Re: Linux kernel + devtmpfs automount == insecure /dev/{,u}random mode

[Eduardo Tongson <propolice () gmail com>]

On Wed, Mar 13, 2013 at 8:35 AM,  <gremlin () gremlin ru> wrote:
> linux/drivers/char/mem.c contains the following code:
>
> static const struct memdev {
>   const char *name;
>   umode_t mode;
>   const struct file_operations *fops;
>   struct backing_dev_info *dev_info;
> } devlist[] = {
> // ...
>    [8] = { "random", 0666, &random_fops, NULL },
>    [9] = { "urandom", 0666, &urandom_fops, NULL },
> // ...
> };
>
> This allows writing to these devices by an unprivileged user
> resulting in re-initializing the entropy pool (as described
> in `man 4 random`) and thus making the data predictable.
>
> Just boot the kernel with "init=/bin/sh" parameter and issue
> the `ls -l /dev/*random` command - you'll see something like:
>
> crw-rw-rw- 1 root root 1, 8 Mar 13 08:30 /dev/random
> crw-rw-rw- 1 root root 1, 9 Mar 13 08:30 /dev/urandom
>
> The obvious fix is to create these devices with mode 0644,
> so only root will be able to re-initialize the entropy pool.
>
> Possibly, this even deserves a CVE to be assigned...
>
>
> --
> Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
> GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
> GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=81748.

  E