Commit e4f3aa2e authored by Young_X's avatar Young_X Committed by Jens Axboe
Browse files

cdrom: fix improper type cast, which can leat to information leak. 



There is another cast from unsigned long to int which causes
a bounds check to fail with specially crafted input. The value is
then used as an index in the slot array in cdrom_slot_status().

This issue is similar to CVE-2018-16658 and CVE-2018-10940.

Signed-off-by: default avatarYoung_X <YangX92@hotmail.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent fb6360b1

drivers/cdrom/cdrom.c

+1 −1
Original line number Diff line number Diff line
@@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi, 
		return -ENOSYS;



	if (arg != CDSL_CURRENT && arg != CDSL_NONE) {

		if ((int)arg >= cdi->capacity)

		if (arg >= cdi->capacity)

			return -EINVAL;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE