random: deobfuscate irq u32/u64 contributions
authorJason A. Donenfeld <Jason@zx2c4.com>
Thu, 10 Feb 2022 16:01:27 +0000 (17:01 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 30 May 2022 07:29:07 +0000 (09:29 +0200)
commit b2f408fe403800c91a49f6589d95b6759ce1b30b upstream.

In the irq handler, we fill out 16 bytes differently on 32-bit and
64-bit platforms, and for 32-bit vs 64-bit cycle counters, which doesn't
always correspond with the bitness of the platform. Whether or not you
like this strangeness, it is a matter of fact.  But it might not be a
fact you well realized until now, because the code that loaded the irq
info into 4 32-bit words was quite confusing.  Instead, this commit
makes everything explicit by having separate (compile-time) branches for
32-bit and 64-bit types.

Cc: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/char/random.c

index ef9c96d8bdfd58c003ff8bb7787db6aeed45677f..291b7e8d239382023f8968a304ccd9fb4180dd84 100644 (file)
@@ -283,7 +283,10 @@ static void mix_pool_bytes(const void *in, size_t nbytes)
 }
 
 struct fast_pool {
-       u32 pool[4];
+       union {
+               u32 pool32[4];
+               u64 pool64[2];
+       };
        unsigned long last;
        u16 reg_idx;
        u8 count;
@@ -294,10 +297,10 @@ struct fast_pool {
  * collector.  It's hardcoded for an 128 bit pool and assumes that any
  * locks that might be needed are taken by the caller.
  */
-static void fast_mix(struct fast_pool *f)
+static void fast_mix(u32 pool[4])
 {
-       u32 a = f->pool[0],     b = f->pool[1];
-       u32 c = f->pool[2],     d = f->pool[3];
+       u32 a = pool[0],        b = pool[1];
+       u32 c = pool[2],        d = pool[3];
 
        a += b;                 c += d;
        b = rol32(b, 6);        d = rol32(d, 27);
@@ -315,9 +318,8 @@ static void fast_mix(struct fast_pool *f)
        b = rol32(b, 16);       d = rol32(d, 14);
        d ^= a;                 b ^= c;
 
-       f->pool[0] = a;  f->pool[1] = b;
-       f->pool[2] = c;  f->pool[3] = d;
-       f->count++;
+       pool[0] = a;  pool[1] = b;
+       pool[2] = c;  pool[3] = d;
 }
 
 static void process_random_ready_list(void)
@@ -784,29 +786,34 @@ void add_interrupt_randomness(int irq)
        struct pt_regs *regs = get_irq_regs();
        unsigned long now = jiffies;
        cycles_t cycles = random_get_entropy();
-       u32 c_high, j_high;
-       u64 ip;
 
        if (cycles == 0)
                cycles = get_reg(fast_pool, regs);
-       c_high = (sizeof(cycles) > 4) ? cycles >> 32 : 0;
-       j_high = (sizeof(now) > 4) ? now >> 32 : 0;
-       fast_pool->pool[0] ^= cycles ^ j_high ^ irq;
-       fast_pool->pool[1] ^= now ^ c_high;
-       ip = regs ? instruction_pointer(regs) : _RET_IP_;
-       fast_pool->pool[2] ^= ip;
-       fast_pool->pool[3] ^=
-               (sizeof(ip) > 4) ? ip >> 32 : get_reg(fast_pool, regs);
 
-       fast_mix(fast_pool);
+       if (sizeof(cycles) == 8)
+               fast_pool->pool64[0] ^= cycles ^ rol64(now, 32) ^ irq;
+       else {
+               fast_pool->pool32[0] ^= cycles ^ irq;
+               fast_pool->pool32[1] ^= now;
+       }
+
+       if (sizeof(unsigned long) == 8)
+               fast_pool->pool64[1] ^= regs ? instruction_pointer(regs) : _RET_IP_;
+       else {
+               fast_pool->pool32[2] ^= regs ? instruction_pointer(regs) : _RET_IP_;
+               fast_pool->pool32[3] ^= get_reg(fast_pool, regs);
+       }
+
+       fast_mix(fast_pool->pool32);
+       ++fast_pool->count;
 
        if (unlikely(crng_init == 0)) {
                if (fast_pool->count >= 64 &&
-                   crng_fast_load(fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
+                   crng_fast_load(fast_pool->pool32, sizeof(fast_pool->pool32)) > 0) {
                        fast_pool->count = 0;
                        fast_pool->last = now;
                        if (spin_trylock(&input_pool.lock)) {
-                               _mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
+                               _mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32));
                                spin_unlock(&input_pool.lock);
                        }
                }
@@ -820,7 +827,7 @@ void add_interrupt_randomness(int irq)
                return;
 
        fast_pool->last = now;
-       _mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
+       _mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32));
        spin_unlock(&input_pool.lock);
 
        fast_pool->count = 0;