[1/1,T/X/B/C/D] cdrom: fix improper type cast, which can lead to information leak.

Message ID 1542674921-15495-2-git-send-email-tyhicks@canonical.com
State New

Commit Message

Tyler Hicks Nov. 20, 2018, 12:48 a.m. UTC
From: Young_X <YangX92@hotmail.com>

There is another cast from unsigned long to int which causes
a bounds check to fail with specially crafted input. The value is
then used as an index in the slot array in cdrom_slot_status().

This issue is similar to CVE-2018-16658 and CVE-2018-10940.

Signed-off-by: Young_X <YangX92@hotmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

CVE-2018-18710

(cherry picked from commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 drivers/cdrom/cdrom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
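
The narrowing described in the commit message, modelled in user-space C as an added example that is not part of the original patch or the kernel source. `check_before`, `check_after`, the 64-bit `arg` type, the sentinel values and the capacity of 4 are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sentinel values for this model (not taken from the page). */
#define CDSL_NONE    ((uint64_t)(INT_MAX - 1))
#define CDSL_CURRENT ((uint64_t)INT_MAX)

/* Pre-patch shape: arg is narrowed to int before the comparison.
 * Out-of-range conversion to int is implementation-defined; GCC and
 * Clang keep the low 32 bits, so bit 31 becomes the sign bit. */
static int check_before(uint64_t arg, int capacity)
{
    if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
        if ((int)arg >= capacity)
            return -EINVAL;
    }
    return 0;
}

/* Patched shape: compare at the full unsigned width of arg.
 * capacity is assumed non-negative in this model. */
static int check_after(uint64_t arg, int capacity)
{
    if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
        if (arg >= (uint64_t)capacity)
            return -EINVAL;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: two in-range/edge values, three that narrow badly. */
    const uint64_t samples[] = { 3, 4, 0x80000000ULL, 0xFFFFFFFFULL,
                                 0x100000001ULL };
    const int capacity = 4; /* assumed number of slots */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("arg=%#llx (int)arg=%d before=%d after=%d\n",
               (unsigned long long)samples[i], (int)samples[i],
               check_before(samples[i], capacity),
               check_after(samples[i], capacity));
    return 0;
}
```

A return of 0 from `check_before` alongside `-EINVAL` from `check_after` marks an input that the narrowed comparison accepts and the full-width comparison rejects.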

Comments

Stefan Bader Nov. 20, 2018, 10:58 a.m. UTC | #1
On 20.11.18 01:48, Tyler Hicks wrote:
> From: Young_X <YangX92@hotmail.com>
> 
> There is another cast from unsigned long to int which causes
> a bounds check to fail with specially crafted input. The value is
> then used as an index in the slot array in cdrom_slot_status().
> 
> This issue is similar to CVE-2018-16658 and CVE-2018-10940.
> 
> Signed-off-by: Young_X <YangX92@hotmail.com>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> 
> CVE-2018-18710
> 
> (cherry picked from commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276)
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  drivers/cdrom/cdrom.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index 104cd4f7a2dd..7c2c520cc1b4 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -2441,7 +2441,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi,
>  		return -ENOSYS;
>  
>  	if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
> -		if ((int)arg >= cdi->capacity)
> +		if (arg >= cdi->capacity)
>  			return -EINVAL;
>  	}
>  
>
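
Review bot: the `arg != CDSL_CURRENT && arg != CDSL_NONE` guard lets both sentinels skip the range check entirely, and the commit message says the value is later used as an index into the slot array in cdrom_slot_status(). A short comment at this guard stating where the two sentinels are resolved before any indexing would make it clear that only range-checked values reach the array.
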
Seth Forshee Nov. 26, 2018, 3:07 p.m. UTC | #2
On Tue, Nov 20, 2018 at 12:48:41AM +0000, Tyler Hicks wrote:
> From: Young_X <YangX92@hotmail.com>
> 
> There is another cast from unsigned long to int which causes
> a bounds check to fail with specially crafted input. The value is
> then used as an index in the slot array in cdrom_slot_status().
> 
> This issue is similar to CVE-2018-16658 and CVE-2018-10940.
> 
> Signed-off-by: Young_X <YangX92@hotmail.com>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> 
> CVE-2018-18710
> 
> (cherry picked from commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276)
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

Acked-by: Seth Forshee <seth.forshee@canonical.com>

This was applied to unstable as part of the 4.19.3 stable update.

Patch

diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 104cd4f7a2dd..7c2c520cc1b4 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2441,7 +2441,7 @@  static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi,
 		return -ENOSYS;
 
 	if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
-		if ((int)arg >= cdi->capacity)
+		if (arg >= cdi->capacity)
 			return -EINVAL;
 	}
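
Review bot: on the new `if (arg >= cdi->capacity)` line, the comparison now depends on the implicit conversion of `cdi->capacity` to the type of `arg`, and the hunk does not show how `capacity` is declared. If it is a signed field, a negative value would convert to a very large unsigned one and every `arg` would pass, so it is worth confirming that `capacity` cannot be negative on this path and adding a one-line comment saying the comparison is deliberately done without a cast, so the `(int)` is not reintroduced later.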