The patch titled drivers/block/pktcdvd.c: prevent arbitrary kernel reads in ioctl has been added to the -mm tree. Its filename is drivers-block-pktcdvdc-prevent-arbitrary-kernel-reads-in-ioctl.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find out what to do about this The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/ ------------------------------------------------------ Subject: drivers/block/pktcdvd.c: prevent arbitrary kernel reads in ioctl From: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a pktcdvd_device from the global pkt_devs array. The index into this array is provided directly by the user and is a signed integer, so the comparison to ensure that it falls within the bounds of this array will fail when provided with a negative index. This can be used to read arbitrary kernel memory or cause a crash due to an invalid pointer dereference. This can be exploited by users with permission to open /dev/pktcdvd/control (on many distributions, this is readable by group "cdrom"). This patch fixes it. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@xxxxxxxxx> Cc: <stable@xxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- drivers/block/pktcdvd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN drivers/block/pktcdvd.c~drivers-block-pktcdvdc-prevent-arbitrary-kernel-reads-in-ioctl drivers/block/pktcdvd.c --- a/drivers/block/pktcdvd.c~drivers-block-pktcdvdc-prevent-arbitrary-kernel-reads-in-ioctl +++ a/drivers/block/pktcdvd.c @@ -2370,7 +2370,7 @@ static void pkt_release_dev(struct pktcd static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor) { - if (dev_minor >= MAX_WRITERS) + if ((unsigned int)dev_minor >= MAX_WRITERS) return NULL; return pkt_devs[dev_minor]; } _ Patches currently in -mm which might be from drosenberg@xxxxxxxxxxxxx are origin.patch sys_semctl-fix-kernel-stack-leakage.patch drivers-block-pktcdvdc-prevent-arbitrary-kernel-reads-in-ioctl.patch drivers-serial-serial_corec-prevent-reading-uninitialized-stack-memory.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html