Message ID | 1542674921-15495-2-git-send-email-tyhicks@canonical.com |
---|---|
State | New |
Headers | show |
Series | [1/1,T/X/B/C/D] cdrom: fix improper type cast, which can leat to information leak. | expand |
On 20.11.18 01:48, Tyler Hicks wrote: > From: Young_X <YangX92@hotmail.com> > > There is another cast from unsigned long to int which causes > a bounds check to fail with specially crafted input. The value is > then used as an index in the slot array in cdrom_slot_status(). > > This issue is similar to CVE-2018-16658 and CVE-2018-10940. > > Signed-off-by: Young_X <YangX92@hotmail.com> > Signed-off-by: Jens Axboe <axboe@kernel.dk> > > CVE-2018-18710 > > (cherry picked from commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276) > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/cdrom/cdrom.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c > index 104cd4f7a2dd..7c2c520cc1b4 100644 > --- a/drivers/cdrom/cdrom.c > +++ b/drivers/cdrom/cdrom.c > @@ -2441,7 +2441,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi, > return -ENOSYS; > > if (arg != CDSL_CURRENT && arg != CDSL_NONE) { > - if ((int)arg >= cdi->capacity) > + if (arg >= cdi->capacity) > return -EINVAL; > } > >
On Tue, Nov 20, 2018 at 12:48:41AM +0000, Tyler Hicks wrote: > From: Young_X <YangX92@hotmail.com> > > There is another cast from unsigned long to int which causes > a bounds check to fail with specially crafted input. The value is > then used as an index in the slot array in cdrom_slot_status(). > > This issue is similar to CVE-2018-16658 and CVE-2018-10940. > > Signed-off-by: Young_X <YangX92@hotmail.com> > Signed-off-by: Jens Axboe <axboe@kernel.dk> > > CVE-2018-18710 > > (cherry picked from commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276) > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> This was applied to unstable as part of the 4.19.3 stable update.
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c index 104cd4f7a2dd..7c2c520cc1b4 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -2441,7 +2441,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi, return -ENOSYS; if (arg != CDSL_CURRENT && arg != CDSL_NONE) { - if ((int)arg >= cdi->capacity) + if (arg >= cdi->capacity) return -EINVAL; }