cdrom: fix improper type cast, which can lead to information leak.
There is another cast from unsigned long to int which causes
a bounds check to fail with specially crafted input. The value is
then used as an index in the slot array in cdrom_slot_status().

This issue is similar to CVE-2018-16658 and CVE-2018-10940.

Signed-off-by: Young_X <YangX92@hotmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Yoha-test authored and axboe committed Oct 3, 2018
1 parent fb6360b commit e4f3aa2
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/cdrom/cdrom.c
Expand Up @@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi,
return -ENOSYS;

if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
if ((int)arg >= cdi->capacity)
if (arg >= cdi->capacity)
return -EINVAL;
}

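Review bot: In the changed check `if (arg >= cdi->capacity)`, the right-hand side's type is not visible in this hunk, and the result now depends on it: if `cdi->capacity` is a signed field, it is implicitly converted to unsigned long for the comparison, so the bound only holds while capacity is non-negative. A one-line comment above the check saying that `arg` must stay unsigned here (or an explicit conversion of the capacity side) would keep a later cleanup from reintroducing the `(int)` cast. The commit message calls this "another" cast of the same kind, so it would also help to state whether the other casts of `arg` in this file were audited as part of this change.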