• Michael Schmitz's avatar
    fix race in drivers/char/random.c:get_reg() · 9dfa7bba
    Michael Schmitz authored
    get_reg() can be reentered on architectures with prioritized interrupts
    (m68k in this case), causing f->reg_index to be incremented after the
    range check. Out of bounds memory access past the pt_regs struct results.
    This will go mostly undetected unless access is beyond end of memory.
    
    Prevent the race by disabling interrupts in get_reg().
    
    Tested on m68k (Atari Falcon, and ARAnyM emulator).
    
    Kudos to Geert Uytterhoeven for helping to trace this race.
    Signed-off-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
    Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
    9dfa7bba
random.c 60.8 KB