[PATCH v3] gcc-plugins: latent_entropy: use /dev/urandom

From: Jason A. Donenfeld
Date: Mon Apr 04 2022 - 19:15:30 EST


While the latent entropy plugin mostly doesn't derive entropy from
get_random_const() for measuring the call graph, when __latent_entropy is
applied to a constant, then it's initialized statically to output from
get_random_const(). In that case, this data is derived from a 64-bit
seed, which means a buffer of 512 bits doesn't really have that amount
of compile-time entropy.

This patch fixes that shortcoming by just buffering chunks of
/dev/urandom output and doling it out as requested.

At the same time, it's important that we don't break the use of
-frandom-seed, for people who want the runtime benefits of the latent
entropy plugin, while still having compile-time determinism. In that
case, we detect whether a seed is in use via the local_ticks variable,
which the documentation explains is, "-1u, if the user has specified a
particular random seed."

Fixes: 38addce8b600 ("gcc-plugins: Add latent_entropy plugin")
Cc: stable@xxxxxxxxxxxxxxx
Cc: PaX Team <pageexec@xxxxxxxxxxx>
Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx>
---
Changes v2->v3:
- Drop change to xorshift for deterministic thing. This can be done
later if anybody actually finds a good reason for it.
- Drop change of plugin version. Since Kees is proposing a change in
the versioning scheme, that can also be a separate patch.
- At Pipacs' suggestion, use local_ticks for determining if
-frandom-seed is being used, since that's what gcc says to do.

scripts/gcc-plugins/latent_entropy_plugin.c | 44 ++++++++++++++-------
1 file changed, 30 insertions(+), 14 deletions(-)

diff --git a/scripts/gcc-plugins/latent_entropy_plugin.c b/scripts/gcc-plugins/latent_entropy_plugin.c
index 589454bce930..435b956ac1bd 100644
--- a/scripts/gcc-plugins/latent_entropy_plugin.c
+++ b/scripts/gcc-plugins/latent_entropy_plugin.c
@@ -87,24 +87,40 @@ static struct plugin_info latent_entropy_plugin_info = {
};

static unsigned HOST_WIDE_INT seed;
-/*
- * get_random_seed() (this is a GCC function) generates the seed.
- * This is a simple random generator without any cryptographic security because
- * the entropy doesn't come from here.
- */
+static unsigned HOST_WIDE_INT rnd_buf[256];
+static size_t rnd_idx = ARRAY_SIZE(rnd_buf);
+static int urandom_fd = -1;
+
static unsigned HOST_WIDE_INT get_random_const(void)
{
- unsigned int i;
- unsigned HOST_WIDE_INT ret = 0;
-
- for (i = 0; i < 8 * sizeof(ret); i++) {
- ret = (ret << 1) | (seed & 1);
- seed >>= 1;
- if (ret & 1)
- seed ^= 0xD800000000000000ULL;
+ /*
+ * When local_tick==-1, the user has specified a seed using
+ * -frandom-seed, which means we should do something deterministic.
+ */
+ if (local_tick == -1U) {
+ unsigned HOST_WIDE_INT ret = 0;
+ size_t i;
+
+ for (i = 0; i < 8 * sizeof(ret); i++) {
+ ret = (ret << 1) | (seed & 1);
+ seed >>= 1;
+ if (ret & 1)
+ seed ^= 0xD800000000000000ULL;
+ }
+ return ret;
}

- return ret;
+ if (urandom_fd < 0) {
+ urandom_fd = open("/dev/urandom", O_RDONLY);
+ if (urandom_fd < 0)
+ abort();
+ }
+ if (rnd_idx >= ARRAY_SIZE(rnd_buf)) {
+ if (read(urandom_fd, rnd_buf, sizeof(rnd_buf)) != sizeof(rnd_buf))
+ abort();
+ rnd_idx = 0;
+ }
+ return rnd_buf[rnd_idx++];
}

static tree tree_get_random_const(tree type)
--
2.35.1