• D
    Fix pktcdvd ioctl dev_minor range check · 252a52aa
    Dan Rosenberg 提交于
    The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
    pktcdvd_device from the global pkt_devs array.  The index into this
    array is provided directly by the user and is a signed integer, so the
    comparison to ensure that it falls within the bounds of this array will
    fail when provided with a negative index.
    
    This can be used to read arbitrary kernel memory or cause a crash due to
    an invalid pointer dereference.  This can be exploited by users with
    permission to open /dev/pktcdvd/control (on many distributions, this is
    readable by group "cdrom").
    Signed-off-by: NDan Rosenberg <dan.j.rosenberg@gmail.com>
    [ Rather than add a cast, just make the function take the right type -Linus ]
    Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
    252a52aa
pktcdvd.c 76.3 KB