2 * Copyright (c) 2014 The Native Client Authors. All rights reserved.
3 * Use of this source code is governed by a BSD-style license that can be
4 * found in the LICENSE file.
7 #include "native_client/src/trusted/service_runtime/sys_random.h"
9 #include "native_client/src/shared/platform/nacl_global_secure_random.h"
10 #include "native_client/src/trusted/service_runtime/include/sys/errno.h"
11 #include "native_client/src/trusted/service_runtime/nacl_app_thread.h"
12 #include "native_client/src/trusted/service_runtime/sel_ldr.h"
16 * This syscall copies freshly-generated random data into the supplied
19 * Ideally this operation would be provided via a NaClDesc rather than via
20 * a dedicated syscall. However, if random data is read using the read()
21 * syscall, it is too easy for an innocent-but-buggy application to
22 * accidentally close() a random-data-source file descriptor, and then
23 * read() from a file that is subsequently opened with the same FD number.
24 * If the application relies on random data being unguessable, this could
25 * make the application vulnerable (e.g. see https://crbug.com/374383).
26 * This could be addressed by having a NaClDesc operation that can't
27 * accidentally be confused with a read(), but that would be more
30 * Providing a dedicated syscall is simple and removes that risk.
32 int32_t NaClSysGetRandomBytes(struct NaClAppThread *natp,
33 uint32_t buf_addr, uint32_t buf_size) {
34 struct NaClApp *nap = natp->nap;
36 uintptr_t sysaddr = NaClUserToSysAddrRange(nap, buf_addr, buf_size);
37 if (sysaddr == kNaClBadAddress)
38 return -NACL_ABI_EFAULT;
41 * Since we don't use NaClCopyOutToUser() for writing the data into the
42 * sandbox, we use NaClVmIoWillStart()/NaClVmIoHasEnded() to ensure that
43 * no mmap hole is opened up while we write the data.
45 NaClVmIoWillStart(nap, buf_addr, buf_addr + buf_size - 1);
46 NaClGlobalSecureRngGenerateBytes((uint8_t *) sysaddr, buf_size);
47 NaClVmIoHasEnded(nap, buf_addr, buf_addr + buf_size - 1);