author | Josh Boyer <jwboyer@fedoraproject.org> | 2013-09-17 15:57:07 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2013-09-17 15:57:07 -0400 |
commit | 2c51e4c93181056d42b2b067745ab2fd29a05910 (patch) | |
tree | 00ab8f85b182e43f695c56b465d1d615a3723b0c | |
parent | 39941060c1c3886af3e0b5b236e3c050db0634b6 (diff) | |
CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
-rw-r--r-- | ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch | 40 | ||||
-rw-r--r-- | kernel.spec | 9 |
2 files changed, 49 insertions, 0 deletions
diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
new file mode 100644
index 000000000..c8d015491
--- /dev/null
+++ b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
@@ -0,0 +1,40 @@
+Stephan Mueller reported to me recently a error in random number generation in
+the ansi cprng. If several small requests are made that are less than the
+instances block size, the remainder for loop code doesn't increment
+rand_data_valid in the last iteration, meaning that the last bytes in the
+rand_data buffer gets reused on the subsequent smaller-than-a-block request for
+random data.
+
+The fix is pretty easy, just re-code the for loop to make sure that
+rand_data_valid gets incremented appropriately
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
+CC: Stephan Mueller <stephan.mueller@atsec.com>
+CC: Petr Matousek <pmatouse@redhat.com>
+CC: Herbert Xu <herbert@gondor.apana.org.au>
+CC: "David S. Miller" <davem@davemloft.net>
+---
+ crypto/ansi_cprng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
+index c0bb377..666f196 100644
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -230,11 +230,11 @@ remainder:
+ */
+ if (byte_count < DEFAULT_BLK_SZ) {
+ empty_rbuf:
+- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+- ctx->rand_data_valid++) {
++ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
+ *ptr = ctx->rand_data[ctx->rand_data_valid];
+ ptr++;
+ byte_count--;
++ ctx->rand_data_valid++;
+ if (byte_count == 0)
+ goto done;
+ }
+--
+1.8.3.1
diff --git a/kernel.spec b/kernel.spec
index 125e6ef6b..65bfc0afd 100644
--- a/kernel.spec
+++ b/kernel.spec
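Review bot: The placement of `ctx->rand_data_valid++` ahead of the `if (byte_count == 0) goto done;` exit is the entire fix in the embedded crypto/ansi_cprng.c hunk, yet nothing in the new `while` loop records that the order matters. A later tidy-up that folds the increment back into a `for` header would silently bring back the reuse of the last returned byte on the next sub-block request. I would add a comment above the increment, for example `/* mark the byte consumed before the exit check, or the next short request returns it again */`. The enclosing function starts and ends outside the hunk, so whether the full-block copy path keeps `rand_data_valid` consistent in the same way cannot be confirmed from here. The patch file also carries no upstream reference in its header; a line such as `Upstream: <commit-or-list-URL>` (placeholder) would make it clear when the distro patch can be dropped.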
@@ -767,6 +767,9 @@ Patch25100: tuntap-correctly-handle-error-in-tun_set_iff.patch #CVE-2013-4350 rhbz 1007872 1007903 Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch +#CVE-2013-4345 rhbz 1007690 1009136 +Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch + Patch25103: fix-arm-btrfs-build.patch # END OF PATCH DEFINITIONS @@ -1498,6 +1501,9 @@ ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch #CVE-2013-4350 rhbz 1007872 1007903 ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch +#CVE-2013-4345 rhbz 1007690 1009136 +ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch + # END OF PATCH APPLICATIONS %endif @@ -2302,6 +2308,9 @@ fi # ||----w | # || || %changelog +* Tue Sep 17 2013 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136) + * Tue Sep 17 2013 Kyle McMartin <kyle@redhat.com> - Add nvme.ko to modules.block for anaconda. |