diff options
author | Matt Mackall <mpm@selenic.com> | 2007-05-29 21:58:10 -0500 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2007-06-07 14:23:04 -0700 |
commit | f5939fcd7378c7a26cc8101dff373c90d269d769 (patch) | |
tree | 044bce82d5872b8fa826498d2b50f3fbb7f9f99d | |
parent | 54bb290bb2bad45d45cae1399181a233ffbc487b (diff) |
[PATCH] random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)
Add data from zero-entropy random_writes directly to output pools to
avoid accounting difficulties on machines without entropy sources.
Tested on lguest with all entropy sources disabled.
Signed-off-by: Matt Mackall <mpm@selenic.com>
Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
-rw-r--r-- | drivers/char/random.c | 55 |
1 files changed, 31 insertions, 24 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c index c7f6093a35e..263e5e5f679 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1024,37 +1024,44 @@ random_poll(struct file *file, poll_table * wait) return mask; } -static ssize_t -random_write(struct file * file, const char __user * buffer, - size_t count, loff_t *ppos) +static int +write_pool(struct entropy_store *r, const char __user *buffer, size_t count) { - int ret = 0; size_t bytes; __u32 buf[16]; const char __user *p = buffer; - size_t c = count; - while (c > 0) { - bytes = min(c, sizeof(buf)); + while (count > 0) { + bytes = min(count, sizeof(buf)); + if (copy_from_user(&buf, p, bytes)) + return -EFAULT; - bytes -= copy_from_user(&buf, p, bytes); - if (!bytes) { - ret = -EFAULT; - break; - } - c -= bytes; + count -= bytes; p += bytes; - add_entropy_words(&input_pool, buf, (bytes + 3) / 4); - } - if (p == buffer) { - return (ssize_t)ret; - } else { - struct inode *inode = file->f_path.dentry->d_inode; - inode->i_mtime = current_fs_time(inode->i_sb); - mark_inode_dirty(inode); - return (ssize_t)(p - buffer); + add_entropy_words(r, buf, (bytes + 3) / 4); } + + return 0; +} + +static ssize_t +random_write(struct file * file, const char __user * buffer, + size_t count, loff_t *ppos) +{ + size_t ret; + struct inode *inode = file->f_path.dentry->d_inode; + + ret = write_pool(&blocking_pool, buffer, count); + if (ret) + return ret; + ret = write_pool(&nonblocking_pool, buffer, count); + if (ret) + return ret; + + inode->i_mtime = current_fs_time(inode->i_sb); + mark_inode_dirty(inode); + return (ssize_t)count; } static int @@ -1093,8 +1100,8 @@ random_ioctl(struct inode * inode, struct file * file, return -EINVAL; if (get_user(size, p++)) return -EFAULT; - retval = random_write(file, (const char __user *) p, - size, &file->f_pos); + retval = write_pool(&input_pool, (const char __user *)p, + size); if (retval < 0) return retval; credit_entropy_store(&input_pool, ent_count); |