Re: [PATCH] random: reject negative RNDADDENTROPY sizes early
From: Jakub Stasiak
Date: Mon Jun 29 2026 - 03:24:13 EST
> On 29 Jun 2026, at 04:12, Theodore Tso <tytso@xxxxxxx> wrote:
>
> On Sun, Jun 28, 2026 at 01:42:27PM -0500, Jakub Stasiak wrote:
>> Reject negative len values at the ioctl boundary instead. This avoids
>> relying on the later import and write paths, and prevents an invalid
>> request from mixing user data into the pool at the clamped length
>> instead of the requested len before returning -EFAULT. Consider this
>> defense in depth.
>
> The patch isn't wrong per se, but defense in depth against what? This
> ioctl() requires root privileges, and so it's not something where we
> would need to worry about an attacker passing in invalid data to the
> ioctl. If you have CAP_SYS_ADMIN, there is far more mischief you
> could do....
>
> - Ted
Ah yes, totally fair; I think I used the wrong term there. What I
meant is more about defensive programming (earlier rejection to make
sure nothing weird happens in case of accidentally bad inputs) and not
about defending against intentional attacks by someone with root
privileges.
Jakub
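As an added illustration of the behaviour the commit message describes (constructed for this note, not the kernel's code or the posted patch), a user-space model in C: the late-rejection handler clamps a negative len to the buffer size, mixes at the clamped length, and only then returns -EFAULT, while the boundary check rejects before any caller data is imported. The `model_` names, the toy mixing function and the -EINVAL return code are assumptions.

```c
/* Constructed user-space model of the ioctl boundary check discussed in the
 * thread; not the kernel's code. Names prefixed "model_" are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MODEL_POOL_WORDS 32

struct model_pool {
    uint32_t words[MODEL_POOL_WORDS];
    size_t mixed;              /* number of caller bytes mixed so far */
};

/* Mix len bytes of caller data into the pool (toy XOR fold, constructed). */
static void model_mix(struct model_pool *pool, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        pool->words[i % MODEL_POOL_WORDS] ^= (uint32_t)buf[i] << (8 * (i % 4));
    pool->mixed += len;
}

/* "Before": the handler leaves the length check to the later write path.
 * A negative len is clamped to buf_size, mixed, and only then rejected, so
 * a request that is ultimately refused has already perturbed the pool. */
static int model_addentropy_late(struct model_pool *pool,
                                 const uint8_t *buf, size_t buf_size, int len)
{
    int bad = (len < 0 || (size_t)len > buf_size);
    size_t n = bad ? buf_size : (size_t)len;
    model_mix(pool, buf, n);
    return bad ? -EFAULT : 0;
}

/* "After": reject a negative len at the boundary, before any import.
 * The -EINVAL return value is an assumption for this model. */
static int model_addentropy_early(struct model_pool *pool,
                                  const uint8_t *buf, size_t buf_size, int len)
{
    if (len < 0)
        return -EINVAL;
    if ((size_t)len > buf_size)
        return -EFAULT;
    model_mix(pool, buf, (size_t)len);
    return 0;
}
```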