diff options
author | Matt Mackall <mpm@selenic.com> | 2007-07-15 17:10:14 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2007-08-15 09:25:09 -0700 |
commit | c712842ef701361ed3ee0f50f15797d7369b6628 (patch) | |
tree | b60cdfdcf3481f42ba94e8640cc37b2db3b55d9f | |
parent | 8adcb4c72176a326b61bbc0a7924d869e52cb116 (diff) | |
download | lwn-c712842ef701361ed3ee0f50f15797d7369b6628.tar.gz lwn-c712842ef701361ed3ee0f50f15797d7369b6628.zip |
random: fix bound check ordering (CVE-2007-3105)
If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.
(Bug reported by the PaX Team <pageexec@freemail.hu>)
Cc: Theodore Tso <tytso@mit.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/char/random.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c index 7f5271272f91..397c714cf2ba 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -693,9 +693,14 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes) if (r->pull && r->entropy_count < nbytes * 8 && r->entropy_count < r->poolinfo->POOLBITS) { - int bytes = max_t(int, random_read_wakeup_thresh / 8, - min_t(int, nbytes, sizeof(tmp))); + /* If we're limited, always leave two wakeup worth's BITS */ int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4; + int bytes = nbytes; + + /* pull at least as many as BYTES as wakeup BITS */ + bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); + /* but never more than the buffer size */ + bytes = min_t(int, bytes, sizeof(tmp)); DEBUG_ENT("going to reseed %s with %d bits " "(%d of %d requested)\n", |