forked from luck/tmp_suning_uos_patched
Fix pktcdvd ioctl dev_minor range check
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a pktcdvd_device from the global pkt_devs array. The index into this array is provided directly by the user and is a signed integer, so the comparison to ensure that it falls within the bounds of this array will fail when provided with a negative index. This can be used to read arbitrary kernel memory or cause a crash due to an invalid pointer dereference. This can be exploited by users with permission to open /dev/pktcdvd/control (on many distributions, this is readable by group "cdrom"). Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> [ Rather than add a cast, just make the function take the right type -Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
95929eff2c
commit
252a52aa4f
|
@ -2369,7 +2369,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
|
|||
pkt_shrink_pktlist(pd);
|
||||
}
|
||||
|
||||
static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
|
||||
static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
|
||||
{
|
||||
if (dev_minor >= MAX_WRITERS)
|
||||
return NULL;
|
||||
|
|
Loading…
Reference in New Issue
Block a user