author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:26:31 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:26:31 +0200 |
commit | 6a68947178d47c7e473a0a4a25d73be51a252803 (patch) | |
tree | 999fcb4391b6b852cc78e6c45debed1815a039fc | |
parent | 53fccbc963044818e6f5afb73c09bf91a88518a3 (diff) | |
download | enea-kernel-cache-6a68947178d47c7e473a0a4a25d73be51a252803.tar.gz |
random: CVE-2018-1108
random: fix crng_ready() test
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4dfb3442bb7e1fb80515df4a199ca5a7a8edf900
Change-Id: Ibd02ab7de61291eef85169c12cf5e7a97cb60604
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-1108-random-fix-crng_ready-test.patch | 84 |
2 files changed, 87 insertions, 0 deletions
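--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -3,3 +3,6 @@ patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
 
 #CVEs fixed in 4.9.91:
 SRC_URI += "file://CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch"
+
+#CVEs fixed in 4.9.96:
+SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch"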
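Review bot: The new entry `SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch"` uses BitBake recipe syntax inside an .scc series file, while the hunk header shows an earlier entry in the same file written as `patch CVE-2018-7480-…patch`. If the kernel tooling only honours `patch` directives here, the CVE-2018-1108 fix would be carried in the tree but never applied to the build; the preceding 4.9.91 entry has the same form. I would write the line as `patch CVE-2018-1108-random-fix-crng_ready-test.patch` and confirm in a build log that the patch is actually applied.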
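--- /dev/null
+++ b/patches/cve/CVE-2018-1108-random-fix-crng_ready-test.patch
@@ -0,0 +1,84 @@
+From 4dfb3442bb7e1fb80515df4a199ca5a7a8edf900 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 11 Apr 2018 13:27:52 -0400
+Subject: [PATCH] random: fix crng_ready() test
+
+commit 43838a23a05fbd13e47d750d3dfd77001536dd33 upstream.
+
+The crng_init variable has three states:
+
+0: The CRNG is not initialized at all
+1: The CRNG has a small amount of entropy, hopefully good enough for
+early-boot, non-cryptographical use cases
+2: The CRNG is fully initialized and we are sure it is safe for
+cryptographic use cases.
+
+The crng_ready() function should only return true once we are in the
+last state. This addresses CVE-2018-1108.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: e192be9d9a30 ("random: replace non-blocking pool...")
+Cc: stable@kernel.org # 4.8+
+
+CVE: CVE-2018-1108
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4dfb3442bb7e1fb80515df4a199ca5a7a8edf900]
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+drivers/char/random.c | 10 +++++-----
+1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index cf1b91e33a28..4f82fe0789e4 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -434,7 +434,7 @@ struct crng_state primary_crng = {
+* its value (from 0->1->2).
+*/
+static int crng_init = 0;
+-#define crng_ready() (likely(crng_init > 0))
++#define crng_ready() (likely(crng_init > 1))
+static int crng_init_cnt = 0;
+#define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+static void _extract_crng(struct crng_state *crng,
+@@ -800,7 +800,7 @@ static int crng_fast_load(const char *cp, size_t len)
+
+if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+return 0;
+- if (crng_ready()) {
++ if (crng_init != 0) {
+spin_unlock_irqrestore(&primary_crng.lock, flags);
+return 0;
+}
+@@ -872,7 +872,7 @@ static void _extract_crng(struct crng_state *crng,
+{
+unsigned long v, flags;
+
+- if (crng_init > 1 &&
++ if (crng_ready() &&
+time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))
+crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
+spin_lock_irqsave(&crng->lock, flags);
+@@ -1153,7 +1153,7 @@ void add_interrupt_randomness(int irq, int irq_flags)
+fast_mix(fast_pool);
+add_interrupt_bench(cycles);
+
+- if (!crng_ready()) {
++ if (unlikely(crng_init == 0)) {
+if ((fast_pool->count >= 64) &&
+crng_fast_load((char *) fast_pool->pool,
+sizeof(fast_pool->pool))) {
+@@ -2148,7 +2148,7 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
+{
+struct entropy_store *poolp = &input_pool;
+
+- if (!crng_ready()) {
++ if (unlikely(crng_init == 0)) {
+crng_fast_load(buffer, count);
+return;
+}
+
+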
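Review bot: The threshold in `#define crng_ready() (likely(crng_init > 1))` is left undocumented at the macro, and its meaning now differs from the three call sites that were switched to raw `crng_init == 0` / `crng_init != 0` tests. I would add a comment above the macro, for example `/* crng_ready(): true only in state 2 (fully seeded); test crng_init == 0 for "not yet started" */`, so later backports do not reintroduce the state-1 confusion this CVE fix removes. Any other crng_ready() caller in random.c that is not in these hunks now waits for state 2 as well, which presumably lengthens the time until blocking consumers are released on low-entropy targets; that is worth checking on boards without a hardware RNG. The surrounding functions start and end outside the hunks shown.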