CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
This commit is contained in:
Josh Boyer
parent
39941060c1
commit
2c51e4c931
@ -0,0 +1,40 @@
|
|||||||
|
Stephan Mueller reported to me recently a error in random number generation in
|
||||||
|
the ansi cprng. If several small requests are made that are less than the
|
||||||
|
instances block size, the remainder for loop code doesn't increment
|
||||||
|
rand_data_valid in the last iteration, meaning that the last bytes in the
|
||||||
|
rand_data buffer gets reused on the subsequent smaller-than-a-block request for
|
||||||
|
random data.
|
||||||
|
|
||||||
|
The fix is pretty easy, just re-code the for loop to make sure that
|
||||||
|
rand_data_valid gets incremented appropriately
|
||||||
|
|
||||||
|
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
|
||||||
|
Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
|
||||||
|
CC: Stephan Mueller <stephan.mueller@atsec.com>
|
||||||
|
CC: Petr Matousek <pmatouse@redhat.com>
|
||||||
|
CC: Herbert Xu <herbert@gondor.apana.org.au>
|
||||||
|
CC: "David S. Miller" <davem@davemloft.net>
|
||||||
|
---
|
||||||
|
crypto/ansi_cprng.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
|
||||||
|
index c0bb377..666f196 100644
|
||||||
|
--- a/crypto/ansi_cprng.c
|
||||||
|
+++ b/crypto/ansi_cprng.c
|
||||||
|
@@ -230,11 +230,11 @@ remainder:
|
||||||
|
*/
|
||||||
|
if (byte_count < DEFAULT_BLK_SZ) {
|
||||||
|
empty_rbuf:
|
||||||
|
- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
|
||||||
|
- ctx->rand_data_valid++) {
|
||||||
|
+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
|
||||||
|
*ptr = ctx->rand_data[ctx->rand_data_valid];
|
||||||
|
ptr++;
|
||||||
|
byte_count--;
|
||||||
|
+ ctx->rand_data_valid++;
|
||||||
|
if (byte_count == 0)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
@ -767,6 +767,9 @@ Patch25100: tuntap-correctly-handle-error-in-tun_set_iff.patch
|
|||||||
#CVE-2013-4350 rhbz 1007872 1007903
|
#CVE-2013-4350 rhbz 1007872 1007903
|
||||||
Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
||||||
|
|
||||||
|
#CVE-2013-4345 rhbz 1007690 1009136
|
||||||
|
Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||||
|
|
||||||
Patch25103: fix-arm-btrfs-build.patch
|
Patch25103: fix-arm-btrfs-build.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
@ -1498,6 +1501,9 @@ ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
|
|||||||
#CVE-2013-4350 rhbz 1007872 1007903
|
#CVE-2013-4350 rhbz 1007872 1007903
|
||||||
ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
||||||
|
|
||||||
|
#CVE-2013-4345 rhbz 1007690 1009136
|
||||||
|
ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2302,6 +2308,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Sep 17 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
|
||||||
|
|
||||||
* Tue Sep 17 2013 Kyle McMartin <kyle@redhat.com>
|
* Tue Sep 17 2013 Kyle McMartin <kyle@redhat.com>
|
||||||
- Add nvme.ko to modules.block for anaconda.
|
- Add nvme.ko to modules.block for anaconda.
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user