DragonFlyBSD Kernel Audit
← dashboard
DF-0068

IBAA-only RNG mode (rand_mode==1) has no seeding-readiness gate before first output

Field Value
ID DF-0068
Status new
Severity Info
CVSS 3.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
CWE CWE-330 Use of Insufficiently Random Values
File sys/kern/kern_nrandom.c
Lines 700-714
Area kern (crypto/RNG)
Confidence speculative
Discovered 2026-06-30
Reported pending

Summary

In read_random (:704-707), when rand_mode == 1 (IBAA-only, settable by root via kern.rand_mode), the function directly outputs IBAA_Byte() results with no check that the CSPRNG pools have reached any readiness threshold. The CSPRNG path (rand_mode == 0) blocks via csprng_get_random until reseed_cnt > 0 (subr_csprng.c:146-148), but the IBAA path has no equivalent gate.

IBAA is seeded during rand_initialize from nanouptime().tv_nsec (:513-515) and warmed up (:548-549), so it is not completely unseeded. However, nanouptime is a low-entropy source whose coarse value may be estimable by an attacker with knowledge of boot timing. The default mode is 2 (mixed), which uses the CSPRNG path, so this only affects systems where root has explicitly switched to IBAA-only mode.

In the rand_mode == 1 branch, add a readiness check or a minimum warmup gate. Ideally deprecate IBAA-only mode, or ensure it requires at least one successful CSPRNG reseed before returning data.

Timeline

  • 2026-06-30 Discovered during automated file-by-file audit of sys/kern/kern_nrandom.c.
  • pending Reported to DragonFlyBSD security contact.