linux/drivers/char
Theodore Ts'o 93f84c8864 random: strengthen input validation for RNDADDTOENTCNT
commit 86a574de45 upstream.

Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative
entropy value.  It doesn't make any sense to subtract from the entropy
counter, and it can trigger a warning:

random: negative entropy/overflow: pool input count -40000
------------[ cut here ]------------
WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[<      none >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
Modules linked in:
CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
 fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
 ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
 [<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516
 [<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
 [<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
 [<     inline     >] credit_entropy_bits_safe drivers/char/random.c:734
 [<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
 [<     inline     >] SYSC_ioctl fs/ioctl.c:689
 [<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
 [<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
---[ end trace 5d4902b2ba842f1f ]---

This was triggered using the test program:

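// autogenerated by syzkaller (http://github.com/google/syzkaller)

#include <fcntl.h>          // open(), O_RDWR
#include <sys/ioctl.h>      // ioctl()
#include <linux/random.h>   // RNDADDTOENTCNT

int main() {
        int fd = open("/dev/random", O_RDWR);
        int val = -5000;    // negative entropy count passed to the ioctl
        ioctl(fd, RNDADDTOENTCNT, &val);
        return 0;
}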

It's harmless in that (a) only root can trigger it, and (b) after
complaining the code never does let the entropy count go negative, but
it's better to simply not allow userspace to pass in a
negative entropy value altogether.

Google-Bug-Id: #29575089
Reported-By: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-08-16 09:30:49 +02:00
agp agp/uninorth: fix a memleak in create_gatt_table 2015-10-02 22:57:59 +10:00
hw_random hwrng: exynos - Fix unbalanced PM runtime put on timeout error path 2016-06-07 18:14:33 -07:00
ipmi ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() 2016-07-27 09:47:32 -07:00
mwave
pcmcia tty: Remove ASYNC_CLOSING checks in open()/hangup() methods 2015-10-17 21:11:29 -07:00
tpm tpm: fix the cleanup of struct tpm_chip 2016-04-12 09:08:47 -07:00
xilinx_hwicap char:xilinx_hwicap:buffer_icap - change 1/0 to true/false for bool type variable in function buffer_icap_set_configuration(). 2015-06-12 16:58:33 -07:00
xillybus char: xillybus: Allow 64-bit DMA on PCIe interface 2015-08-05 12:27:09 -07:00
apm-emulation.c
applicom.c
applicom.h
bfin-otp.c
bsr.c bsr: avoid format string leaking into device name 2014-07-09 16:59:15 -07:00
ds1302.c
ds1620.c
dsp56k.c drivers/char/dsp56k.c: drop check for negativity of unsigned parameter 2014-07-17 18:38:37 -07:00
dtlk.c
efirtc.c drivers/char: make efirtc.c driver explicitly non-modular 2015-09-20 19:32:35 -07:00
generic_nvram.c
genrtc.c
hangcheck-timer.c hangcheck-timer: cleanup casting in hangcheck_init() 2014-11-07 11:24:01 -08:00
hpet.c drivers/char: make hpet.c explicitly non-modular 2015-09-20 19:32:35 -07:00
Kconfig drivers/char: Remove msm_smd_pkt driver 2015-05-24 12:24:35 -07:00
lp.c
Makefile hwmon: Rename i8k driver to dell-smm-hwmon and move it to hwmon tree 2015-05-24 12:48:12 -07:00
mbcs.c
mbcs.h
mem.c switch drivers/char/mem.c to ->read_iter/->write_iter 2015-04-11 22:29:40 -04:00
misc.c char: make misc_deregister a void function 2015-08-05 10:35:49 -07:00
mmtimer.c
mspec.c
nsc_gpio.c
nvram.c char/nvram: Use bitwise OR to obtain Atari video mode data 2015-08-05 13:30:16 -07:00
nwbutton.c
nwbutton.h
nwflash.c
pc8736x_gpio.c
ppdev.c
ps3flash.c
random.c random: strengthen input validation for RNDADDTOENTCNT 2016-08-16 09:30:49 +02:00
raw.c writeback: separate out include/linux/backing-dev-defs.h 2015-06-02 08:33:34 -06:00
rtc.c
scx200_gpio.c
snsc_event.c
snsc.c drivers/char: make SGI snsc.c driver explicitly non-modular 2015-09-20 19:32:35 -07:00
snsc.h
sonypi.c char: drop owner assignment from platform_drivers 2014-10-20 16:20:19 +02:00
tb0219.c char: drop owner assignment from platform_drivers 2014-10-20 16:20:19 +02:00
tile-srom.c fs: move struct kiocb to fs.h 2015-03-25 20:28:11 -04:00
tlclk.c
toshiba.c toshiba laptop: replace ioremap_cache with ioremap 2015-08-05 17:26:00 -07:00
ttyprintk.c
uv_mmtimer.c
virtio_console.c virtio_console: silence a static checker warning 2015-05-24 12:24:35 -07:00