mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix race in drivers/char/random.c:get_reg()

Browse source 
get_reg() can be reentered on architectures with prioritized interrupts
(m68k in this case), causing f->reg_index to be incremented after the
range check. Out of bounds memory access past the pt_regs struct results.
This will go mostly undetected unless access is beyond end of memory.

Prevent the race by disabling interrupts in get_reg().

Tested on m68k (Atari Falcon, and ARAnyM emulator).

Kudos to Geert Uytterhoeven for helping to trace this race.

Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
This commit is contained in:
Michael Schmitz 2017-04-30 19:49:21 +12:00 committed by Theodore Ts'o
parent 08332893e3
commit 9dfa7bba35
1 changed files with 5 additions and 1 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/char/random.c
View file

@ -1097,12 +1097,16 @@ static void add_interrupt_bench(cycles_t start)
static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
{
__u32 *ptr = (__u32 *) regs;
unsigned long flags;
if (regs == NULL)
return 0;
local_irq_save(flags);
if (f->reg_idx >= sizeof(struct pt_regs) / sizeof(__u32))
f->reg_idx = 0;
return *(ptr + f->reg_idx++);
ptr += f->reg_idx++;
local_irq_restore(flags);
return *ptr;
}
void add_interrupt_randomness(int irq, int irq_flags)