35 lines
1.1 KiB
Diff
35 lines
1.1 KiB
Diff
From: Young_X <YangX92@hotmail.com>
|
|
Date: Wed, 3 Oct 2018 12:54:29 +0000
|
|
Subject: cdrom: fix improper type cast, which can leat to information leak.
|
|
Origin: https://git.kernel.org/linus/e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18710
|
|
|
|
There is another cast from unsigned long to int which causes
|
|
a bounds check to fail with specially crafted input. The value is
|
|
then used as an index in the slot array in cdrom_slot_status().
|
|
|
|
This issue is similar to CVE-2018-16658 and CVE-2018-10940.
|
|
|
|
Signed-off-by: Young_X <YangX92@hotmail.com>
|
|
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
|
---
|
|
drivers/cdrom/cdrom.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
|
index a5d5a96479bf..10802d1fc554 100644
|
|
--- a/drivers/cdrom/cdrom.c
|
|
+++ b/drivers/cdrom/cdrom.c
|
|
@@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi,
|
|
return -ENOSYS;
|
|
|
|
if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
|
|
- if ((int)arg >= cdi->capacity)
|
|
+ if (arg >= cdi->capacity)
|
|
return -EINVAL;
|
|
}
|
|
|
|
--
|
|
2.11.0
|
|
|