| Message ID | 20180709213901.7570-2-khalid.elmously@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | Fix for CVE-2018-10940 | expand |
On 09.07.2018 23:39, Khalid Elmously wrote: > From: Dan Carpenter <dan.carpenter@oracle.com> > > CVE-2018-10940 > > This cast is wrong. "cdi->capacity" is an int and "arg" is an unsigned > long. The way the check is written now, if one of the high 32 bits is > set then we could read outside the info->slots[] array. > > This bug is pretty old and it predates git. > > Reviewed-by: Christoph Hellwig <hch@lst.de> > Cc: stable@vger.kernel.org > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Jens Axboe <axboe@kernel.dk> > (cherry-picked from 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/cdrom/cdrom.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c > index a7f37f104d6c..589a770f4270 100644 > --- a/drivers/cdrom/cdrom.c > +++ b/drivers/cdrom/cdrom.c > @@ -2374,7 +2374,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi, > if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT) > return media_changed(cdi, 1); > > - if ((unsigned int)arg >= cdi->capacity) > + if (arg >= cdi->capacity) > return -EINVAL; > > info = kmalloc(sizeof(*info), GFP_KERNEL); >
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c index a7f37f104d6c..589a770f4270 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -2374,7 +2374,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi, if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT) return media_changed(cdi, 1); - if ((unsigned int)arg >= cdi->capacity) + if (arg >= cdi->capacity) return -EINVAL; info = kmalloc(sizeof(*info), GFP_KERNEL);