git: 8eb54646dd0e - stable/12 - Fortuna: fix a correctness issue in reseed (fortuna_pre_read)
David E. O'Brien
obrien at FreeBSD.org
Fri Aug 6 05:13:33 UTC 2021
The branch stable/12 has been updated by obrien:
URL: https://cgit.FreeBSD.org/src/commit/?id=8eb54646dd0eabd66c70f152b502412c04766fdf
commit 8eb54646dd0eabd66c70f152b502412c04766fdf
Author: Conrad Meyer <cem at FreeBSD.org>
AuthorDate: 2018-10-26 20:55:01 +0000
Commit: David E. O'Brien <obrien at FreeBSD.org>
CommitDate: 2021-08-06 05:12:05 +0000
Fortuna: fix a correctness issue in reseed (fortuna_pre_read)

'i' counts the number of pools included in the array 's'. Passing 'i+1' to
reseed_internal() as the number of blocks in 's' is a bogus overrun of the
initialized portion of 's' -- technically UB.

I found this via code inspection, referencing §9.5.2 "Pools" of the Fortuna
chapter, but I would expect Coverity to notice the same issue.
Unfortunately, it doesn't appear to.

Reviewed by: markm
Approved by: secteam (gordon)
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D16985

(cherry picked from commit 9a88479843e2314018f66fd2cdad5ae0200393d0)
---
sys/dev/random/fortuna.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/dev/random/fortuna.c b/sys/dev/random/fortuna.c
index f9a29fd5a596..0eaffa1de439 100644
--- a/sys/dev/random/fortuna.c
+++ b/sys/dev/random/fortuna.c
@@ -408,7 +408,7 @@ random_fortuna_pre_read(void)
SDT_PROBE2(random, fortuna, event_processor, debug, fortuna_state.fs_reseedcount, fortuna_state.fs_pool);
#endif
/* FS&K */
- random_fortuna_reseed_internal(s, i < RANDOM_FORTUNA_NPOOLS ? i + 1 : RANDOM_FORTUNA_NPOOLS);
+ random_fortuna_reseed_internal(s, i);
/* Clean up and secure */
explicit_bzero(s, sizeof(s));
explicit_bzero(temp, sizeof(temp));
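Review bot: the new call random_fortuna_reseed_internal(s, i) drops the upper bound that the removed expression enforced with its ": RANDOM_FORTUNA_NPOOLS" arm, so the count passed in is now only as safe as the loop that fills 's', which lies outside this hunk. Since the commit message defines 'i' as the number of pools included in 's', consider asserting that invariant immediately before the call, for example KASSERT(i <= RANDOM_FORTUNA_NPOOLS, ("pool count out of range")), and extending the /* FS&K */ comment to state that 'i' is the count of initialized entries in 's', so a later edit does not reintroduce the off-by-one.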