| commit | eb015d662b1831e61ce9610da234565f8349311b | |
| author | Dan Rosenberg <drosenberg@vsecurity.com> | |
| Mon, 27 Sep 2010 16:30:28 +0000 (27 12:30 -0400) | ||
| committer | Andi Kleen <ak@linux.intel.com> | |
| Tue, 14 Dec 2010 22:40:18 +0000 (14 23:40 +0100) | ||
| tree | f07493e5e2e1da26a628c7b4a2d2c8cc10dea154 | treesnapshot (tar.gz zip) |
| parent | 6efba844d4ad8783c46ee2477344bfd87f737325 | commitdiff |
Fix pktcdvd ioctl dev_minor range check
Upstream 252a52aa4fa22a668f019e55b3aac3ff71ec1c29
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
pktcdvd_device from the global pkt_devs array. The index into this
array is provided directly by the user and is a signed integer, so the
comparison to ensure that it falls within the bounds of this array will
fail when provided with a negative index.
This can be used to read arbitrary kernel memory or cause a crash due to
an invalid pointer dereference. This can be exploited by users with
permission to open /dev/pktcdvd/control (on many distributions, this is
readable by group "cdrom").
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
[ Rather than add a cast, just make the function take the right type -Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Upstream 252a52aa4fa22a668f019e55b3aac3ff71ec1c29
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
pktcdvd_device from the global pkt_devs array. The index into this
array is provided directly by the user and is a signed integer, so the
comparison to ensure that it falls within the bounds of this array will
fail when provided with a negative index.
This can be used to read arbitrary kernel memory or cause a crash due to
an invalid pointer dereference. This can be exploited by users with
permission to open /dev/pktcdvd/control (on many distributions, this is
readable by group "cdrom").
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
[ Rather than add a cast, just make the function take the right type -Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
| drivers/block/pktcdvd.c | diffblobblamehistory |