before using it

Let's be a bit paranoid and hash the 16 bytes we get from getauxval() before using them. AFter all they might be used by other stuff too (in particular ASLR), and we probably shouldn't end up leaking that seed though our crappy pseudo-random numbers.
---
 src/basic/random-util.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/basic/random-util.c b/src/basic/random-util.c
index 205d5501e51..40f1928936f 100644
--- a/src/basic/random-util.c
+++ b/src/basic/random-util.c
@@ -28,6 +28,7 @@
 #include "io-util.h"
 #include "missing.h"
 #include "random-util.h"
+#include "siphash24.h"
 #include "time-util.h"
 
 int rdrand(unsigned long *ret) {
@@ -203,14 +204,19 @@ void initialize_srand(void) {
 return;
 
 #if HAVE_SYS_AUXV_H
- /* The kernel provides us with 16 bytes of entropy in auxv, so let's
- * try to make use of that to seed the pseudo-random generator. It's
- * better than nothing... */
+ /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
+ * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
+ * to recover the original value by watching any pseudo-random bits we generate. After all the
+ * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
+ * leak the seed for that. */
 
- auxv = (const void*) getauxval(AT_RANDOM);
+ auxv = ULONG_TO_PTR(getauxval(AT_RANDOM));
 if (auxv) {
- assert_cc(sizeof(x) <= 16);
- memcpy(&x, auxv, sizeof(x));
+ static const uint8_t auxval_hash_key[16] = {
+ 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
+ };
+
+ x = (unsigned) siphash24(auxv, 16, auxval_hash_key);
 } else
 #endif
 x = 0;
-- 
2.39.2
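Review bot: The cast in `x = (unsigned) siphash24(auxv, 16, auxval_hash_key);` silently drops the upper 32 bits of the 64-bit hash, and nothing in the hunk records that this is deliberate; a one-line comment such as `/* srand() takes an unsigned int, so only the low 32 bits can be used anyway */` would save the next reader from wondering whether the halves were meant to be folded together (this assumes x is the value later handed to srand(), which happens outside the hunk). The new comment should also say plainly that auxval_hash_key is a public constant compiled into the binary, so the hash is a one-way mixing step rather than a secret-keyed MAC — the property relied on is that 32 bits of output cannot pin down the 128-bit AT_RANDOM input, not key secrecy. The literal `16` in the siphash24() call repeats the size assumption that the removed assert_cc() used to pin; a named constant (e.g. an `AT_RANDOM_LEN` enum, name to taste) would keep the length in one place next to the "16 bytes" in the comment. initialize_srand() begins and ends outside this hunk.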