[PATCH] random device reseed bugfix, possibly security problem

[PATCH] random device reseed bugfix, possibly security problem

hello,

recently while trying to figure out something i ran across
some code in drivers/char/random.c:xfer_secondary_pool() which
looked wrong and further investigation of history confirmed
it as well.

the problem is that xfer_secondary_pool() used to use a local
buffer in the past that was used during the reseed operation
however when this buffer was moved out to the caller site, the
sizeof(tmp) code wasn't properly adjusted, therefore the sizeof
now operates on a pointer type (vs. array) and gives the wrong
result.

in this case it means that when the code thinks it reseeds the
entire buffer (0x154 bytes on i386/sha1), it only reseeds
sizeof(ptr), 4 bytes on i386.

since all this 'catastrophic reseeding' has something to do with
some (maybe theoretical) attack (i'm not a crypto guy to tell ;),
i can imagine that this error has some security consequences,
please treat it as such until confirmed otherwise.

the commit that introduced the bug:
  http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=1.889.325.12

the attached fix has been in PaX/grsecurity for a few weeks now
and seems to work.

2.6 doesn't have this bug as the buffer in question is again
local to the function that uses sizeof on it (i haven't checked
when it was fixed).