On Tue, Jun 12, 2007 at 01:05:44AM -0400, [email protected] wrote:
> I also noticed a glaring BUG in the folding at the end of extract_buf at
> drivers/char/random.c:797. That should be:
>
> /*
> * In case the hash function has some recognizable
> * output pattern, we fold it in half.
> */
>
> buf[0] ^= buf[4];
> buf[1] ^= buf[3];
> buf[2] ^= rol32(buf[2], 16); // <--- Bug was here
> memcpy(out, buf, EXTRACT_SIZE);
> memset(buf, 0, sizeof(buf));
>
> if the code is to match the comment.
Conveniently, the random.c maintainer is reading this thread. Good
spotting, not sure how I bungled that.
----
random: fix output buffer folding
(As reported by [email protected])
Folding is done to minimize the theoretical possibility of systematic
weakness in the particular bits of the SHA1 hash output. The result of
this bug is that 16 out of 80 bits are un-folded. Without a major new
vulnerability being found in SHA1, this is harmless, but still worth
fixing.
Signed-off-by: Matt Mackall <[email protected]>
Index: mm/drivers/char/random.c
===================================================================
--- mm.orig/drivers/char/random.c 2007-06-12 23:50:54.000000000 -0500
+++ mm/drivers/char/random.c 2007-06-12 23:51:51.000000000 -0500
@@ -794,7 +794,7 @@ static void extract_buf(struct entropy_s
buf[0] ^= buf[3];
buf[1] ^= buf[4];
- buf[0] ^= rol32(buf[3], 16);
+ buf[2] ^= rol32(buf[2], 16);
memcpy(out, buf, EXTRACT_SIZE);
memset(buf, 0, sizeof(buf));
}
--
Mathematics is the supreme nostalgia of our time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
