From 6a68947178d47c7e473a0a4a25d73be51a252803 Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Fri, 26 Oct 2018 13:26:31 +0200
Subject: random: CVE-2018-1108 random: fix crng_ready() test
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4dfb3442bb7e1fb80515df4a199ca5a7a8edf900
Change-Id: Ibd02ab7de61291eef85169c12cf5e7a97cb60604
Signed-off-by: Andreas Wellving
---
 patches/cve/4.9.x.scc | 3 +
 .../CVE-2018-1108-random-fix-crng_ready-test.patch | 84 ++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 patches/cve/CVE-2018-1108-random-fix-crng_ready-test.patch
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 4dad7d1..788052b 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -3,3 +3,6 @@ patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
 #CVEs fixed in 4.9.91:
 SRC_URI += "file://CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch"
+
+#CVEs fixed in 4.9.96:
+SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch"
diff --git a/patches/cve/CVE-2018-1108-random-fix-crng_ready-test.patch b/patches/cve/CVE-2018-1108-random-fix-crng_ready-test.patch
new file mode 100644
index 0000000..4f7297b
--- /dev/null
+++ b/patches/cve/CVE-2018-1108-random-fix-crng_ready-test.patch
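Review bot: The added entry `SRC_URI += "file://CVE-2018-1108-random-fix-crng_ready-test.patch"` in patches/cve/4.9.x.scc does not follow the `patch <file>` form that the CVE-2018-7480 entry visible in the same hunk uses; it reads like a BitBake recipe assignment rather than an .scc directive. If the .scc processing only acts on `patch` directives, this CVE fix would be listed but never applied to the kernel tree, which is easy to miss because the build may still succeed. I would write the entry as `patch CVE-2018-1108-random-fix-crng_ready-test.patch` and confirm from the build log that the patch is actually applied. The unchanged 4.9.91 entry above it has the same form and deserves the same check.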
@@ -0,0 +1,84 @@
+From 4dfb3442bb7e1fb80515df4a199ca5a7a8edf900 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 11 Apr 2018 13:27:52 -0400
+Subject: [PATCH] random: fix crng_ready() test
+
+commit 43838a23a05fbd13e47d750d3dfd77001536dd33 upstream.
+
+The crng_init variable has three states:
+
+0: The CRNG is not initialized at all
+1: The CRNG has a small amount of entropy, hopefully good enough for
+ early-boot, non-cryptographical use cases
+2: The CRNG is fully initialized and we are sure it is safe for
+ cryptographic use cases.
+
+The crng_ready() function should only return true once we are in the
+last state. This addresses CVE-2018-1108.
+
+Reported-by: Jann Horn
+Fixes: e192be9d9a30 ("random: replace non-blocking pool...")
+Cc: stable@kernel.org # 4.8+
+
+CVE: CVE-2018-1108
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4dfb3442bb7e1fb80515df4a199ca5a7a8edf900]
+
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Jann Horn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Andreas Wellving
+---
+ drivers/char/random.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index cf1b91e33a28..4f82fe0789e4 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -434,7 +434,7 @@ struct crng_state primary_crng = {
+ * its value (from 0->1->2).
+ */
+ static int crng_init = 0;
+-#define crng_ready() (likely(crng_init > 0))
++#define crng_ready() (likely(crng_init > 1))
+ static int crng_init_cnt = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+ static void _extract_crng(struct crng_state *crng,
+@@ -800,7 +800,7 @@ static int crng_fast_load(const char *cp, size_t len)
+
+ if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+ return 0;
+- if (crng_ready()) {
++ if (crng_init != 0) {
+ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ return 0;
+ }
+@@ -872,7 +872,7 @@ static void _extract_crng(struct crng_state *crng,
+ {
+ unsigned long v, flags;
+
+- if (crng_init > 1 &&
++ if (crng_ready() &&
+ time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))
+ crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
+ spin_lock_irqsave(&crng->lock, flags);
+@@ -1153,7 +1153,7 @@ void add_interrupt_randomness(int irq, int irq_flags)
+ fast_mix(fast_pool);
+ add_interrupt_bench(cycles);
+
+- if (!crng_ready()) {
++ if (unlikely(crng_init == 0)) {
+ if ((fast_pool->count >= 64) &&
+ crng_fast_load((char *) fast_pool->pool,
+ sizeof(fast_pool->pool))) {
+@@ -2148,7 +2148,7 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
+ {
+ struct entropy_store *poolp = &input_pool;
+
+- if (!crng_ready()) {
++ if (unlikely(crng_init == 0)) {
+ crng_fast_load(buffer, count);
+ return;
+ }
+
+
-- cgit v1.2.3-54-g00ecf
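Review bot: Redefining `crng_ready()` as `(likely(crng_init > 1))` changes the answer for every caller of the macro in drivers/char/random.c, yet the backported patch only shows the sites that were switched to explicit `crng_init` tests; the remaining callers lie outside the hunks and should be checked against the 4.9.x tree this is applied to. Any caller that waits for or warns on readiness will presumably now do so until state 2, so targets with little boot-time entropy are worth a boot test before this ships. I would also tie the bare 0/1 comparisons to the three states listed in the commit message with a comment at the macro, `/* true only in state 2 (fully seeded); early-boot loaders test crng_init == 0 directly */`, or put that sentence in the patch header if the backport must stay identical to upstream. The four functions touched all start or end outside their hunks.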