Message ID | 20181003062939.16699-2-po-hsu.lin@canonical.com |
---|---|
State | New |
Series | Fix for CVE-2018-16658 |
On 03.10.2018 08:29, Po-Hsu Lin wrote: > From: Scott Bauer <scott.bauer@intel.com> > > CVE-2018-16658 > > Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()" > > There is another cast from unsigned long to int which causes > a bounds check to fail with specially crafted input. The value is > then used as an index in the slot array in cdrom_slot_status(). > > Signed-off-by: Scott Bauer <scott.bauer@intel.com> > Signed-off-by: Scott Bauer <sbauer@plzdonthack.me> > Cc: stable@vger.kernel.org > Signed-off-by: Jens Axboe <axboe@kernel.dk> > (cherry picked from commit 8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/cdrom/cdrom.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c > index cbee2e7..f0534a4 100644 > --- a/drivers/cdrom/cdrom.c > +++ b/drivers/cdrom/cdrom.c > @@ -2542,7 +2542,7 @@ static int cdrom_ioctl_drive_status(struct cdrom_device_info *cdi, > if (!CDROM_CAN(CDC_SELECT_DISC) || > (arg == CDSL_CURRENT || arg == CDSL_NONE)) > return cdi->ops->drive_status(cdi, CDSL_CURRENT); > - if (((int)arg >= cdi->capacity)) > + if (arg >= cdi->capacity) > return -EINVAL; > return cdrom_slot_status(cdi, arg); > } >
On 10/03/18 08:29, Po-Hsu Lin wrote: > From: Scott Bauer <scott.bauer@intel.com> > > CVE-2018-16658 > > Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()" > > There is another cast from unsigned long to int which causes > a bounds check to fail with specially crafted input. The value is > then used as an index in the slot array in cdrom_slot_status(). > > Signed-off-by: Scott Bauer <scott.bauer@intel.com> > Signed-off-by: Scott Bauer <sbauer@plzdonthack.me> > Cc: stable@vger.kernel.org > Signed-off-by: Jens Axboe <axboe@kernel.dk> > (cherry picked from commit 8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/cdrom/cdrom.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c > index cbee2e7..f0534a4 100644 > --- a/drivers/cdrom/cdrom.c > +++ b/drivers/cdrom/cdrom.c > @@ -2542,7 +2542,7 @@ static int cdrom_ioctl_drive_status(struct cdrom_device_info *cdi, > if (!CDROM_CAN(CDC_SELECT_DISC) || > (arg == CDSL_CURRENT || arg == CDSL_NONE)) > return cdi->ops->drive_status(cdi, CDSL_CURRENT); > - if (((int)arg >= cdi->capacity)) > + if (arg >= cdi->capacity) > return -EINVAL; > return cdrom_slot_status(cdi, arg); > } >
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c index cbee2e7..f0534a4 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -2542,7 +2542,7 @@ static int cdrom_ioctl_drive_status(struct cdrom_device_info *cdi, if (!CDROM_CAN(CDC_SELECT_DISC) || (arg == CDSL_CURRENT || arg == CDSL_NONE)) return cdi->ops->drive_status(cdi, CDSL_CURRENT); - if (((int)arg >= cdi->capacity)) + if (arg >= cdi->capacity) return -EINVAL; return cdrom_slot_status(cdi, arg); }
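Review bot: In the changed line `if (arg >= cdi->capacity)`, the check now depends on the implicit conversion of `cdi->capacity` to the type of `arg` (unsigned long, per the commit message), and the type of `capacity` is not visible in this hunk. If it is a signed type that could ever hold a negative value, it would convert to a very large unsigned number and the check would reject nothing. It is worth confirming that `capacity` cannot be negative at this point, and adding a one-line comment above the check saying the comparison is intentionally unsigned, so the `(int)` cast is not reintroduced in a later cleanup. The same reasoning covers the final `return cdrom_slot_status(cdi, arg);`: any narrowing of `arg` at that call is safe only because this check has already bounded it.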