[kernel/f20] CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
Josh Boyer
jwboyer at fedoraproject.org
Tue Sep 17 20:04:59 UTC 2013
commit 4d7ada78a64c86789836f5153962a45693b4d9a6
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Tue Sep 17 15:57:07 2013 -0400
CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
...ff-by-one-error-in-non-block-size-request.patch | 40 ++++++++++++++++++++
kernel.spec | 9 ++++
2 files changed, 49 insertions(+), 0 deletions(-)
---
diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
new file mode 100644
index 0000000..c8d0154
--- /dev/null
+++ b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
@@ -0,0 +1,40 @@
+Stephan Mueller reported to me recently a error in random number generation in
+the ansi cprng. If several small requests are made that are less than the
+instances block size, the remainder for loop code doesn't increment
+rand_data_valid in the last iteration, meaning that the last bytes in the
+rand_data buffer gets reused on the subsequent smaller-than-a-block request for
+random data.
+
+The fix is pretty easy, just re-code the for loop to make sure that
+rand_data_valid gets incremented appropriately
+
+Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
+Reported-by: Stephan Mueller <stephan.mueller at atsec.com>
+CC: Stephan Mueller <stephan.mueller at atsec.com>
+CC: Petr Matousek <pmatouse at redhat.com>
+CC: Herbert Xu <herbert at gondor.apana.org.au>
+CC: "David S. Miller" <davem at davemloft.net>
+---
+ crypto/ansi_cprng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
+index c0bb377..666f196 100644
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -230,11 +230,11 @@ remainder:
+ */
+ if (byte_count < DEFAULT_BLK_SZ) {
+ empty_rbuf:
+- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+- ctx->rand_data_valid++) {
++ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
+ *ptr = ctx->rand_data[ctx->rand_data_valid];
+ ptr++;
+ byte_count--;
++ ctx->rand_data_valid++;
+ if (byte_count == 0)
+ goto done;
+ }
+--
+1.8.3.1
diff --git a/kernel.spec b/kernel.spec
index 7799d3d..6629d53 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -791,6 +791,9 @@ Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch
#CVE-2013-4350 rhbz 1007872 1007903
Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
+#CVE-2013-4345 rhbz 1007690 1009136
+Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1540,6 +1543,9 @@ ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
#CVE-2013-4350 rhbz 1007872 1007903
ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
+#CVE-2013-4345 rhbz 1007690 1009136
+ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2342,6 +2348,9 @@ fi
# ||----w |
# || ||
%changelog
+* Tue Sep 17 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
+
* Tue Sep 17 2013 Kyle McMartin <kyle at redhat.com>
- Add nvme.ko to modules.block for anaconda.
More information about the scm-commits
mailing list