| From e9cfa322f7429a9e343f6c9b53b2303b37a57be9 Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Mon, 27 Sep 2010 12:30:28 -0400 |
| Subject: [PATCH] Fix pktcdvd ioctl dev_minor range check |
| |
| commit 252a52aa4fa22a668f019e55b3aac3ff71ec1c29 upstream |
| |
| The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a |
| pktcdvd_device from the global pkt_devs array. The index into this |
| array is provided directly by the user and is a signed integer, so the |
| comparison to ensure that it falls within the bounds of this array will |
| fail when provided with a negative index. |
| |
| This can be used to read arbitrary kernel memory or cause a crash due to |
| an invalid pointer dereference. This can be exploited by users with |
| permission to open /dev/pktcdvd/control (on many distributions, this is |
| readable by group "cdrom"). |
| |
| Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> |
| [ Rather than add a cast, just make the function take the right type -Linus ] |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c |
| index 8a549db..8403fd5 100644 |
| --- a/drivers/block/pktcdvd.c |
| +++ b/drivers/block/pktcdvd.c |
| @@ -2368,7 +2368,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush) |
| pkt_shrink_pktlist(pd); |
| } |
| |
| -static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor) |
| +static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor) |
| { |
| if (dev_minor >= MAX_WRITERS) |
| return NULL; |
| -- |
| 1.7.4.4 |
| |
