NothingOSS/android_kernel_msm-6.1_nothing_sm7635
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_msm-6.1_noth.../drivers
History
Theodore Ts'o 86a574de45 random: strengthen input validation for RNDADDTOENTCNT 
Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative
entropy value.  It doesn't make any sense to subtract from the entropy
counter, and it can trigger a warning:

random: negative entropy/overflow: pool input count -40000
------------[ cut here ]------------
WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[<      none
 >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
Modules linked in:
CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
 fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
 ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
 [<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516
 [<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
 [<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
 [<     inline     >] credit_entropy_bits_safe drivers/char/random.c:734
 [<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
 [<     inline     >] SYSC_ioctl fs/ioctl.c:689
 [<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
 [<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207
---[ end trace 5d4902b2ba842f1f ]---

This was triggered using the test program:

// autogenerated by syzkaller (http://github.com/google/syzkaller)

int main() {
        int fd = open("/dev/random", O_RDWR);
        int val = -5000;
        ioctl(fd, RNDADDTOENTCNT, &val);
        return 0;
}

It's harmless in that (a) only root can trigger it, and (b) after
complaining the code never does let the entropy count go negative, but
it's better to simply not allow this userspace from passing in a
negative entropy value altogether.

Google-Bug-Id: #29575089
Reported-By: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-07-03 17:09:33 -04:00
..
accessibility
acpi remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
amba
android
ata remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
atm
auxdisplay
base More power management updates for v4.7-rc1 2016-05-25 15:29:21 -07:00
bcma MTD updates for v4.7: 2016-05-24 11:00:20 -07:00
block DAX error handling for 4.7 2016-05-26 19:34:26 -07:00
bluetooth Bluetooth: Add USB ID 13D3:3487 to ath3k 2016-05-13 16:54:59 +02:00
bus Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-05-19 10:02:26 -07:00
cdrom
char random: strengthen input validation for RNDADDTOENTCNT 2016-07-03 17:09:33 -04:00
clk remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
clocksource Small release overall. 2016-05-19 11:27:09 -07:00
connector
cpufreq remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
cpuidle cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() 2016-05-18 02:48:37 +02:00
crypto remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
dax /dev/dax, core: file operations and dax-mmap 2016-05-20 22:02:55 -07:00
dca
devfreq
dio
dma remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
dma-buf
edac Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2016-05-17 17:05:30 -07:00
eisa
extcon
firewire
firmware driver core update for 4.7-rc1 2016-05-20 21:26:15 -07:00
fmc
fpga
gpio remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
gpu remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
hid Merge branch 'for-4.7/wacom' into for-linus 2016-05-17 12:42:27 +02:00
hsi
hv random: add interrupt callback to VMBus IRQ handler 2016-06-13 11:54:33 -04:00
hwmon Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging 2016-05-26 09:48:23 -07:00
hwspinlock drivers/hwspinlock: use correct radix tree API 2016-05-20 17:58:30 -07:00
hwtracing Char / Misc driver update for 4.7-rc1 2016-05-20 21:20:31 -07:00
i2c i2c: dev: use after free in detach 2016-05-28 17:37:42 +02:00
ide
idle
iio Staging and IIO driver update for 4.7-rc1 2016-05-20 22:20:48 -07:00
infiniband Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-05-28 12:04:17 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-05-27 19:14:35 -07:00
iommu remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
ipack
irqchip Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-05-28 16:41:39 -07:00
isdn TTY and Serial driver update for 4.7-rc1 2016-05-20 20:57:27 -07:00
leds pwm: Changes for v4.7-rc1 2016-05-25 10:40:15 -07:00
lguest
lightnvm
macintosh
mailbox
mcb
md Merge branch 'for-linus' of git://git.kernel.dk/linux-block 2016-05-27 14:28:09 -07:00
media Merge branch 'hash' of git://ftp.sciencehorizons.net/linux 2016-05-28 16:15:25 -07:00
memory MTD updates for v4.7: 2016-05-24 11:00:20 -07:00
memstick drivers/memstick/core/mspro_block: use kmemdup 2016-05-23 17:04:14 -07:00
message SCSI misc on 20160517 2016-05-18 16:38:59 -07:00
mfd remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
misc Char / Misc driver update for 4.7-rc1 2016-05-20 21:20:31 -07:00
mmc remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
mtd This pull request contains mostly cleanups and minor 2016-05-27 18:49:29 -07:00
net remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
nfc
ntb
nubus
nvdimm DAX error handling for 4.7 2016-05-26 19:34:26 -07:00
nvme nvme/host: Add missing blk_integrity tag_size + flags assignments 2016-05-17 17:14:21 -06:00
nvmem remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
of MTD updates for v4.7: 2016-05-24 11:00:20 -07:00
oprofile
parisc
parport
pci Char / Misc driver update for 4.7-rc1 2016-05-20 21:20:31 -07:00
pcmcia
perf
phy USB patches for 4.7-rc1 2016-05-20 21:12:25 -07:00
pinctrl drivers/pinctrl/intel/pinctrl-baytrail.c: fix build with gcc-4.4 2016-05-26 15:35:44 -07:00
platform platform/chrome: Driver and binding changes for 4.7 2016-05-28 12:32:01 -07:00
pnp driver core update for 4.7-rc1 2016-05-20 21:26:15 -07:00
power power supply and reset changes for the v4.7 series 2016-05-20 14:06:21 -07:00
powercap Power management material for v4.7-rc1 2016-05-16 19:17:22 -07:00
pps
ps3
ptp
pwm pwm: Changes for v4.7-rc1 2016-05-25 10:40:15 -07:00
rapidio
ras
regulator regulator: pwm: Use pwm_get_args() where appropriate 2016-05-17 14:45:02 +02:00
remoteproc remoteproc: Add additional crash reasons 2016-05-12 15:50:19 -07:00
reset
rpmsg
rtc rtc: tps6586x: rename so module can be autoloaded 2016-05-21 17:07:17 +02:00
s390 DAX error handling for 4.7 2016-05-26 19:34:26 -07:00
sbus openprom: fix warning 2016-05-20 18:33:37 -07:00
scsi Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-05-28 12:04:17 -07:00
sfi
sh
sn
soc soc: mtk-pmic-wrap: avoid integer overflow warning 2016-05-19 15:20:24 +02:00
spi sound updates #2 for 4.7-rc1 2016-05-28 12:23:12 -07:00
spmi
ssb
staging Round two of 4.7 merge window patches 2016-05-28 11:04:16 -07:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-05-28 12:04:17 -07:00
tc
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2016-05-26 09:23:43 -07:00
thunderbolt
tty remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
uio
usb Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-05-28 12:04:17 -07:00
uwb
vfio VFIO updates for v4.7-rc1 2016-05-25 09:47:26 -07:00
vhost
video remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
virt
virtio virtio_balloon: fix PFN format for virtio-1 2016-05-22 19:44:13 +03:00
vlynq
vme
w1
watchdog Merge git://www.linux-watchdog.org/linux-watchdog 2016-05-25 10:19:17 -07:00
xen Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2016-05-28 12:04:17 -07:00
zorro
Kconfig libnvdimm for 4.7 2016-05-23 11:18:01 -07:00
Makefile /dev/dax, pmem: direct access to persistent memory 2016-05-20 22:02:53 -07:00