Skip to content

Commit

Permalink
cdrom: fix improper type cast, which can leat to information leak.
Browse files Browse the repository at this point in the history
commit e4f3aa2 upstream.

There is another cast from unsigned long to int which causes
a bounds check to fail with specially crafted input. The value is
then used as an index in the slot array in cdrom_slot_status().

This issue is similar to CVE-2018-16658 and CVE-2018-10940.

Signed-off-by: Young_X <YangX92@hotmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  • Loading branch information
Young_X authored and Ben Hutchings committed Dec 16, 2018

Unverified

No user is associated with the committer email.
1 parent 789a431 commit 4d0f256
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/cdrom/cdrom.c
Original file line number Diff line number Diff line change
@@ -2427,7 +2427,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi,
return -ENOSYS;

if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
if ((int)arg >= cdi->capacity)
if (arg >= cdi->capacity)
return -EINVAL;
}

0 comments on commit 4d0f256

Please sign in to comment.