[SRU][T/A][PATCH 0/1] Fix for CVE-2018-10940


Khalid Elmously
Clean pick for trusty and artful

Dan Carpenter (1):
  cdrom: information leak in cdrom_ioctl_media_changed()

 drivers/cdrom/cdrom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][T/A][PATCH 1/1] cdrom: information leak in cdrom_ioctl_media_changed()

Khalid Elmously
From: Dan Carpenter <[hidden email]>

CVE-2018-10940

This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
long.  The way the check is written now, if one of the high 32 bits is
set then we could read outside the info->slots[] array.

This bug is pretty old and it predates git.

Reviewed-by: Christoph Hellwig <[hidden email]>
Cc: [hidden email]
Signed-off-by: Dan Carpenter <[hidden email]>
Signed-off-by: Jens Axboe <[hidden email]>
(cherry-picked from 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707)
Signed-off-by: Khalid Elmously <[hidden email]>
---
 drivers/cdrom/cdrom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index a7f37f104d6c..589a770f4270 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2374,7 +2374,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
  if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
  return media_changed(cdi, 1);
 
- if ((unsigned int)arg >= cdi->capacity)
+ if (arg >= cdi->capacity)
  return -EINVAL;
 
  info = kmalloc(sizeof(*info), GFP_KERNEL);
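Review bot: the new comparison on the `+ if (arg >= cdi->capacity)` line mixes an unsigned long with an int, so it depends on cdi->capacity being implicitly converted to unsigned long. If capacity could ever be negative it would convert to a very large value and the check would let nearly any arg through. Consider a short comment stating that capacity is expected to be non-negative here, or make the conversion explicit, e.g. `if (arg >= (unsigned long)cdi->capacity)`, so the intent survives later edits.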
--
2.17.1
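
The truncation the commit message describes, as an added example that is not part of the original thread or the kernel source. It is a user-space model: `uint64_t` stands in for a 64-bit `unsigned long`, and `struct model_cdi`, `check_before`, `check_after` and `accepts_out_of_range` are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model, not kernel code. uint64_t stands in for
 * a 64-bit unsigned long so the result is the same on any build host. */
struct model_cdi { int capacity; };

/* Check as it stood before the patch: the cast keeps only the low 32 bits. */
static int check_before(const struct model_cdi *cdi, uint64_t arg)
{
    if ((unsigned int)arg >= cdi->capacity)
        return -EINVAL;
    return 0;
}

/* Check as patched: the full-width value is compared. */
static int check_after(const struct model_cdi *cdi, uint64_t arg)
{
    if (arg >= cdi->capacity)   /* capacity is converted to the wider type */
        return -EINVAL;
    return 0;
}

/* Returns 1 when a check accepts a value that lies outside [0, capacity). */
static int accepts_out_of_range(int (*check)(const struct model_cdi *, uint64_t),
                                const struct model_cdi *cdi, uint64_t arg)
{
    return check(cdi, arg) == 0 && arg >= (uint64_t)cdi->capacity;
}

int main(void)
{
    struct model_cdi cdi = { .capacity = 8 };   /* constructed sample value */
    /* Constructed inputs: in range, at the bound, and two with high bits set. */
    uint64_t samples[] = { 3, 8, (1ULL << 32) | 3, 0xFFFFFFFF00000000ULL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("arg=0x%016llx before=%d after=%d escapes_before=%d\n",
               (unsigned long long)samples[i],
               check_before(&cdi, samples[i]),
               check_after(&cdi, samples[i]),
               accepts_out_of_range(check_before, &cdi, samples[i]));
    return 0;
}
```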



ACK: [SRU][T/A][PATCH 0/1] Fix for CVE-2018-10940

Po-Hsu Lin (Sam)
In reply to this post by Khalid Elmously
Clean cherry-pick.
Acked-by: Po-Hsu Lin <[hidden email]>


ACK: [SRU][T/A][PATCH 1/1] cdrom: information leak in cdrom_ioctl_media_changed()

Stefan Bader-2
In reply to this post by Khalid Elmously
On 09.07.2018 23:39, Khalid Elmously wrote:

> From: Dan Carpenter <[hidden email]>
>
> CVE-2018-10940
>
> This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
> long.  The way the check is written now, if one of the high 32 bits is
> set then we could read outside the info->slots[] array.
>
> This bug is pretty old and it predates git.
>
> Reviewed-by: Christoph Hellwig <[hidden email]>
> Cc: [hidden email]
> Signed-off-by: Dan Carpenter <[hidden email]>
> Signed-off-by: Jens Axboe <[hidden email]>
> (cherry-picked from 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707)
> Signed-off-by: Khalid Elmously <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  drivers/cdrom/cdrom.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index a7f37f104d6c..589a770f4270 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -2374,7 +2374,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
>   if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
>   return media_changed(cdi, 1);
>  
> - if ((unsigned int)arg >= cdi->capacity)
> + if (arg >= cdi->capacity)
>   return -EINVAL;
>  
>   info = kmalloc(sizeof(*info), GFP_KERNEL);
>
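Review bot: the bound used on the `+ if (arg >= cdi->capacity)` line is cdi->capacity, while the commit message says the read that has to stay in bounds is on info->slots[]; nothing visible in this hunk ties capacity to the number of entries in that array. It would be worth confirming before the ACK that capacity can never exceed the slots[] length, or bounding arg by the array size as well.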

