A read of 2^32 bytes can trigger an endless loop in randomread(), due to
integer truncation when passing a size_t argument to min(). There is a
similar issue in randomwrite().

The diff included below is a minimal version of a similar diff I sent
to tech@ some months ago, but with peripheral changes, like converting
uiomovei() to uiomove() or adding unnecessary casts, removed. This
should make the diff easier to review.

See http://marc.info/?l=openbsd-tech&m=142850699715734 for reference.

Index: dev/rnd.c
===================================================================
RCS file: /cvs/src/sys/dev/rnd.c,v
retrieving revision 1.176
diff -u -p -r1.176 rnd.c
--- dev/rnd.c   27 Oct 2015 11:13:06 -0000      1.176
+++ dev/rnd.c   26 Dec 2015 10:26:09 -0000
@@ -840,7 +840,7 @@ randomread(dev_t dev, struct uio *uio, i
        }
 
        while (ret == 0 && uio->uio_resid > 0) {
-               int     n = min(POOLBYTES, uio->uio_resid);
+               int     n = ulmin(POOLBYTES, uio->uio_resid);
 
                if (myctx) {
 #ifndef KEYSTREAM_ONLY
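Review bot: `n` stays an `int` while `ulmin()` returns `unsigned long`, so the assignment at `int n = ulmin(POOLBYTES, uio->uio_resid);` is safe only because the result is bounded by POOLBYTES; a short comment on that line stating why `min()` must not be used here (a 64-bit `uio_resid` of 2^32 truncates to 0 and the loop never advances) would keep a later cleanup from reintroducing it.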
@@ -872,7 +872,7 @@ randomwrite(dev_t dev, struct uio *uio, 
        buf = malloc(POOLBYTES, M_TEMP, M_WAITOK);
 
        while (ret == 0 && uio->uio_resid > 0) {
-               int     n = min(POOLBYTES, uio->uio_resid);
+               int     n = ulmin(POOLBYTES, uio->uio_resid);
 
                ret = uiomovei(buf, n, uio);
                if (ret != 0)
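Review bot: same pattern as in randomread(): `uiomovei(buf, n, uio)` takes an `int`, so keeping `n` as `int` is consistent, but the progress guarantee of the `while (ret == 0 && uio->uio_resid > 0)` loop now rests on `ulmin()` bounding `n` to POOLBYTES; consider noting that in a comment, or declaring `n` as `size_t` in a follow-up that also switches to `uiomove()`.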


cheers,
natano
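
The truncation described at the top of the mail, shown as an added stand-alone demo (not code from the patch or from rnd.c): a simulated copy loop with the int-taking min() makes no progress for a 2^32-byte request on a 64-bit size_t, while ulmin() drains it. The POOLBYTES value, the helper shapes and the iteration cap are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this demo; the kernel's real POOLBYTES may differ. */
#define POOLBYTES 8192
/* Iteration cap standing in for "endless": 2^32 / POOLBYTES needs 524288 rounds. */
#define MAX_ITER  (1 << 20)

/* Assumed helper shapes: min() takes int (the bug), ulmin() takes unsigned long. */
static int min(int a, int b) { return a < b ? a : b; }
static unsigned long ulmin(unsigned long a, unsigned long b) { return a < b ? a : b; }

/*
 * Simulate the randomread()/randomwrite() loop over a uio_resid of `resid`
 * bytes. Returns the number of rounds needed to drain it, or -1 when the
 * loop makes no progress within MAX_ITER rounds.
 */
static int drain(size_t resid, int use_ulmin)
{
    int iters = 0;

    while (resid > 0) {
        /* Buggy path: resid is implicitly converted to int; 2^32 becomes 0. */
        int n = use_ulmin ? (int)ulmin(POOLBYTES, resid)
                          : min(POOLBYTES, resid);

        resid -= (size_t)n;        /* what uiomove() would consume */
        if (++iters > MAX_ITER)
            return -1;             /* stuck: n == 0 every round */
    }
    return iters;
}

int main(void)
{
    size_t req = (size_t)1 << 32;  /* requires a 64-bit size_t (LP64) */

    printf("min():   %d rounds\n", drain(req, 0));   /* -1, no progress */
    printf("ulmin(): %d rounds\n", drain(req, 1));   /* 524288 */
    return 0;
}
```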
