CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)

This commit is contained in:
Josh Boyer 2013-09-17 15:57:07 -04:00
parent 39941060c1
commit 2c51e4c931
2 changed files with 49 additions and 0 deletions

View File

@ -0,0 +1,40 @@
Stephan Mueller reported to me recently a error in random number generation in
the ansi cprng. If several small requests are made that are less than the
instances block size, the remainder for loop code doesn't increment
rand_data_valid in the last iteration, meaning that the last bytes in the
rand_data buffer gets reused on the subsequent smaller-than-a-block request for
random data.
The fix is pretty easy, just re-code the for loop to make sure that
rand_data_valid gets incremented appropriately
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
CC: Stephan Mueller <stephan.mueller@atsec.com>
CC: Petr Matousek <pmatouse@redhat.com>
CC: Herbert Xu <herbert@gondor.apana.org.au>
CC: "David S. Miller" <davem@davemloft.net>
---
crypto/ansi_cprng.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index c0bb377..666f196 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -230,11 +230,11 @@ remainder:
*/
if (byte_count < DEFAULT_BLK_SZ) {
empty_rbuf:
- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
- ctx->rand_data_valid++) {
+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
*ptr = ctx->rand_data[ctx->rand_data_valid];
ptr++;
byte_count--;
+ ctx->rand_data_valid++;
if (byte_count == 0)
goto done;
}
--
1.8.3.1

View File

@ -767,6 +767,9 @@ Patch25100: tuntap-correctly-handle-error-in-tun_set_iff.patch
#CVE-2013-4350 rhbz 1007872 1007903
Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
#CVE-2013-4345 rhbz 1007690 1009136
Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
Patch25103: fix-arm-btrfs-build.patch
# END OF PATCH DEFINITIONS
@ -1498,6 +1501,9 @@ ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
#CVE-2013-4350 rhbz 1007872 1007903
ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
#CVE-2013-4345 rhbz 1007690 1009136
ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
# END OF PATCH APPLICATIONS
%endif
@ -2302,6 +2308,9 @@ fi
# ||----w |
# || ||
%changelog
* Tue Sep 17 2013 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
* Tue Sep 17 2013 Kyle McMartin <kyle@redhat.com>
- Add nvme.ko to modules.block for anaconda.