From owner-svn-src-all@freebsd.org Sat Oct 20 21:45:18 2018
Return-Path:
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 04542FF7409; Sat, 20 Oct 2018 21:45:18 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AADF48B85B; Sat, 20 Oct 2018 21:45:17 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A5E2823DF6; Sat, 20 Oct 2018 21:45:17 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w9KLjHKc045449; Sat, 20 Oct 2018 21:45:17 GMT (envelope-from cem@FreeBSD.org)
Received: (from cem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w9KLjHgH045448; Sat, 20 Oct 2018 21:45:17 GMT (envelope-from cem@FreeBSD.org)
Message-Id: <201810202145.w9KLjHgH045448@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cem set sender to cem@FreeBSD.org using -f
From: Conrad Meyer Date: Sat, 20 Oct 2018 21:45:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r339496 - head/lib/libc/gen X-SVN-Group: head X-SVN-Commit-Author: cem X-SVN-Commit-Paths: head/lib/libc/gen X-SVN-Commit-Revision: 339496 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Oct 2018 21:45:18 -0000 Author: cem Date: Sat Oct 20 21:45:17 2018 New Revision: 339496 URL: https://svnweb.freebsd.org/changeset/base/339496 Log: getentropy(3): Trap non-API errnos from getrandom(2) and abort Additionally, reconcile our abort behavior with arc4random(3). Unlike SIGABRT, SIGKILL cannot be caught by the user program. These failures are fatal conditions and should not return to the caller, as they did in the instance that resulted in D17049. While here, fix some minor typos in a comment. Reviewed by: delphij Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D17050 Modified: head/lib/libc/gen/getentropy.c Modified: head/lib/libc/gen/getentropy.c ============================================================================== --- head/lib/libc/gen/getentropy.c Sat Oct 20 21:33:34 2018 (r339495) +++ head/lib/libc/gen/getentropy.c Sat Oct 20 21:45:17 2018 (r339496) @@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include @@ -44,6 +45,12 @@ __FBSDID("$FreeBSD$"); extern int __sysctl(int *, u_int, void *, size_t *, void *, size_t); +static inline void +_getentropy_fail(void) +{ + raise(SIGKILL); +} + static size_t arnd_sysctl(u_char *buf, size_t size) { 
@@ -87,14 +94,14 @@ getentropy_fallback(void *buf, size_t buflen) if (errno == EFAULT) return (-1); /* - * This cannot happen. _arc4_sysctl() spins until the random + * This cannot happen. arnd_sysctl() spins until the random * device is seeded and then repeatedly reads until the full * request is satisfied. The only way for this to return a zero * byte or short read is if sysctl(2) on the kern.arandom MIB - * fails. In this case, exceping the user-provided-a-bogus- + * fails. In this case, excepting the user-provided-a-bogus- * buffer EFAULT, give up (like for arc4random(3)'s arc4_stir). */ - abort(); + _getentropy_fail(); } return (0); } @@ -129,8 +136,10 @@ getentropy(void *buf, size_t buflen) continue; case EINTR: continue; - default: + case EFAULT: return (-1); + default: + _getentropy_fail(); } } } else { @@ -139,7 +148,7 @@ getentropy(void *buf, size_t buflen) /* This cannot happen. */ if (rd == 0) - abort(); + _getentropy_fail(); buf = (char *)buf + rd; buflen -= rd;
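Review bot: in the `@@ -44,6 +45,12 @@` hunk, `_getentropy_fail()` is declared as a plain `static inline void` function, so nothing tells the compiler or a reader that it never returns; the callers are written as if it does not (the `default:` arm in `getentropy()` falls out of the switch with no `break`, and `getentropy_fallback()` reaches `return (0)` right after it). Suggest declaring it `static void __dead2 _getentropy_fail(void)` and following `raise(SIGKILL);` with `abort();` (or `for (;;);`) so the non-return property is enforced rather than assumed. Worth stating in the commit log as well: replacing `abort()` with SIGKILL means a process that hits this path leaves no core dump and prints nothing, so an operator sees only a process that vanished; a one-line diagnostic to stderr before the `raise()` would keep the failure diagnosable.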
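Review bot: in the `@@ -129,8 +136,10 @@` hunk, the new `default:` arm kills the process for every errno from getrandom(2) other than the ones enumerated above it, so please confirm that the code leading into this switch (outside the hunk) still routes ENOSYS from a kernel without getrandom(2) to the `} else {` fallback branch rather than letting it reach `default:`; otherwise a binary built against this libc would be killed instead of falling back on an older kernel. Add a `/* NOTREACHED */` comment after `_getentropy_fail();` so the missing `break` is not read as an oversight, and document in getentropy(3) that an unexpected errno now terminates the caller rather than returning -1.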