From: Matt Mackall <mpm@selenic.com>
Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700)
Subject: random: fix bound check ordering (CVE-2007-3105)
X-Git-Tag: v2.6.23-rc1~259
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd;p=pandora-kernel.git

random: fix bound check ordering (CVE-2007-3105)

If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.

(Bug reported by the PaX Team <pageexec@freemail.hu>)

Cc: Theodore Tso <tytso@mit.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---

Reading git-diff-tree failed