go: crypto/rand: does not verify /dev/urandom is a character device
Posting here per my e-mail conversation with rsc@
- What version of Go are you using (go version)?
1.6.2
- What operating system and processor architecture are you using (go env)?
GOOS=linux GOARCH=amd64
- What did you do? If possible, provide a recipe for reproducing the error. A complete runnable program is good. A link on play.golang.org is best.
- What did you expect to see?
An error because /dev/urandom isn’t a character device.
- What did you see instead?
A normal read of the bad file.
Kernel versions < 3.17 read /dev/urandom instead of calling getrandom(2). This allows an attacker to redirect or modify /dev/urandom to a block device instead of a character device. A simple check (e.g., f.Mode()&ModeCharDevice == 0) would mostly mitigate this.
Additionally, the min:maj could be checked to see if it matches what Linux says it’s supposed to be (man 4 random says 1:9 for /dev/urandom).
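
The check proposed in the report, sketched as an added example (not code from the Go project or from this thread): it stats the already-opened descriptor, requires a character device, and compares the device numbers with the major 1, minor 9 that random(4) documents. The names `openVerified`, `checkDevice` and `devNumbers` are hypothetical, and the dev_t decoding and `*syscall.Stat_t` assertion assume Linux.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// devNumbers decodes a Linux dev_t with the glibc major/minor encoding.
func devNumbers(rdev uint64) (major, minor uint64) {
	return ((rdev >> 8) & 0xfff) | ((rdev >> 32) &^ 0xfff),
		(rdev & 0xff) | ((rdev >> 12) &^ 0xff)
}

// checkDevice rejects anything that is not character device 1:9 (random(4)).
func checkDevice(mode os.FileMode, rdev uint64) error {
	if mode&os.ModeCharDevice == 0 {
		return fmt.Errorf("not a character device (mode %v)", mode)
	}
	if maj, mn := devNumbers(rdev); maj != 1 || mn != 9 {
		return fmt.Errorf("unexpected device %d:%d, want 1:9", maj, mn)
	}
	return nil
}

// openVerified (hypothetical helper) opens path and validates the opened
// descriptor itself, so the path cannot be swapped between check and read.
func openVerified(path string) (*os.File, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	fi, err := f.Stat() // fstat(2) on the open descriptor, not the path
	if err == nil {
		st := fi.Sys().(*syscall.Stat_t) // assumption: Linux stat data
		err = checkDevice(fi.Mode(), uint64(st.Rdev))
	}
	if err != nil {
		f.Close()
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	return f, nil
}

func main() {
	_, err := openVerified("/dev/urandom")
	fmt.Println("verification error:", err) // <nil> if both checks pass
}
```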
About this issue
- State: closed
- Created 8 years ago
- Comments: 16 (15 by maintainers)
I also think that if the attacker is able to replace /dev/urandom, then nothing prevents him from loading a kernel module to defeat these kinds of checks. It’s basically protecting the wrong thing.