Author: dannf
Date: Thu Feb 14 04:48:54 2008
New Revision: 10541

Log:
* random-bound-check-ordering.dpatch
  [SECURITY] Fix stack-based buffer overflow in the random number generator
  See CVE-2007-3105

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Thu Feb 14 04:48:54 2008 @@ -65,8 +65,12 @@ [SECURITY][powerpc] Fix NULL pointer dereference if get_property fails on the subarchitecture See CVE-2007-6694 + * random-bound-check-ordering.dpatch + [SECURITY] Fix stack-based buffer overflow in the random number + generator + See CVE-2007-3105 - -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 21:18:45 -0700 + -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 21:46:22 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch Thu Feb 14 04:48:54 2008 
@@ -0,0 +1,42 @@ +From: Matt Mackall <[EMAIL PROTECTED]> +Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700) +Subject: random: fix bound check ordering (CVE-2007-3105) +X-Git-Tag: v2.6.23-rc1~259 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd + +random: fix bound check ordering (CVE-2007-3105) + +If root raised the default wakeup threshold over the size of the +output pool, the pool transfer function could overflow the stack with +RNG bytes, causing a DoS or potential privilege escalation. + +(Bug reported by the PaX Team <[EMAIL PROTECTED]>) + +Cc: Theodore Tso <[EMAIL PROTECTED]> +Cc: Willy Tarreau <[EMAIL PROTECTED]> +Signed-off-by: Matt Mackall <[EMAIL PROTECTED]> +Signed-off-by: Chris Wright <[EMAIL PROTECTED]> +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> + +diff -urpN kernel-source-2.6.8.orig/drivers/char/random.c kernel-source-2.6.8/drivers/char/random.c +--- kernel-source-2.6.8.orig/drivers/char/random.c 2007-05-26 02:54:38.000000000 -0600 ++++ kernel-source-2.6.8/drivers/char/random.c 2008-02-11 21:15:53.000000000 -0700 +@@ -1321,8 +1321,13 @@ static inline void xfer_secondary_pool(s + { + if (r->entropy_count < nbytes * 8 && + r->entropy_count < r->poolinfo.POOLBITS) { +- int bytes = max_t(int, random_read_wakeup_thresh / 8, +- min_t(int, nbytes, TMP_BUF_SIZE)); ++ /* If we're limited, always leave two wakeup worth's BITS */ ++ int bytes = nbytes; ++ ++ /* pull at least as many as BYTES as wakeup BITS */ ++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); ++ /* but never more than the buffer size */ ++ bytes = min_t(int, bytes, TMP_BUF_SIZE); + + DEBUG_ENT("%04d %04d : going to reseed %s with %d bits " + "(%d of %d requested)\n", Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 
============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Thu Feb 14 04:48:54 2008 @@ -17,3 +17,4 @@ + amd64-zero-extend-32bit-ptrace.dpatch + usb-pwc-disconnect-block.dpatch + powerpc-chrp-null-deref.dpatch ++ random-bound-check-ordering.dpatch
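
Review bot: In the drivers/char/random.c hunk inside random-bound-check-ordering.dpatch, the new comment "If we're limited, always leave two wakeup worth's BITS" sits directly above `int bytes = nbytes;`, and nothing in the visible lines of xfer_secondary_pool() reserves any bits, so in this backport the comment describes behaviour the code does not have. Either drop it or carry over the reservation logic it refers to. The second comment, "pull at least as many as BYTES as wakeup BITS", is also hard to parse; something like "pull at least random_read_wakeup_thresh / 8 bytes" would match the expression below it. The reordering itself is what matters for CVE-2007-3105: the old expression applied max_t() outermost, so a random_read_wakeup_thresh / 8 larger than TMP_BUF_SIZE won, whereas the new code applies min_t() last and bytes can no longer exceed TMP_BUF_SIZE. Since the hunk does not show the declaration of the buffer being filled, it is worth confirming that TMP_BUF_SIZE is a byte count no larger than that buffer in 2.6.8 before relying on the clamp.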