[PATCH libXdmcp v2] Use getentropy() if arc4random_buf() is not available
Mark Kettenis
mark.kettenis at xs4all.nl
Wed Apr 5 14:50:42 UTC 2017
> From: Benjamin Tissoires <benjamin.tissoires at gmail.com>
> Date: Tue, 4 Apr 2017 19:13:38 +0200
>
> This allows to fix CVE-2017-2625 on Linux platforms without pulling in
> libbsd.
> The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
> For Linux, we need at least a v3.17 kernel. If the recommended
> arc4random_buf() function is not available, emulate it by first trying
> to use getentropy() on a supported glibc and kernel. If the call fails,
> fall back to the current (vulnerable) code.
>
> Signed-off-by: Benjamin Tissoires <benjamin.tissoires at gmail.com>
Same comment as the other diff.
Reviewed-by: Mark Kettenis <kettenis at openbsd.org>
> ---
>
> changes in v2:
> - use the getentropy() from glibc, not the plain syscall
> - make it clear that arc4random_buf() should be preferred and that we
> are only adding band-aids on top of the missing function
> ---
> Key.c | 31 ++++++++++++++++++++++++++-----
> configure.ac | 2 +-
> 2 files changed, 27 insertions(+), 6 deletions(-)
>
> diff --git a/Key.c b/Key.c
> index a09b316..70607d0 100644
> --- a/Key.c
> +++ b/Key.c
> @@ -62,10 +62,11 @@ getbits (long data, unsigned char *dst)
> #define getpid(x) _getpid(x)
> #endif
>
> -void
> -XdmcpGenerateKey (XdmAuthKeyPtr key)
> -{
> #ifndef HAVE_ARC4RANDOM_BUF
> +
> +static void
> +emulate_getrandom_buf (char *auth, int len)
> +{
> long lowbits, highbits;
>
> srandom ((int)getpid() ^ time((Time_t *)0));
> @@ -73,9 +74,29 @@ XdmcpGenerateKey (XdmAuthKeyPtr key)
> highbits = random ();
> getbits (lowbits, key->data);
> getbits (highbits, key->data + 4);
> -#else
> +}
> +
> +static void
> +arc4random_buf (void *auth, int len)
> +{
> + int ret;
> +
> +#if HAVE_GETENTROPY
> + /* weak emulation of arc4random through the getentropy libc call */
> + ret = getentropy (auth, len);
> + if (ret == 0)
> + return;
> +#endif /* HAVE_GETENTROPY */
> +
> + emulate_getrandom_buf (auth, len);
> +}
> +
> +#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
> +
> +void
> +XdmcpGenerateKey (XdmAuthKeyPtr key)
> +{
> arc4random_buf(key->data, 8);
> -#endif
> }
>
> int
> diff --git a/configure.ac b/configure.ac
> index 2288502..d2b045d 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -65,7 +65,7 @@ esac
>
> # Checks for library functions.
> AC_CHECK_LIB([bsd], [arc4random_buf])
> -AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf])
> +AC_CHECK_FUNCS([srand48 lrand48 arc4random_buf getentropy])
>
> # Obtain compiler/linker options for depedencies
> PKG_CHECK_MODULES(XDMCP, xproto)
> --
> 2.9.3
>
>
More information about the xorg-devel
mailing list