Re: [PATCH] cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status

Sorry, I responded to this patch that this wasn't a real bug, but then
Scott corrected me that it was.

Anyway, it is a bug and we haven't applied this patch yet.

regards,
dan carpenter

On Thu, Apr 26, 2018 at 11:51:08AM -0600, Scott Bauer wrote:
> Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()"
> 
> There is another cast from unsigned long to int which causes
> a bounds check to fail with specially crafted input. The value is
> then used as an index in the slot array in cdrom_slot_status().
> 
> Signed-off-by: Scott Bauer <scott.bauer@xxxxxxxxx>
> Signed-off-by: Scott Bauer <sbauer@xxxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> ---
>  drivers/cdrom/cdrom.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index bfc566d3f31a..8cfa10ab7abc 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -2542,7 +2542,7 @@ static int cdrom_ioctl_drive_status(struct cdrom_device_info *cdi,
>  	if (!CDROM_CAN(CDC_SELECT_DISC) ||
>  	    (arg == CDSL_CURRENT || arg == CDSL_NONE))
>  		return cdi->ops->drive_status(cdi, CDSL_CURRENT);
> -	if (((int)arg >= cdi->capacity))
> +	if (arg >= cdi->capacity)
>  		return -EINVAL;
>  	return cdrom_slot_status(cdi, arg);
>  }
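
Review bot: at the changed line `if (arg >= cdi->capacity)`, the check now depends on an implicit conversion between arg's unsigned long type and whatever type cdi->capacity has, and nothing in the hunk or the commit message says so. If capacity is a signed int, it is converted to unsigned long for the comparison, so the bound only holds while capacity is non-negative. A one-line comment or a sentence in the commit message stating that assumption would keep the next cleanup from reintroducing a cast. The commit message could also say which inputs got through the old check (those whose value becomes negative after the `(int)` cast) rather than only that the check fails. Finally, `cdrom_slot_status(cdi, arg)` still receives arg unchanged; it is worth confirming that any narrowing at that call is harmless now that arg is bounded by capacity.
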
> -- 
> 2.14.1
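
The truncation described in the commit message above, as an added user-space example that is not part of the patch or the kernel source. The function names, the capacity of 4 and the sample values are constructed for illustration, and -1 stands in for -EINVAL.

```c
/* User-space model of the bounds check (added example, not kernel code). */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_CAPACITY 4	/* assumed slot count, constructed */

/* Pre-patch form: arg is narrowed to int before the comparison, so any
 * value that becomes a negative int compares as smaller than capacity. */
int check_with_cast(unsigned long arg, int capacity)
{
	return ((int)arg >= capacity) ? -1 : 0;	/* -1 stands in for -EINVAL */
}

/* Patched form: compared at full width. The explicit cast spells out the
 * conversion the compiler applies to an int operand; capacity must be >= 0. */
int check_full_width(unsigned long arg, int capacity)
{
	return (arg >= (unsigned long)capacity) ? -1 : 0;
}

/* Constructed samples: two valid, one boundary, two that truncate negative. */
static const unsigned long samples[] = {
	0UL, 3UL, 4UL, (unsigned long)INT_MAX + 1UL, ULONG_MAX,
};

/* Number of samples the old check accepts but the patched check rejects. */
int count_disagreements(void)
{
	int n = 0;
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (check_with_cast(samples[i], MODEL_CAPACITY) == 0 &&
		    check_full_width(samples[i], MODEL_CAPACITY) == -1)
			n++;
	return n;
}

int main(void)
{
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("arg=%#lx as int=%d old=%d patched=%d\n", samples[i],
		       (int)samples[i],
		       check_with_cast(samples[i], MODEL_CAPACITY),
		       check_full_width(samples[i], MODEL_CAPACITY));
	printf("accepted only by the old check: %d\n", count_disagreements());
	return 0;
}
```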


