tag d1b130552d2d3d1774725cbb8159350c6fc25c8e
tagger The Android Open Source Project <initial-contribution@android.com> Mon Nov 07 11:22:03 2016 -0800
object 5369ac86bb1fec13ae7e1fc979e8f1f16b1e192b

Android n-mr1-preview-1 Release 0.1

commit 5369ac86bb1fec13ae7e1fc979e8f1f16b1e192b
author Theodore Ts'o <tytso@mit.edu> Sun Jul 03 17:01:26 2016 -0400
committer Alexander Potapenko <glider@google.com> Mon Sep 26 11:20:14 2016 +0200
tree 974829582f3c312e5442fa0a3892ac7a59609e4a
parent 694abe5ad5236ee6e6b678000d5d0a00ee10db88

UPSTREAM: random: strengthen input validation for RNDADDTOENTCNT

Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative
entropy value.  It doesn't make any sense to subtract from the entropy
counter, and it can trigger a warning:

random: negative entropy/overflow: pool input count -40000
------------[ cut here ]------------
WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[<      none
 >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
Modules linked in:
CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
 fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
 ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
 [<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516
 [<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
 [<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
 [<     inline     >] credit_entropy_bits_safe drivers/char/random.c:734
 [<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
 [<     inline     >] SYSC_ioctl fs/ioctl.c:689
 [<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
 [<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207
---[ end trace 5d4902b2ba842f1f ]---

This was triggered using the test program:

// autogenerated by syzkaller (http://github.com/google/syzkaller)

int main() {
        int fd = open("/dev/random", O_RDWR);
        int val = -5000;
        ioctl(fd, RNDADDTOENTCNT, &val);
        return 0;
}

It's harmless in that (a) only root can trigger it, and (b) after
complaining the code never does let the entropy count go negative, but
it's better to simply not allow this userspace from passing in a
negative entropy value altogether.

Google-Bug-Id: #29575089
Reported-By: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:638275

Change-Id: Ie81cc23bfcb3a165b2e16f6dad70838e9a1161a9
Reviewed-on: https://chromium-review.googlesource.com/386926
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>