--- ./drivers/char/random.c.rndps Wed Jan 19 17:09:48 2005
+++ ./drivers/char/random.c Fri May 20 09:09:18 2005
@@ -1771,7 +1771,7 @@ static int change_poolsize(int poolsize)
static int proc_do_poolsize(ctl_table *table, int write, struct file *filp,
void *buffer, size_t *lenp)
{
- unsigned int ret;
+ int ret;
sysctl_poolsize = random_state->poolinfo.POOLBYTES;
@@ -1787,7 +1787,7 @@ static int poolsize_strategy(ctl_table *
void *oldval, size_t *oldlenp,
void *newval, size_t newlen, void **context)
{
- int len;
+ unsigned int len;
sysctl_poolsize = random_state->poolinfo.POOLBYTES;
Hi Vasily,
On Fri, May 20, 2005 at 09:32:48AM +0400, Vasily Averin wrote:
> Hello Marcelo,
>
> SWSoft Linux kernel Team has discovered that your patch
> http://linux.bkbits.net:8080/linux-2.4/gnupatch@41e2c4fetTJmVti-Xxql21xXjfbpag
> which should fix a random poolsize sysctl handler integer overflow, is
> wrong.
> You have changed a variable definition in function proc_do_poolsize(),
> but you had to fix an another function, poolsize_strategy()
Ouch. Shame on me.
Recent v2.4 versions aren't vulnerable, at least on i386, where copy_from_user()
does signed overflow checking.
Patch applied, thanks.
> --- ./drivers/char/random.c.rndps Wed Jan 19 17:09:48 2005
> +++ ./drivers/char/random.c Fri May 20 09:09:18 2005
> @@ -1771,7 +1771,7 @@ static int change_poolsize(int poolsize)
> static int proc_do_poolsize(ctl_table *table, int write, struct file *filp,
> void *buffer, size_t *lenp)
> {
> - unsigned int ret;
> + int ret;
>
> sysctl_poolsize = random_state->poolinfo.POOLBYTES;
>
> @@ -1787,7 +1787,7 @@ static int poolsize_strategy(ctl_table *
> void *oldval, size_t *oldlenp,
> void *newval, size_t newlen, void **context)
> {
> - int len;
> + unsigned int len;
>
> sysctl_poolsize = random_state->poolinfo.POOLBYTES;
>