On 06/11/2014 06:11 AM, Theodore Ts'o wrote: > On Tue, Jun 10, 2014 at 11:58:06PM -0400, George Spelvin wrote: >> You can forbid underflows, but the code doesn't forbid overflows. >> >> 1. Assume the entropy count starts at 512 bytes (input pool full) >> 2. Random writer mixes in 20 bytes of entropy into the input pool. >> 2a. Input pool entropy is, however, capped at 512 bytes. >> 3. Random extractor extracts 32 bytes of entropy from the pool. >> Succeeds because 32 < 512. Pool is left with 480 bytes of >> entropy. >> 3a. Random extractor decrements pool entropy estimate to 480 bytes. >> This is accurate. >> 4. Random writer credits pool with 20 bytes of entropy. >> 5. Input pool entropy is now 480 bytes, estimate is 500 bytes. > > Good point, that's a potential problem, although messing up the > accounting betewen 480 and 500 bytes is not nearly as bad as messing > up 0 and 20. > > It's not something where if the changes required massive changes, that > I'd necessarily feel the need to backport them to stable. It's a > certificational weakness, but it's a not disaster. >
Actually, with the new accounting code it will be even less serious, because mixing into a nearly full pool is discounted heavily -- because it is not like filling a queue; the mixing function will probabilistically overwrite existing pool entropy. So it is still a race condition, and still wrong, but it is a lot less wrong. -hpa -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/