random: fix bound check ordering (CVE-2007-3105) If root raised the default wakeup threshold over the size of the output pool, the pool transfer function could overflow the stack with RNG bytes, causing a DoS or potential privilege escalation. (Bug reported by the PaX Team <pageexec@freemail.hu>) Cc: Theodore Tso <tytso@mit.edu> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Matt Mackall <mpm@selenic.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 5a021e9ffd56c22700133ebc37d607f95be8f7bd [log] [tgz]
author: Matt Mackall <mpm@selenic.com> Thu Jul 19 11:30:14 2007 -0700
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> Thu Jul 19 14:21:04 2007 -0700
tree: 0d289c7feec4e7b3b19c7c312e8cb31532c5b9c9
parent: f745bb1c73e2395e6b9961d4d915a8f8e2cd32cd [diff] [blame]
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 7f52712..397c714 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c

@@ -693,9 +693,14 @@
 
 	if (r->pull && r->entropy_count < nbytes * 8 &&
 	    r->entropy_count < r->poolinfo->POOLBITS) {
-		int bytes = max_t(int, random_read_wakeup_thresh / 8,
-				min_t(int, nbytes, sizeof(tmp)));
+		/* If we're limited, always leave two wakeup worth's BITS */
 		int rsvd = r->limit ? 0 : random_read_wakeup_thresh/4;
+		int bytes = nbytes;
+
+		/* pull at least as many as BYTES as wakeup BITS */
+		bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
+		/* but never more than the buffer size */
+		bytes = min_t(int, bytes, sizeof(tmp));
 
 		DEBUG_ENT("going to reseed %s with %d bits "
 			  "(%d of %d requested)\n",
commit	5a021e9ffd56c22700133ebc37d607f95be8f7bd	[log] [tgz]
author	Matt Mackall <mpm@selenic.com>	Thu Jul 19 11:30:14 2007 -0700
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	Thu Jul 19 14:21:04 2007 -0700
tree	0d289c7feec4e7b3b19c7c312e8cb31532c5b9c9
parent	f745bb1c73e2395e6b9961d4d915a8f8e2cd32cd [diff] [blame]