IBAA-only RNG mode (rand_mode==1) has no seeding-readiness gate before first output

| Field | Value |
|---|---|
| ID | DF-0068 |
| Status | new |
| Severity | Info |
| CVSS 3.1 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-330 Use of Insufficiently Random Values |
| File | sys/kern/kern_nrandom.c |
| Lines | 700-714 |
| Area | kern (crypto/RNG) |
| Confidence | speculative |
| Discovered | 2026-06-30 |
| Reported | pending |

Summary

In read_random (:704-707), when rand_mode == 1 (IBAA-only, settable by root
via kern.rand_mode), the function directly outputs IBAA_Byte() results with
no check that the CSPRNG pools have reached any readiness threshold. The
CSPRNG path (rand_mode == 0) blocks via csprng_get_random until
reseed_cnt > 0 (subr_csprng.c:146-148), but the IBAA path has no equivalent
gate.
IBAA is seeded during rand_initialize from nanouptime().tv_nsec (:513-515)
and warmed up (:548-549), so it is not completely unseeded. However,
nanouptime is a low-entropy source whose coarse value may be estimable by an
attacker with knowledge of boot timing. The default mode is 2 (mixed), which uses
the CSPRNG path, so this only affects systems where root has explicitly switched
to IBAA-only mode.

Recommended fix

In the rand_mode == 1 branch, add a readiness check or a minimum warmup gate.
Ideally deprecate IBAA-only mode, or ensure it requires at least one successful
CSPRNG reseed before returning data.
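
The gate described above, as an added user-space model (not DragonFlyBSD code and not part of the original finding). The struct, the function names and the xorshift32 stand-in for `IBAA_Byte()` are assumptions made for illustration; only `rand_mode` and `reseed_cnt` come from the finding. With `gate_ibaa` set to 0 the model shows the reported behaviour, with 1 the proposed check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model; struct and function names are assumptions, not kernel code. */
struct rng_model {
    int      rand_mode;   /* 0 = CSPRNG, 1 = IBAA-only, 2 = mixed */
    unsigned reseed_cnt;  /* completed CSPRNG reseeds */
    uint32_t state;       /* stand-in generator state (never zero) */
    int      gate_ibaa;   /* 0 = reported behaviour, 1 = with the proposed gate */
};

/* xorshift32 stand-in for IBAA_Byte(); it only makes the model produce bytes. */
uint8_t model_byte(struct rng_model *r)
{
    r->state ^= r->state << 13;
    r->state ^= r->state >> 17;
    r->state ^= r->state << 5;
    return (uint8_t)(r->state >> 24);
}

/* Models a pool reseed completing: mix in fresh input and count it. */
void model_reseed(struct rng_model *r, uint32_t fresh)
{
    r->state ^= fresh;
    if (r->state == 0)
        r->state = 1;
    r->reseed_cnt++;
}

/* Returns bytes written; 0 means "not ready" (the kernel would block instead). */
size_t model_read_random(struct rng_model *r, uint8_t *buf, size_t n)
{
    int gated = (r->rand_mode != 1) || r->gate_ibaa;

    if (gated && r->reseed_cnt == 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        buf[i] = model_byte(r);
    return n;
}

int main(void)
{
    uint8_t buf[16];
    struct rng_model r = { 1, 0, 123456789u, 1 };  /* constructed seed value */

    printf("before reseed: %zu bytes\n", model_read_random(&r, buf, sizeof buf));
    model_reseed(&r, 0xA5A5A5A5u);
    printf("after reseed:  %zu bytes\n", model_read_random(&r, buf, sizeof buf));
    return 0;
}
```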

Timeline

- 2026-06-30 Discovered during automated file-by-file audit of
  sys/kern/kern_nrandom.c.
- pending Reported to DragonFlyBSD security contact.