diff options
author | Matt Mackall <mpm@selenic.com> | 2007-07-19 14:30:14 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-19 17:21:04 -0400 |
commit | 5a021e9ffd56c22700133ebc37d607f95be8f7bd (patch) | |
tree | 0d289c7feec4e7b3b19c7c312e8cb31532c5b9c9 | |
parent | f745bb1c73e2395e6b9961d4d915a8f8e2cd32cd (diff) |
random: fix bound check ordering (CVE-2007-3105)
If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.
(Bug reported by the PaX Team <pageexec@freemail.hu>)
Cc: Theodore Tso <tytso@mit.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | drivers/char/random.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c index 7f5271272f91..397c714cf2ba 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c | |||
@@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes) | |||
693 | 693 | ||
694 | if (r->pull && r->entropy_count < nbytes * 8 && | 694 | if (r->pull && r->entropy_count < nbytes * 8 && |
695 | r->entropy_count < r->poolinfo->POOLBITS) { | 695 | r->entropy_count < r->poolinfo->POOLBITS) { |
696 | int bytes = max_t(int, random_read_wakeup_thresh / 8, | 696 | /* If we're limited, always leave two wakeup worth's BITS */ |
697 | min_t(int, nbytes, sizeof(tmp))); | ||
698 | int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4; | 697 | int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4; |
698 | int bytes = nbytes; | ||
699 | |||
700 | /* pull at least as many as BYTES as wakeup BITS */ | ||
701 | bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); | ||
702 | /* but never more than the buffer size */ | ||
703 | bytes = min_t(int, bytes, sizeof(tmp)); | ||
699 | 704 | ||
700 | DEBUG_ENT("going to reseed %s with %d bits " | 705 | DEBUG_ENT("going to reseed %s with %d bits " |
701 | "(%d of %d requested)\n", | 706 | "(%d of %d requested)\n", |