[feisty][PATCH] random-fix-error-in-entropy-extraction (CVE-2007-2453)

Tue Jun 5 13:00:22 UTC 2007

>From b5124b791df8b5104554dcc4552296681d91898f Mon Sep 17 00:00:00 2001
From: Matt Mackall <mpm at selenic.com>
Date: Tue, 29 May 2007 21:58:10 -0500
Subject: [PATCH] random: fix seeding with zero entropy (CVE-2007-2453)

Add data from zero-entropy random_writes directly to output pools to
avoid accounting difficulties on machines without entropy sources.

Tested on lguest with all entropy sources disabled.

Signed-off-by: Matt Mackall <mpm at selenic.com>
Acked-by: "Theodore Ts'o" <tytso at mit.edu>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit 7f397dcdb78d699a20d96bfcfb595a2411a5bbd2)
---
 drivers/char/random.c |   55 +++++++++++++++++++++++++++---------------------
 1 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index c7f6093..263e5e5 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1024,37 +1024,44 @@ random_poll(struct file *file, poll_table * wait)
 	return mask;
 }
 
-static ssize_t
-random_write(struct file * file, const char __user * buffer,
-	     size_t count, loff_t *ppos)
+static int
+write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
 {
-	int ret = 0;
 	size_t bytes;
 	__u32 buf[16];
 	const char __user *p = buffer;
-	size_t c = count;
 
-	while (c > 0) {
-		bytes = min(c, sizeof(buf));
+	while (count > 0) {
+		bytes = min(count, sizeof(buf));
+		if (copy_from_user(&buf, p, bytes))
+			return -EFAULT;
 
-		bytes -= copy_from_user(&buf, p, bytes);
-		if (!bytes) {
-			ret = -EFAULT;
-			break;
-		}
-		c -= bytes;
+		count -= bytes;
 		p += bytes;
 
-		add_entropy_words(&input_pool, buf, (bytes + 3) / 4);
-	}
-	if (p == buffer) {
-		return (ssize_t)ret;
-	} else {
-		struct inode *inode = file->f_path.dentry->d_inode;
-	        inode->i_mtime = current_fs_time(inode->i_sb);
-		mark_inode_dirty(inode);
-		return (ssize_t)(p - buffer);
+		add_entropy_words(r, buf, (bytes + 3) / 4);
 	}
+
+	return 0;
+}
+
+static ssize_t
+random_write(struct file * file, const char __user * buffer,
+	     size_t count, loff_t *ppos)
+{
+	size_t ret;
+	struct inode *inode = file->f_path.dentry->d_inode;
+
+	ret = write_pool(&blocking_pool, buffer, count);
+	if (ret)
+		return ret;
+	ret = write_pool(&nonblocking_pool, buffer, count);
+	if (ret)
+		return ret;
+
+	inode->i_mtime = current_fs_time(inode->i_sb);
+	mark_inode_dirty(inode);
+	return (ssize_t)count;
 }
 
 static int
@@ -1093,8 +1100,8 @@ random_ioctl(struct inode * inode, struct file * file,
 			return -EINVAL;
 		if (get_user(size, p++))
 			return -EFAULT;
-		retval = random_write(file, (const char __user *) p,
-				      size, &file->f_pos);
+		retval = write_pool(&input_pool, (const char __user *)p,
+				    size);
 		if (retval < 0)
 			return retval;
 		credit_entropy_store(&input_pool, ent_count);
-- 
1.4.4.2



