random: fix bound check ordering (CVE-2007-3105)

If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.

(Bug reported by the PaX Team <pageexec@freemail.hu>)

Cc: Theodore Tso <tytso@mit.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Matt Mackall and committed by Linus Torvalds 5a021e9f f745bb1c

+7 -2
drivers/char/random.c
··· 693 693 694 694 if (r->pull && r->entropy_count < nbytes * 8 && 695 695 r->entropy_count < r->poolinfo->POOLBITS) { 696 - int bytes = max_t(int, random_read_wakeup_thresh / 8, 697 - min_t(int, nbytes, sizeof(tmp))); 696 + /* If we're limited, always leave two wakeup worth's BITS */ 698 697 int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4; 698 + int bytes = nbytes; 699 + 700 + /* pull at least as many as BYTES as wakeup BITS */ 701 + bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); 702 + /* but never more than the buffer size */ 703 + bytes = min_t(int, bytes, sizeof(tmp)); 699 704 700 705 DEBUG_ENT("going to reseed %s with %d bits " 701 706 "(%d of %d requested)\n",
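Review bot: the new comment above `int rsvd` says the reserve is left "if we're limited", but the line under it does the opposite: `r->limit ? 0 : random_read_wakeup_thresh/4` sets rsvd to 0 when r->limit is set and reserves only when it is not. Please reword the comment to match the expression (or confirm the expression is what is intended), and fix the wording of "pull at least as many as BYTES as wakeup BITS" while you are there. The functional part of the change looks right: applying `min_t(int, bytes, sizeof(tmp))` after the `max_t` means the root-tunable random_read_wakeup_thresh can no longer push bytes past the size of tmp. Since that ordering is the whole fix, it would be worth having the "never more than the buffer size" comment state that the clamp must remain the last adjustment to bytes, so a later cleanup does not fold the two calls back into a single nested expression.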