cdrom: fix improper type cast, which can leat to information leak (CVE-2018-18710)
This commit is contained in:
parent
5f66f9439a
commit
7fb2e63e99
|
@ -443,6 +443,8 @@ linux (4.18.14-1) UNRELEASED; urgency=medium
|
|||
* [x86] swiotlb: Enable swiotlb for > 4GiG RAM on 32-bit kernels
|
||||
(Closes: #908924)
|
||||
* mremap: properly flush TLB before releasing the page (CVE-2018-18281)
|
||||
* cdrom: fix improper type cast, which can leat to information leak
|
||||
(CVE-2018-18710)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 08 Oct 2018 19:02:53 +0100
|
||||
|
||||
|
|
34
debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch
vendored
Normal file
34
debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
From: Young_X <YangX92@hotmail.com>
|
||||
Date: Wed, 3 Oct 2018 12:54:29 +0000
|
||||
Subject: cdrom: fix improper type cast, which can leat to information leak.
|
||||
Origin: https://git.kernel.org/linus/e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18710
|
||||
|
||||
There is another cast from unsigned long to int which causes
|
||||
a bounds check to fail with specially crafted input. The value is
|
||||
then used as an index in the slot array in cdrom_slot_status().
|
||||
|
||||
This issue is similar to CVE-2018-16658 and CVE-2018-10940.
|
||||
|
||||
Signed-off-by: Young_X <YangX92@hotmail.com>
|
||||
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
||||
---
|
||||
drivers/cdrom/cdrom.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
||||
index a5d5a96479bf..10802d1fc554 100644
|
||||
--- a/drivers/cdrom/cdrom.c
|
||||
+++ b/drivers/cdrom/cdrom.c
|
||||
@@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi,
|
||||
return -ENOSYS;
|
||||
|
||||
if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
|
||||
- if ((int)arg >= cdi->capacity)
|
||||
+ if (arg >= cdi->capacity)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -146,6 +146,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
|
||||
bugfix/all/mremap-properly-flush-TLB-before-releasing-the-page.patch
|
||||
bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue