From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
Theodore Tso <tytso@mit.edu>
Subject: [PATCH 4.6 22/56] random: strengthen input validation for RNDADDTOENTCNT
Date: Sun, 14 Aug 2016 22:37:26 +0200 [thread overview]
Message-ID: <20160814202505.841664697@linuxfoundation.org> (raw)
In-Reply-To: <20160814202504.908694181@linuxfoundation.org>
4.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec upstream.
Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative
entropy value. It doesn't make any sense to subtract from the entropy
counter, and it can trigger a warning:
random: negative entropy/overflow: pool input count -40000
------------[ cut here ]------------
WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[< none
>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
Modules linked in:
CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
[<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516
[<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
[<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
[< inline >] credit_entropy_bits_safe drivers/char/random.c:734
[<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207
---[ end trace 5d4902b2ba842f1f ]---
This was triggered using the test program:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
int main() {
int fd = open("/dev/random", O_RDWR);
int val = -5000;
ioctl(fd, RNDADDTOENTCNT, &val);
return 0;
}
It's harmless in that (a) only root can trigger it, and (b) after
complaining the code never does let the entropy count go negative, but
it's better to simply not allow this userspace from passing in a
negative entropy value altogether.
Google-Bug-Id: #29575089
Reported-By: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/random.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -722,15 +722,18 @@ retry:
}
}
-static void credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
{
const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
+ if (nbits < 0)
+ return -EINVAL;
+
/* Cap the value to avoid overflows */
nbits = min(nbits, nbits_max);
- nbits = max(nbits, -nbits_max);
credit_entropy_bits(r, nbits);
+ return 0;
}
/*********************************************************************
@@ -1542,8 +1545,7 @@ static long random_ioctl(struct file *f,
return -EPERM;
if (get_user(ent_count, p))
return -EFAULT;
- credit_entropy_bits_safe(&input_pool, ent_count);
- return 0;
+ return credit_entropy_bits_safe(&input_pool, ent_count);
case RNDADDENTROPY:
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
@@ -1557,8 +1559,7 @@ static long random_ioctl(struct file *f,
size);
if (retval < 0)
return retval;
- credit_entropy_bits_safe(&input_pool, ent_count);
- return 0;
+ return credit_entropy_bits_safe(&input_pool, ent_count);
case RNDZAPENTCNT:
case RNDCLEARPOOL:
/*
next prev parent reply other threads:[~2016-08-14 20:37 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160814203815uscas1p2549802c8af27d2aa233de8bce43fe3ee@uscas1p2.samsung.com>
2016-08-14 20:37 ` [PATCH 4.6 00/56] 4.6.7-stable review Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 01/56] libnvdimm, dax: record the specified alignment of a dax-device instance Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 02/56] libnvdimm, pfn, dax: fix initialization vs autodetect for mode + alignment Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 03/56] ppp: defer netns reference release for ppp channel Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 04/56] tcp: make challenge acks less predictable Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 05/56] tcp: enable per-socket rate limiting of all challenge acks Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 06/56] bonding: set carrier off for devices created through netlink Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 07/56] net: bgmac: Fix infinite loop in bgmac_dma_tx_add() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 08/56] vlan: use a valid default mtu value for vlan over macsec Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 09/56] bridge: Fix incorrect re-injection of LLDP packets Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 10/56] net: ipv6: Always leave anycast and multicast groups on link down Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 11/56] net/irda: fix NULL pointer dereference on memory allocation failure Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 12/56] qed: Fix setting/clearing bit in completion bitmap Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 13/56] macsec: ensure rx_sa is set when validation is disabled Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 14/56] tcp: consider recv buf for the initial window scale Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 16/56] arm: oabi compat: add missing access checks Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 17/56] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 18/56] IB/hfi1: Correct issues with sc5 computation Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 19/56] IB/hfi1: Fix deadlock with txreq allocation slow path Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 20/56] apparmor: fix ref count leak when profile sha1 hash is read Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 21/56] regulator: qcom_smd: Remove list_voltage callback for rpm_smps_ldo_ops_fixed Greg Kroah-Hartman
2016-08-14 20:37 ` Greg Kroah-Hartman [this message]
2016-08-14 20:37 ` [PATCH 4.6 23/56] x86/mm/pat: Add support of non-default PAT MSR setting Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 24/56] x86/mm/pat: Add pat_disable() interface Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 25/56] x86/mm/pat: Replace cpu_has_pat with boot_cpu_has() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 26/56] x86/mtrr: Fix Xorg crashes in Qemu sessions Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 27/56] x86/mtrr: Fix PAT init handling when MTRR is disabled Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 28/56] x86/xen, pat: Remove PAT table init code from Xen Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 29/56] x86/pat: Document the PAT initialization sequence Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 30/56] x86/mm/pat: Fix BUG_ON() in mmap_mem() on QEMU/i386 Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 31/56] udf: Prevent stack overflow on corrupted filesystem mount Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 32/56] powerpc/eeh: Fix invalid cached PE primary bus Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 33/56] powerpc/bpf/jit: Disable classic BPF JIT on ppc64le Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 34/56] mm: memcontrol: fix swap counter leak on swapout from offline cgroup Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 35/56] mm: memcontrol: fix memcg id ref counter on swap charge move Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 36/56] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 37/56] block: fix use-after-free in seq file Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 38/56] sysv, ipc: fix security-layer leaking Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 39/56] radix-tree: account nodes to memcg only if explicitly requested Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 40/56] x86/microcode: Fix suspend to RAM with builtin microcode Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 41/56] x86/power/64: Fix hibernation return address corruption Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 42/56] fuse: fsync() did not return IO errors Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 43/56] fuse: fuse_flush must check mapping->flags for errors Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 44/56] fuse: fix wrong assignment of ->flags in fuse_send_init() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 45/56] Revert "mm, mempool: only set __GFP_NOMEMALLOC if there are free elements" Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 46/56] fs/dcache.c: avoid soft-lockup in dput() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 47/56] Revert "cpufreq: pcc-cpufreq: update default value of cpuinfo_transition_latency" Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 48/56] crypto: gcm - Filter out async ghash if necessary Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 49/56] crypto: scatterwalk - Fix test in scatterwalk_done Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 50/56] serial: mvebu-uart: free the IRQ in ->shutdown() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 51/56] ext4: check for extents that wrap around Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 52/56] ext4: fix deadlock during page writeback Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 53/56] ext4: dont call ext4_should_journal_data() on the journal inode Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 54/56] ext4: validate s_reserved_gdt_blocks on mount Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 55/56] ext4: short-cut orphan cleanup on error Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.6 56/56] ext4: fix reference counting bug on block allocation error Greg Kroah-Hartman
2016-08-15 13:07 ` [PATCH 4.6 00/56] 4.6.7-stable review Guenter Roeck
2016-08-16 4:02 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160814202505.841664697@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dvyukov@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).