Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(mme): Replace insecure rand() with getrandom() for TMSI generation #15411

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(mme): Replace insecure rand() with getrandom() for TMSI generation #15411

wants to merge 1 commit into from

Conversation

jorgevargasmor
Copy link

Summary

This PR addresses the vulnerability related to predictable TMSI generation in Magma's Mobility Management Entity (MME). It replaces the current insecure method with a more robust approach, enhancing user privacy and security.

Test Plan

Validate the new TMSI generation method.

Security Considerations

The new TMSI generation method using getrandom() enhances security by providing unpredictable TMSI values, mitigating the risk of tracking user associations by adversaries.

@jorgevargasmor jorgevargasmor requested a review from a team as a code owner April 14, 2024 21:45
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines. label Apr 14, 2024
@github-actions GitHub Actions
Copy link
Contributor

Thanks for opening a PR! 💯

A couple initial guidelines

Howto

  • Reviews. The "Reviewers" listed for this PR are the Magma maintainers who will shepherd it.
  • Checks. All required CI checks must pass before merge.
  • Merge. Once approved and passing CI checks, use the ready2merge label to indicate the maintainers can merge your PR.

More info

Please take a moment to read through the Magma project's

If this is your first Magma PR, also consider reading

@github-actions github-actions bot added the component: agw Access gateway-related issue label Apr 14, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 14, 2024
edited

✔️ The Semantic PR check ended with status success. See instructions on formatting your commit and pull request titles.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 14, 2024
edited

Oops! Looks like you failed the PR Check DCO. Be sure to sign all your commits.

Howto

♻️ Updated: ❌ The check is still failing the PR Check DCO after the last commit.

github-actions[bot]
github-actions bot reviewed Apr 14, 2024
View reviewed changes
lte/gateway/c/core/oai/tasks/nas/api/mme/mme_api.cpp Outdated
// note srand with seed is initialized at main
return (tmsi_t)rand();
tmsi_t tmsi = (tmsi_t) 0;
if (getrandom((void*) &tmsi, sizeof(tmsi_t), 0) != sizeof(tmsi_t) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[cpplint] reported by reviewdog 🐶
Using C-style cast. Use reinterpret_cast<void*>(...) instead [readability/casting] [4]

lte/gateway/c/core/oai/tasks/nas/api/mme/mme_api.cpp Outdated
return (tmsi_t)rand();
tmsi_t tmsi = (tmsi_t) 0;
if (getrandom((void*) &tmsi, sizeof(tmsi_t), 0) != sizeof(tmsi_t) {
tmsi = (tmsi_t) rand(); // Fallback in case of fundamental system error
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[cpplint] reported by reviewdog 🐶
At least two spaces is best between code and comments [whitespace/comments] [2]

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 14, 2024
edited

FeG Lint & Test

    2 files  203 suites   39s ⏱️
374 tests 374 ✔️ 0 💤 0
388 runs  388 ✔️ 0 💤 0

Results for commit 046bc35.

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 14, 2024
edited

DP Lint & Test

14 tests   14 ✔️  2m 12s ⏱️
  1 suites    0 💤
  1 files      0

Results for commit 046bc35.

♻️ This comment has been updated with latest results.

panyogesh
panyogesh approved these changes Apr 15, 2024
View reviewed changes
Copy link
Contributor

@panyogesh panyogesh left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes are fine. Please fix the issue reported in build-container job.

@panyogesh panyogesh changed the title Replace insecure rand() with getrandom() for TMSI generation fix(mme): Replace insecure rand() with getrandom() for TMSI generation Apr 15, 2024
@lucasgonze
Copy link
Contributor

Let's discuss the fallback to rand() on line 414. Can an attacker force one of these error conditions?

EAGAIN The requested entropy was not available, and getrandom()
              would have blocked if the GRND_NONBLOCK flag was not set.

       EFAULT The address referred to by buf is outside the accessible
              address space.

       EINTR  The call was interrupted by a signal handler; see the
              description of how interrupted [read(2)](https://www.man7.org/linux/man-pages/man2/read.2.html) calls on "slow"
              devices are handled with and without the SA_RESTART flag
              in the [signal(7)](https://www.man7.org/linux/man-pages/man7/signal.7.html) man page.

       EINVAL An invalid flag was specified in flags.

       ENOSYS The glibc wrapper function for getrandom() determined that
              the underlying kernel does not implement this system call.

github-actions[bot]
github-actions bot reviewed Apr 17, 2024
View reviewed changes
lte/gateway/c/core/oai/tasks/nas/api/mme/mme_api.cpp Outdated
// note srand with seed is initialized at main
return (tmsi_t)rand();
tmsi_t tmsi = (tmsi_t)0;
if (getrandom((void*) &tmsi, sizeof(tmsi_t), 0) != sizeof(tmsi_t)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[cpplint] reported by reviewdog 🐶
Using C-style cast. Use reinterpret_cast<void*>(...) instead [readability/casting] [4]

github-actions[bot]
github-actions bot reviewed Apr 17, 2024
View reviewed changes
lte/gateway/c/core/oai/tasks/nas/api/mme/mme_api.cpp
// note srand with seed is initialized at main
return (tmsi_t)rand();
tmsi_t tmsi = (tmsi_t)0;
if (getrandom((void*)&tmsi, sizeof(tmsi_t), 0) != sizeof(tmsi_t)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[cpplint] reported by reviewdog 🐶
Using C-style cast. Use reinterpret_cast<void*>(...) instead [readability/casting] [4]

@mehul-jindal
Copy link
Contributor

Hi @jorgevargasmor please sync jorgevargasmor:jorge-fix-TMSI-generation with master and replay/rebase the changes of the latest commit on top of it. While committing please use the following command to resolve the remaining failing CI jobs.

git commit --signoff -s -m "fix(mme): Replace insecure rand with getrandom for TMSI generation"

@lucasgonze lucasgonze mentioned this pull request Apr 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions left review comments

@panyogesh panyogesh panyogesh approved these changes

@lucasgonze lucasgonze Awaiting requested review from lucasgonze lucasgonze is a code owner automatically assigned from magma/approvers-gw

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
component: agw Access gateway-related issue size/XS Denotes a PR that changes 0-9 lines.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jorgevargasmor @lucasgonze @mehul-jindal @panyogesh