From: Anton Arapov <aarapov@redhat.com> Subject: [RHEL5.1 PATCH] BZ275971: CVE-2007-3105 Bound check ordering issue in random driver Date: Wed, 05 Sep 2007 10:56:46 +0200 Bugzilla: 275971 Message-Id: <h8r6ldqylt.fsf@pepelac.englab.brq.redhat.com> Changelog: [misc] Bounds check ordering issue in random driver BZ#275971: https://bugzilla.redhat.com/show_bug.cgi?id=275971 Description: If root raised the default wakeup threshold over the size of the output pool, the pool transfer function could overflow the stack with RNG bytes, causing a DoS or potential privilege escalation. Upstream status: commit# 5a021e9ffd56c22700133ebc37d607f95be8f7bd http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd Test status: Kernel has been tested for compilation and boot. http://porkchop.redhat.com/brewroot/cratch/aarapov/task_951386/ Notice: BZ275951 - RHEL4.6 Clone of this bug == diff -urpN linux-2.6.18.noarch.orig/drivers/char/random.c linux-2.6.18.noarch/drivers/char/random.c --- linux-2.6.18.noarch.orig/drivers/char/random.c 2007-09-05 07:06:41.000000000 +0200 +++ linux-2.6.18.noarch/drivers/char/random.c 2007-09-05 07:08:34.000000000 +0200 @@ -690,9 +690,14 @@ static void xfer_secondary_pool(struct e if (r->pull && r->entropy_count < nbytes * 8 && r->entropy_count < r->poolinfo->POOLBITS) { - int bytes = max_t(int, random_read_wakeup_thresh / 8, - min_t(int, nbytes, sizeof(tmp))); + /* If we're limited, always leave two wakeup worth's BITS */ int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4; + int bytes = nbytes; + + /* pull at least as many as BYTES as wakeup BITS */ + bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); + /* but never more than the buffer size */ + bytes = min_t(int, bytes, sizeof(tmp)); DEBUG_ENT("going to reseed %s with %d bits " "(%d of %d requested)\n", -- Anton Arapov, <aarapov@redhat.com> Kernel Development, Red Hat GPG Key ID: 0x6FA8C812
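Review bot: the new comment above `int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;` does not match the expression it documents: it reads "If we're limited, always leave two wakeup worth's BITS", but the ternary reserves 0 when `r->limit` is set and only reserves `random_read_wakeup_thresh/4` when it is not. The unit also looks off, since `random_read_wakeup_thresh/4` is twice the `random_read_wakeup_thresh / 8` value that the following lines treat as a byte count, so the reserve appears to be in bytes rather than bits. Please reword the comment to say which case reserves and in what unit, and tidy "pull at least as many as BYTES as wakeup BITS" while you are there. Separately, `bytes` is a signed `int` initialised from `nbytes` and the final `min_t(int, bytes, sizeof(tmp))` only bounds it from above; it would be worth stating in the changelog why `bytes` cannot be zero or negative at this point (the type of `nbytes` and the permitted range of `random_read_wakeup_thresh` are not visible in the hunk), or adding an explicit lower bound.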