OLD | NEW |
(Empty) | |
| 1 /* |
| 2 * Copyright (c) 2014 The Native Client Authors. All rights reserved. |
| 3 * Use of this source code is governed by a BSD-style license that can be |
| 4 * found in the LICENSE file. |
| 5 */ |
| 6 |
| 7 #include "native_client/src/trusted/service_runtime/sys_random.h" |
| 8 |
| 9 #include "native_client/src/shared/platform/nacl_global_secure_random.h" |
| 10 #include "native_client/src/trusted/service_runtime/include/sys/errno.h" |
| 11 #include "native_client/src/trusted/service_runtime/nacl_app_thread.h" |
| 12 #include "native_client/src/trusted/service_runtime/sel_ldr.h" |
| 13 |
| 14 |
| 15 /* |
| 16 * This syscall copies freshly-generated random data into the supplied |
| 17 * buffer. |
| 18 * |
| 19 * Ideally this operation would be provided via a NaClDesc rather than via |
| 20 * a dedicated syscall. However, if random data is read using the read() |
| 21 * syscall, it is too easy for an innocent-but-buggy application to |
| 22 * accidentally close() a random-data-source file descriptor, and then |
| 23 * read() from a file that is subsequently opened with the same FD number. |
| 24 * If the application relies on random data being unguessable, this could |
| 25 * make the application vulnerable (e.g. see https://crbug.com/374383). |
| 26 * This could be addressed by having a NaClDesc operation that can't |
| 27 * accidentally be confused with a read(), but that would be more |
| 28 * complicated. |
| 29 * |
| 30 * Providing a dedicated syscall is simple and removes that risk. |
| 31 */ |
| 32 int32_t NaClSysGetRandomBytes(struct NaClAppThread *natp, |
| 33 uint32_t buf_addr, uint32_t buf_size) { |
| 34 struct NaClApp *nap = natp->nap; |
| 35 |
| 36 uintptr_t sysaddr = NaClUserToSysAddrRange(nap, buf_addr, buf_size); |
| 37 if (sysaddr == kNaClBadAddress) |
| 38 return -NACL_ABI_EFAULT; |
| 39 |
| 40 /* |
| 41 * Since we don't use NaClCopyOutToUser() for writing the data into the |
| 42 * sandbox, we use NaClVmIoWillStart()/NaClVmIoHasEnded() to ensure that |
| 43 * no mmap hole is opened up while we write the data. |
| 44 */ |
| 45 NaClVmIoWillStart(nap, buf_addr, buf_addr + buf_size - 1); |
| 46 NaClGlobalSecureRngGenerateBytes((uint8_t *) sysaddr, buf_size); |
| 47 NaClVmIoHasEnded(nap, buf_addr, buf_addr + buf_size - 1); |
| 48 |
| 49 return 0; |
| 50 } |
OLD | NEW |