svn commit: r339788 - head/sys/dev/random
Conrad Meyer
cem at FreeBSD.org
Fri Oct 26 20:55:02 UTC 2018
Author: cem
Date: Fri Oct 26 20:55:01 2018
New Revision: 339788
URL: https://svnweb.freebsd.org/changeset/base/339788
Log:
Fortuna: fix a correctness issue in reseed (fortuna_pre_read)
'i' counts the number of pools included in the array 's'. Passing 'i+1' to
reseed_internal() as the number of blocks in 's' is a bogus overrun of the
initialized portion of 's' -- technically UB.
I found this via code inspection, referencing §9.5.2 "Pools" of the Fortuna
chapter, but I would expect Coverity to notice the same issue.
Unfortunately, it doesn't appear to.
Reviewed by: markm
Approved by: secteam (gordon)
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D16985
Modified:
head/sys/dev/random/fortuna.c
Modified: head/sys/dev/random/fortuna.c
==============================================================================
--- head/sys/dev/random/fortuna.c Fri Oct 26 20:53:01 2018 (r339787)
+++ head/sys/dev/random/fortuna.c Fri Oct 26 20:55:01 2018 (r339788)
@@ -408,7 +408,7 @@ random_fortuna_pre_read(void)
SDT_PROBE2(random, fortuna, event_processor, debug, fortuna_state.fs_reseedcount, fortuna_state.fs_pool);
#endif
/* FS&K */
- random_fortuna_reseed_internal(s, i < RANDOM_FORTUNA_NPOOLS ? i + 1 : RANDOM_FORTUNA_NPOOLS);
+ random_fortuna_reseed_internal(s, i);
/* Clean up and secure */
explicit_bzero(s, sizeof(s));
explicit_bzero(temp, sizeof(temp));
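Review bot: the new call `random_fortuna_reseed_internal(s, i);` drops the upper clamp to RANDOM_FORTUNA_NPOOLS that the removed line had, and the loop that bounds `i` is outside this hunk, so nothing visible here guarantees the count stays within `s`. Consider asserting the invariant just before the call, for example `KASSERT(i <= RANDOM_FORTUNA_NPOOLS, ...)`, and extending the `/* FS&K */` comment to say that `i` is the number of initialized entries in `s`, so a later change to the loop cannot silently reintroduce an overrun of the array.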