forked from rpms/kernel
		
	CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
This commit is contained in:
		
							parent
							
								
									39941060c1
								
							
						
					
					
						commit
						2c51e4c931
					
				| @ -0,0 +1,40 @@ | ||||
| Stephan Mueller reported to me recently a error in random number generation in | ||||
| the ansi cprng. If several small requests are made that are less than the | ||||
| instances block size, the remainder for loop code doesn't increment | ||||
| rand_data_valid in the last iteration, meaning that the last bytes in the | ||||
| rand_data buffer gets reused on the subsequent smaller-than-a-block request for | ||||
| random data. | ||||
| 
 | ||||
| The fix is pretty easy, just re-code the for loop to make sure that | ||||
| rand_data_valid gets incremented appropriately | ||||
| 
 | ||||
| Signed-off-by: Neil Horman <nhorman@tuxdriver.com> | ||||
| Reported-by: Stephan Mueller <stephan.mueller@atsec.com> | ||||
| CC: Stephan Mueller <stephan.mueller@atsec.com> | ||||
| CC: Petr Matousek <pmatouse@redhat.com> | ||||
| CC: Herbert Xu <herbert@gondor.apana.org.au> | ||||
| CC: "David S. Miller" <davem@davemloft.net> | ||||
| ---
 | ||||
|  crypto/ansi_cprng.c | 4 ++-- | ||||
|  1 file changed, 2 insertions(+), 2 deletions(-) | ||||
| 
 | ||||
| diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
 | ||||
| index c0bb377..666f196 100644
 | ||||
| --- a/crypto/ansi_cprng.c
 | ||||
| +++ b/crypto/ansi_cprng.c
 | ||||
| @@ -230,11 +230,11 @@ remainder:
 | ||||
|  	 */ | ||||
|  	if (byte_count < DEFAULT_BLK_SZ) { | ||||
|  empty_rbuf: | ||||
| -		for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
 | ||||
| -			ctx->rand_data_valid++) {
 | ||||
| +		while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
 | ||||
|  			*ptr = ctx->rand_data[ctx->rand_data_valid]; | ||||
|  			ptr++; | ||||
|  			byte_count--; | ||||
| +			ctx->rand_data_valid++;
 | ||||
|  			if (byte_count == 0) | ||||
|  				goto done; | ||||
|  		} | ||||
| -- 
 | ||||
| 1.8.3.1 | ||||
| @ -767,6 +767,9 @@ Patch25100: tuntap-correctly-handle-error-in-tun_set_iff.patch | ||||
| #CVE-2013-4350 rhbz 1007872 1007903 | ||||
| Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch | ||||
| 
 | ||||
| #CVE-2013-4345 rhbz 1007690 1009136 | ||||
| Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch | ||||
| 
 | ||||
| Patch25103: fix-arm-btrfs-build.patch | ||||
| 
 | ||||
| # END OF PATCH DEFINITIONS | ||||
| @ -1498,6 +1501,9 @@ ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch | ||||
| #CVE-2013-4350 rhbz 1007872 1007903 | ||||
| ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch | ||||
| 
 | ||||
| #CVE-2013-4345 rhbz 1007690 1009136 | ||||
| ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch | ||||
| 
 | ||||
| # END OF PATCH APPLICATIONS | ||||
| 
 | ||||
| %endif | ||||
| @ -2302,6 +2308,9 @@ fi | ||||
| #                                    ||----w | | ||||
| #                                    ||     || | ||||
| %changelog | ||||
| * Tue Sep 17 2013 Josh Boyer <jwboyer@fedoraproject.org> | ||||
| - CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136) | ||||
| 
 | ||||
| * Tue Sep 17 2013 Kyle McMartin <kyle@redhat.com> | ||||
| - Add nvme.ko to modules.block for anaconda. | ||||
| 
 | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user