The patch titled
drivers/block/pktcdvd.c: prevent arbitrary kernel reads in ioctl
has been added to the -mm tree. Its filename is
drivers-block-pktcdvdc-prevent-arbitrary-kernel-reads-in-ioctl.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
Subject: drivers/block/pktcdvd.c: prevent arbitrary kernel reads in ioctl
From: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx>
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
pktcdvd_device from the global pkt_devs array. The index into this array
is provided directly by the user and is a signed integer, so the
comparison to ensure that it falls within the bounds of this array will
fail when provided with a negative index.
This can be used to read arbitrary kernel memory or cause a crash due to
an invalid pointer dereference. This can be exploited by users with
permission to open /dev/pktcdvd/control (on many distributions, this is
readable by group "cdrom"). This patch fixes it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@xxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
drivers/block/pktcdvd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff -puN drivers/block/pktcdvd.c~drivers-block-pktcdvdc-prevent-arbitrary-kernel-reads-in-ioctl drivers/block/pktcdvd.c
--- a/drivers/block/pktcdvd.c~drivers-block-pktcdvdc-prevent-arbitrary-kernel-reads-in-ioctl
+++ a/drivers/block/pktcdvd.c
@@ -2370,7 +2370,7 @@ static void pkt_release_dev(struct pktcd
static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
{
- if (dev_minor >= MAX_WRITERS)
+ if ((unsigned int)dev_minor >= MAX_WRITERS)
return NULL;
return pkt_devs[dev_minor];
}
_
Patches currently in -mm which might be from drosenberg@xxxxxxxxxxxxx are
origin.patch
sys_semctl-fix-kernel-stack-leakage.patch
drivers-block-pktcdvdc-prevent-arbitrary-kernel-reads-in-ioctl.patch
drivers-serial-serial_corec-prevent-reading-uninitialized-stack-memory.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
