From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
	torvalds@linux-foundation.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	security@kernel.org, Willy Tarreau <w@1wt.eu>,
	Matt Mackall <mpm@selenic.com>,
	Chris Wright <chrisw@sous-sol.org>
Subject: [patch 02/12] random: fix bound check ordering (CVE-2007-3105)
Date: Tue, 14 Aug 2007 00:28:50 -0700	[thread overview]
Message-ID: <20070814072850.GC15025@kroah.com> (raw)
In-Reply-To: <20070814072813.GA15025@kroah.com>

[-- Attachment #1: random-fix-bound-check-ordering.patch --]
[-- Type: text/plain, Size: 1441 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Matt Mackall <mpm@selenic.com>

If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.

(Bug reported by the PaX Team <pageexec@freemail.hu>)

Cc: Theodore Tso <tytso@mit.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/char/random.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct e
 
 	if (r->pull && r->entropy_count < nbytes * 8 &&
 	    r->entropy_count < r->poolinfo->POOLBITS) {
-		int bytes = max_t(int, random_read_wakeup_thresh / 8,
-				min_t(int, nbytes, sizeof(tmp)));
+		/* If we're limited, always leave two wakeup worth's BITS */
 		int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
+		int bytes = nbytes;
+
+		/* pull at least as many as BYTES as wakeup BITS */
+		bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
+		/* but never more than the buffer size */
+		bytes = min_t(int, bytes, sizeof(tmp));
 
 		DEBUG_ENT("going to reseed %s with %d bits "
 			  "(%d of %d requested)\n",
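Review bot: the final `min_t(int, bytes, sizeof(tmp))` is now the only thing bounding a root-supplied `random_read_wakeup_thresh`; the ordering itself is right (in the removed lines the inner `min_t` bounded only `nbytes`, so the outer `max_t` let `random_read_wakeup_thresh / 8` exceed `sizeof(tmp)` once the threshold was raised past 8 * sizeof(tmp)), but consider also rejecting out-of-range values where the sysctl is written, so this clamp is defence in depth rather than the sole bound. Two comment nits in the added lines: "pull at least as many as BYTES as wakeup BITS" has a stray "as" and would read better as "pull at least as many bytes as the wakeup threshold has bits"; and the `rsvd` comment says "two wakeup worth's BITS" while `random_read_wakeup_thresh/4` is two wakeup thresholds' worth only if counted in bytes (2 * thresh/8), so the comment should say which unit `rsvd` is in.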

-- 

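The bound-check ordering the commit message describes, written out as an added C example that is not part of the patch or of the kernel's random.c: it models the pre- and post-patch computation of `bytes` with plain integers, assumes a 128-byte transfer buffer (the hunk only shows `sizeof(tmp)`, the actual size is not on this page) and a default wakeup threshold of 64 bits (also an assumption), and shows that raising the threshold makes the old expression exceed the buffer while the new ordering is clamped. It also generalises the fix into the usual clamp idiom, where the upper bound must be applied last.

```c
#include <stdio.h>

/* Assumed size of the on-stack transfer buffer `tmp`; the patch shows only sizeof(tmp). */
#define TMP_BYTES 128

/* Assumed default of the random_read_wakeup_thresh sysctl, in bits (not stated in the patch). */
#define DEFAULT_WAKEUP_BITS 64

static int max_int(int a, int b) { return a > b ? a : b; }
static int min_int(int a, int b) { return a < b ? a : b; }

/*
 * Pre-patch ordering: min() bounds nbytes to the buffer, but max() is applied
 * afterwards, so a wakeup threshold above 8 * TMP_BYTES overrides the bound
 * and the caller would write past the end of `tmp`.
 */
int xfer_bytes_old(int nbytes, int wakeup_thresh_bits)
{
    return max_int(wakeup_thresh_bits / 8, min_int(nbytes, TMP_BYTES));
}

/*
 * Post-patch ordering: raise to the wakeup threshold first, then clamp to the
 * buffer size last, so the result can never exceed TMP_BYTES.
 */
int xfer_bytes_new(int nbytes, int wakeup_thresh_bits)
{
    int bytes = nbytes;
    bytes = max_int(bytes, wakeup_thresh_bits / 8); /* at least one wakeup's worth */
    bytes = min_int(bytes, TMP_BYTES);              /* but never more than the buffer */
    return bytes;
}

/*
 * The general clamp pattern the fix reduces to: lower bound first, upper bound
 * last. When lo > hi (the case root created here) the upper bound wins, which
 * is the safe outcome for a fixed-size buffer.
 */
int clamp_int(int v, int lo, int hi)
{
    return min_int(max_int(v, lo), hi);
}

/* Returns 1 if copying `bytes` into the TMP_BYTES buffer would overrun it. */
int would_overflow(int bytes)
{
    return bytes > TMP_BYTES;
}

int main(void)
{
    /* Constructed inputs: a small request at the default threshold, then the
     * same request after root raised the threshold to 4096 bits (512 bytes). */
    int thresholds[] = { DEFAULT_WAKEUP_BITS, TMP_BYTES * 8, 4096 };
    int nbytes = 16;

    printf("%-10s %-10s %-10s %s\n", "thresh", "old", "new", "old overflows?");
    for (unsigned i = 0; i < sizeof(thresholds) / sizeof(thresholds[0]); i++) {
        int t = thresholds[i];
        int o = xfer_bytes_old(nbytes, t);
        int n = xfer_bytes_new(nbytes, t);
        printf("%-10d %-10d %-10d %s\n", t, o, n, would_overflow(o) ? "yes" : "no");
    }
    return 0;
}
```

The table the program prints makes the ordering point directly: with a threshold of 4096 bits the old expression asks for 512 bytes into a 128-byte buffer, while the new expression stops at 128.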
Thread overview:
     [not found] <20070814072244.882283903@mini.kroah.org>
2007-08-14  7:28 ` [patch 00/12] 2.6.22-stable review Greg KH
2007-08-14  7:28   ` [patch 01/12] fix oops in __audit_signal_info() Greg KH
2007-08-14  7:28   ` Greg KH [this message]
2007-08-14  7:28   ` [patch 03/12] softmac: Fix deadlock of wx_set_essid with assoc work Greg KH
2007-08-14  7:28     ` Greg KH
2007-08-14  7:29   ` [patch 04/12] ata_piix: update map 10b for ich8m Greg KH
2007-08-14  7:29   ` [patch 05/12] PPC: Revert "Dont complain if size-cells == 0 in prom_parse()" Greg KH
2007-08-14  7:29   ` [patch 07/12] powerpc: Fix size check for hugetlbfs Greg KH
2007-08-14  7:29     ` Greg KH
2007-08-14  7:56     ` David Gibson
2007-08-14  7:56       ` David Gibson
2007-08-14  7:29   ` [patch 06/12] PPC: Revert "Add mdio to bus scan id list for platforms with QE UEC" Greg KH
2007-08-14  7:29   ` [patch 08/12] direct-io: fix error-path crashes Greg KH
2007-08-14  7:29   ` [patch 12/12] CPUFREQ: ondemand: add a check to avoid negative load calculation Greg KH
2007-08-14  7:29   ` [patch 11/12] CPUFREQ: ondemand: fix tickless accounting and software coordination bug Greg KH
2007-08-14  7:29   ` [patch 10/12] pata_atiixp: add SB700 PCI ID Greg KH
2007-08-14  7:29   ` [patch 09/12] stifb: detect cards in double buffer mode more reliably Greg KH
2007-08-14 16:13   ` [patch 00/12] 2.6.22-stable review Prakash Punnoor
2007-08-14 16:04     ` Greg KH
2007-08-14 17:02       ` Prakash Punnoor
