jirka-h / haveged

Entropy daemon
GNU General Public License v3.0

Insecure haveged synchronization during switchroot. #77

Closed OttoHollmann closed 1 year ago

OttoHollmann commented 1 year ago

After applying PR #74 we found a potential security issue with the named semaphore. It uses a fixed file name (semaphore) in /dev/shm/, which is writable by everybody. So anybody can create this file before haveged starts and block it from starting.

I tried to replace named semaphore with something like this:

/src/havegecmd.c
@@ -265,7 +265,23 @@ int socket_handler(                /* RETURN: closed file descriptor        */
       }

    if (magic[1] == '\002') {       /* ASCII start of text: read argument provided */
+      int avail = 0;
+
+      /*
+       * wait for the haveged -c instance to finish writing (at least 4 bytes
+       * can be read from socket) before continuing to read from the socket
+       */
+      while (ioctl(fd, FIONREAD, &avail) != 0 || avail < 4) {
+          sleep(1);
+          }

       ret = receive_uinteger(fd, &alen);
       if (ret < 0) {
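Review bot: the wait loop `while (ioctl(fd, FIONREAD, &avail) != 0 || avail < 4)` has no exit path on failure: if the ioctl keeps failing (for example with EBADF or ENOTTY) or the peer closes the connection before four bytes arrive, `avail` stays below 4 and the handler sleeps forever; break out when `ioctl` returns an error, bound the number of retries, and consider `poll()` with a timeout instead of `sleep(1)`. Since `receive_uinteger(fd, &alen)` on a blocking socket already waits for data, the loop only delays the read; it does not order the two haveged instances, which is what the named semaphore was being used for. Also, the closing `}` of the while body is indented one level deeper than the `while` itself.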

but with no success.

Do you have any idea how to properly synchronize haveged instances during switch root?
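An added illustration (not haveged code, and not a fix for the switchroot ordering asked about here) of the hazard described above: a rendezvous file with a fixed name in a world-writable directory such as /dev/shm can be pre-created by any local user. The functions below refuse a directory that others can write to, create the file with `O_CREAT|O_EXCL|O_NOFOLLOW` so that a pre-existing name or a symlink is rejected, and verify with `fstat` that what was opened is a regular file owned by the caller. The directory template, the file name `haveged.lock` and the scenario functions are constructed for the demo.

```c
/* Added example, not part of haveged: defensive creation of a rendezvous
 * file. Directory and file names below are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept the directory only if it is a real directory, owned by us, and not
 * writable by group or others, so nobody else can plant a name inside it.
 * A world-writable directory like /dev/shm fails this check by design. */
int dir_is_private(const char *dir) {
    struct stat st;
    if (lstat(dir, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != geteuid()) return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;
    return 0;
}

/* Create the rendezvous file ourselves. O_EXCL refuses a pre-existing name
 * (including a dangling symlink), O_NOFOLLOW refuses a symlink, and fstat on
 * the open descriptor confirms we got a regular file that we own. */
int open_rendezvous(const char *dir, const char *name) {
    if (dir_is_private(dir) != 0) return -1;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

static const char *LOCK_NAME = "haveged.lock";   /* constructed name */

static void cleanup_dir(const char *dir) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, LOCK_NAME);
    unlink(path);
    rmdir(dir);
}

/* Scenario 1: a private 0700 directory (as mkdtemp creates it) is accepted. */
static int scenario_private_dir(void) {
    char dir[] = "/tmp/rendezvous-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    int fd = open_rendezvous(dir, LOCK_NAME);
    int ok = fd >= 0;
    if (fd >= 0) close(fd);
    cleanup_dir(dir);
    return ok;
}

/* Scenario 2: the same directory made world-writable (like /dev/shm) is refused. */
static int scenario_world_writable(void) {
    char dir[] = "/tmp/rendezvous-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    chmod(dir, 01777);
    int fd = open_rendezvous(dir, LOCK_NAME);
    int ok = fd < 0;
    if (fd >= 0) close(fd);
    cleanup_dir(dir);
    return ok;
}

/* Scenario 3: a name that already exists before we start is refused (EEXIST). */
static int scenario_precreated_name(void) {
    char dir[] = "/tmp/rendezvous-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, LOCK_NAME);
    int pre = open(path, O_WRONLY | O_CREAT, 0666);   /* the squatted file */
    if (pre >= 0) close(pre);
    int fd = open_rendezvous(dir, LOCK_NAME);
    int ok = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    cleanup_dir(dir);
    return ok;
}

/* Returns how many of the three scenarios behaved as expected (3 on success). */
int run_demo(void) {
    return scenario_private_dir() + scenario_world_writable() + scenario_precreated_name();
}

int main(void) {
    printf("%d of 3 scenarios behaved as expected\n", run_demo());
    return 0;
}
```

The directory check is what matters for the issue above: a fixed name inside a directory that only the daemon's user can write to cannot be pre-created by another local user, whereas no amount of checking on the file itself helps once the directory is world-writable.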

jirka-h commented 1 year ago

Hi Otto,

I'm sorry - I don't know how to fix that.

Jirka