random: fix bound check ordering (CVE-2007-3105)

If root raised the default wakeup threshold over the size of the output pool, the pool transfer function could overflow the stack with RNG bytes, causing a DoS or potential privilege escalation. (Bug reported by the PaX Team <pageexec@freemail.hu>) Signed-off-by: Matt Mackall <mpm@selenic.com> Signed-off-by: Adrian Bunk <bunk@kernel.org>

random: fix bound check ordering (CVE-2007-3105)
If root raised the default wakeup threshold over the size of the output pool, the pool transfer function could overflow the stack with RNG bytes, causing a DoS or potential privilege escalation. (Bug reported by the PaX Team <pageexec@freemail.hu>) Signed-off-by: Matt Mackall <mpm@selenic.com> Signed-off-by: Adrian Bunk <bunk@kernel.org>
47d9c776 · Matt Mackall · Adrian Bunk · 46f6fdb6 · 47d9c776
Commit 47d9c776 authored Oct 07, 2007 by Matt Mackall Committed by Adrian Bunk Oct 07, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

drivers/char/random.c drivers/char/random.c +7 -2

No files found.
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -691,9 +691,14 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)

 	if (r->pull && r->entropy_count < nbytes * 8 &&
 	    r->entropy_count < r->poolinfo->POOLBITS) {
-		int bytes = max_t(int, random_read_wakeup_thresh / 8,
-				min_t(int, nbytes, sizeof(tmp)));
+		/* If we're limited, always leave two wakeup worth's BITS */
 		int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
+		int bytes = nbytes;
+
+		/* pull at least as many as BYTES as wakeup BITS */
+		bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
+		/* but never more than the buffer size */
+		bytes = min_t(int, bytes, sizeof(tmp));

 		DEBUG_ENT("going to reseed %s with %d bits "
 			  "(%d of %d requested)\n",