From dce030eefca7316ba47cc7a6151f1563a5626245 Mon Sep 17 00:00:00 2001 From: Andreas Kling Date: Tue, 2 Mar 2021 13:57:34 +0100 Subject: [PATCH] Kernel: Use RDTSC instead of get_fast_random() for syscall stack noise This was the original approach before we switched to get_fast_random() which wasn't fast enough, so we added a buffer. Unfortunately that buffer is racy and we can actually skid past the end of it and continue fetching "random" offsets from the adjacent memory for a while, until we run out of kernel data segment and trip a fault. Instead of making this even more convoluted, let's just go back to the pleasantly simple (RDTSC & 0xff) approach. :^) Fixes #4912.
---
 Kernel/Syscall.cpp | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/Kernel/Syscall.cpp b/Kernel/Syscall.cpp
index 14f85b4c397..fa7d5a23a1e 100644
--- a/Kernel/Syscall.cpp
+++ b/Kernel/Syscall.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2020, Andreas Kling
+ * Copyright (c) 2018-2021, Andreas Kling
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -28,7 +28,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
@@ -137,10 +136,6 @@ KResultOr handle(RegisterState& regs, FlatPtr function, FlatPtr arg1, F
 }
-constexpr int RandomByteBufferSize = 256;
-u8 g_random_byte_buffer[RandomByteBufferSize];
-int g_random_byte_buffer_offset = RandomByteBufferSize;
-
 void syscall_handler(TrapFrame* trap)
 {
 auto& regs = *trap->regs;
@@ -160,13 +155,11 @@ void syscall_handler(TrapFrame* trap)
 // Apply a random offset in the range 0-255 to the stack pointer,
 // to make kernel stacks a bit less deterministic.
- // Since this is very hot code, request random data in chunks instead of
- // one byte at a time. This is a noticeable speedup.
- if (g_random_byte_buffer_offset == RandomByteBufferSize) {
- get_fast_random_bytes(g_random_byte_buffer, RandomByteBufferSize);
- g_random_byte_buffer_offset = 0;
- }
- auto* ptr = (char*)__builtin_alloca(g_random_byte_buffer[g_random_byte_buffer_offset++]);
+ u32 lsw;
+ u32 msw;
+ read_tsc(lsw, msw);
+
+ auto* ptr = (char*)__builtin_alloca(lsw & 0xff);
 asm volatile("" : "=m"(*ptr));
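Review bot: The comment kept above `__builtin_alloca(lsw & 0xff)` still describes a "random offset", but the value is now the low byte of the timestamp counter, which is timing jitter rather than an unpredictable secret. Unless RDTSC is restricted for user mode (nothing in this hunk shows that), user code can read the same counter, and on CPUs where the counter advances in coarse steps the low bits may vary over less than the full 0-255 range. I would record that limit where the offset is computed, e.g. `// NOTE: The low TSC byte is cheap jitter, not CSPRNG output; it only makes the stack layout less deterministic and must not be relied on as a secret.` This is a documentation suggestion only; the masked value keeps the alloca size bounded to 255 bytes, so the out-of-bounds read the commit describes cannot recur here. syscall_handler's body starts and ends outside the hunk.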