From 6662365936965b5dceb5e70ecac9a2dc6631da79 Mon Sep 17 00:00:00 2001
From: bcook <>
Date: Mon, 4 Jan 2016 02:04:56 +0000
Subject: [PATCH] Calling clone(2) with CLONE_NEWPID yields multiple processes with pid=1.

Work around this particular case by reseeding whenever pid=1, but as guenther@ notes, directly calling clone(2), and then forking to match another pid, provides other ways to bypass new process detection on Linux. Hopefully at some point Linux implements something like MAP_INHERIT_ZERO, and does not invent a corresponding mechanism to subvert it. Noted by Sebastian Krahmer and the opmsg team. See http://stealth.openwall.net/crypto/randup.c for a test program.

ok beck@
---
 src/lib/libcrypto/arc4random/arc4random_linux.h | 5 +++--
 src/lib/libcrypto/crypto/arc4random_linux.h | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/lib/libcrypto/arc4random/arc4random_linux.h b/src/lib/libcrypto/arc4random/arc4random_linux.h
index 3296fdec..303deb57 100644
--- a/src/lib/libcrypto/arc4random/arc4random_linux.h
+++ b/src/lib/libcrypto/arc4random/arc4random_linux.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random_linux.h,v 1.9 2015/01/15 06:57:18 deraadt Exp $ */
+/* $OpenBSD: arc4random_linux.h,v 1.10 2016/01/04 02:04:56 bcook Exp $ */
 /*
  * Copyright (c) 1996, David Mazieres
@@ -60,7 +60,8 @@ _rs_forkdetect(void)
 	static pid_t _rs_pid = 0;
 	pid_t pid = getpid();
-	if (_rs_pid == 0 || _rs_pid != pid || _rs_forked) {
+	/* XXX unusual calls to clone() can bypass checks */
+	if (_rs_pid == 0 || _rs_pid == 1 || _rs_pid != pid || _rs_forked) {
 		_rs_pid = pid;
 		_rs_forked = 0;
 		if (rs)
diff --git a/src/lib/libcrypto/crypto/arc4random_linux.h b/src/lib/libcrypto/crypto/arc4random_linux.h
index 3296fdec..303deb57 100644
--- a/src/lib/libcrypto/crypto/arc4random_linux.h
+++ b/src/lib/libcrypto/crypto/arc4random_linux.h
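Review bot: The added comment `/* XXX unusual calls to clone() can bypass checks */` does not say why `_rs_pid == 1` is the value being special-cased, so the next reader sees a magic number in a security-sensitive condition; I would state the mechanism and its limits right there, e.g. `/* Every CLONE_NEWPID init is pid 1, so a recorded pid of 1 cannot prove we are the same process: reseed on every call. clone(2) followed by fork(2) to a colliding pid is still not caught. */`. Worth spelling out that the consequence is a full reseed on each call for any pid-1 process (container inits, for instance), since the commit message describes the workaround but nothing in the code records that cost. The identical hunk in src/lib/libcrypto/crypto/arc4random_linux.h (second file of this patch) should carry the same comment so the two copies do not drift. The body of `_rs_forkdetect` opens above this hunk and continues below it.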
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random_linux.h,v 1.9 2015/01/15 06:57:18 deraadt Exp $ */
+/* $OpenBSD: arc4random_linux.h,v 1.10 2016/01/04 02:04:56 bcook Exp $ */
 /*
  * Copyright (c) 1996, David Mazieres
@@ -60,7 +60,8 @@ _rs_forkdetect(void)
 	static pid_t _rs_pid = 0;
 	pid_t pid = getpid();
-	if (_rs_pid == 0 || _rs_pid != pid || _rs_forked) {
+	/* XXX unusual calls to clone() can bypass checks */
+	if (_rs_pid == 0 || _rs_pid == 1 || _rs_pid != pid || _rs_forked) {
 		_rs_pid = pid;
 		_rs_forked = 0;
 		if (rs)