Source-Changes-HG archive


[src/trunk]: src/sys/kern An undocumented behavior of the sysctl kern.arandom...
details:   https://anonhg.NetBSD.org/src/rev/13444f1ba6fc
branches:  trunk
changeset: 771418:13444f1ba6fc
user:      tls <tls%NetBSD.org@localhost>
date:      Sun Nov 20 01:09:14 2011 +0000

description:
An undocumented behavior of the sysctl kern.arandom node used to allow
sucking up to 8192 bytes out of the kernel arc4random() generator at a
time.  Supposedly some very old application code uses this to rekey
other instances of RC4 in userspace (a truly great idea).  Reduce the
limit to 256 bytes -- and note that it will probably be reduced to
sizeof(int) in the future, since this node is so documented.

diffstat:

 sys/kern/init_sysctl.c |  21 ++++++++++++++++++---
 1 files changed, 18 insertions(+), 3 deletions(-)

diffs (42 lines):

diff -r e65f72d08828 -r 13444f1ba6fc sys/kern/init_sysctl.c
--- a/sys/kern/init_sysctl.c    Sun Nov 20 00:45:15 2011 +0000
+++ b/sys/kern/init_sysctl.c    Sun Nov 20 01:09:14 2011 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: init_sysctl.c,v 1.184 2011/11/19 22:51:25 tls Exp $ */
+/*     $NetBSD: init_sysctl.c,v 1.185 2011/11/20 01:09:14 tls Exp $ */
 
 /*-
  * Copyright (c) 2003, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.184 2011/11/19 22:51:25 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.185 2011/11/20 01:09:14 tls Exp $");
 
 #include "opt_sysv.h"
 #include "opt_compat_netbsd.h"
@@ -1419,7 +1419,22 @@
 
        if (*oldlenp == 0)
                return 0;
-       if (*oldlenp > 8192)
+       /*
+        * This code used to allow sucking 8192 bytes at a time out
+        * of the kernel arc4random generator.  Evidently there is some
+        * very old OpenBSD application code that may try to do this.
+        *
+        * Note that this node is documented as type "INT" -- 4 or 8
+        * bytes, not 8192.
+        *
+        * We continue to support this abuse of the "len" pointer here
+        * but only 256 bytes at a time, as, anecdotally, the actual
+        * application use here was to generate RC4 keys in userspace.
+        *
+        * Support for such large requests will probably be removed
+        * entirely in the future.
+        */
+       if (*oldlenp > 256)
                return E2BIG;
 
        v = kmem_alloc(*oldlenp, KM_SLEEP);
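Review bot: the new bound in `if (*oldlenp > 256)` is a bare magic number directly beneath a fifteen-line comment explaining it; a named constant for the maximum arandom read size, placed next to the `kmem_alloc(*oldlenp, KM_SLEEP)` call it bounds, would make the cap and the allocation easier to audit together and would give the future reduction to `sizeof(int)` that the comment promises a single place to change. It would also help to state, in the comment or in the node's documentation, that callers which previously passed lengths between 257 and 8192 now receive E2BIG instead of data, since that is a visible behaviour change for exactly the old userspace code the comment describes.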
