| commit | 47d9c7762bd6e2d766cba697952f11fba9d5acf6 | |
| author | Matt Mackall <mpm@selenic.com> | |
| Sat, 6 Oct 2007 22:27:53 +0000 (7 00:27 +0200) | ||
| committer | Adrian Bunk <bunk@kernel.org> | |
| Sat, 6 Oct 2007 22:27:53 +0000 (7 00:27 +0200) | ||
| tree | 7e487af390ac0624d08f141ebf99b5b544490f39 | treesnapshot (tar.gz zip) |
| parent | 46f6fdb65fb9a80fa31ab25c5aad3d150bb7c398 | commitdiff |
random: fix bound check ordering (CVE-2007-3105)
If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.
(Bug reported by the PaX Team <pageexec@freemail.hu>)
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.
(Bug reported by the PaX Team <pageexec@freemail.hu>)
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
| drivers/char/random.c | diffblobblamehistory |