summaryrefslogtreecommitdiff
path: root/user/libice/CVE-2017-2626.patch
blob: ea2d8835b02415b157a60cc09751675f6c36fbdc (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001
From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Date: Tue, 4 Apr 2017 19:12:53 +0200
Subject: Use getentropy() if arc4random_buf() is not available

This allows to fix CVE-2017-2626 on Linux platforms without pulling in
libbsd.
The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
For Linux, we need at least a v3.17 kernel. If the recommended
arc4random_buf() function is not available, emulate it by first trying
to use getentropy() on a supported glibc and kernel. If the call fails,
fall back to the current (partly vulnerable) code.

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 configure.ac  |  2 +-
 src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++-----------------
 2 files changed, 47 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index 458882a..c971ab6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
 
 # Checks for library functions.
 AC_CHECK_LIB([bsd], [arc4random_buf])
-AC_CHECK_FUNCS([asprintf arc4random_buf])
+AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
 
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
diff --git a/src/iceauth.c b/src/iceauth.c
index ed31683..de4785b 100644
--- a/src/iceauth.c
+++ b/src/iceauth.c
@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium
 
 static int was_called_state;
 
-/*
- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
- * the SI.  It is not part of standard ICElib.
- */
+#ifndef HAVE_ARC4RANDOM_BUF
 
-
-char *
-IceGenerateMagicCookie (
+static void
+emulate_getrandom_buf (
+	char *auth,
 	int len
 )
 {
-    char    *auth;
-#ifndef HAVE_ARC4RANDOM_BUF
     long    ldata[2];
     int	    seed;
     int	    value;
     int	    i;
-#endif
 
-    if ((auth = malloc (len + 1)) == NULL)
-	return (NULL);
-
-#ifdef HAVE_ARC4RANDOM_BUF
-    arc4random_buf(auth, len);
-#else
 #ifdef ITIMER_REAL
     {
 	struct timeval  now;
@@ -76,13 +64,13 @@ IceGenerateMagicCookie (
 	ldata[0] = now.tv_sec;
 	ldata[1] = now.tv_usec;
     }
-#else
+#else /* ITIMER_REAL */
     {
 	long    time ();
 	ldata[0] = time ((long *) 0);
 	ldata[1] = getpid ();
     }
-#endif
+#endif /* ITIMER_REAL */
     seed = (ldata[0]) + (ldata[1] << 16);
     srand (seed);
     for (i = 0; i < len; i++)
@@ -90,7 +78,46 @@ IceGenerateMagicCookie (
 	value = rand ();
 	auth[i] = value & 0xff;
     }
-#endif
+}
+
+static void
+arc4random_buf (
+	char *auth,
+	int len
+)
+{
+    int	    ret;
+
+#if HAVE_GETENTROPY
+    /* weak emulation of arc4random through the entropy libc */
+    ret = getentropy (auth, len);
+    if (ret == 0)
+	return;
+#endif /* HAVE_GETENTROPY */
+
+    emulate_getrandom_buf (auth, len);
+}
+
+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
+
+/*
+ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
+ * the SI.  It is not part of standard ICElib.
+ */
+
+
+char *
+IceGenerateMagicCookie (
+	int len
+)
+{
+    char    *auth;
+
+    if ((auth = malloc (len + 1)) == NULL)
+	return (NULL);
+
+    arc4random_buf (auth, len);
+
     auth[len] = '\0';
     return (auth);
 }
-- 
cgit v1.1