From patchwork Wed Apr 25 17:37:15 2018
X-Patchwork-Submitter: Scott Bauer
X-Patchwork-Id: 10364045
Date: Wed, 25 Apr 2018 11:37:15 -0600
From: Scott Bauer
To: Dan Carpenter
Cc: Jens Axboe, linux-block@vger.kernel.org, hch@infradead.org
Subject: Re: [PATCH] cdrom: information leak in cdrom_ioctl_media_changed()
Message-ID: <20180425173711.ppikkczih54daplg@sbauer-Z170X-UD5>
References: <20180418095130.GA26904@mwanda>
In-Reply-To: <20180418095130.GA26904@mwanda>
List-ID: linux-block@vger.kernel.org

On Wed, Apr 18, 2018 at 12:51:31PM +0300, Dan Carpenter wrote:
> This cast is wrong. "cdi->capacity" is an int and "arg" is an unsigned
> long. The way the check is written now, if one of the high 32 bits is
> set then we could read outside the info->slots[] array.
>
> This bug is pretty old and it predates git.

There seems to be another one in this file too. We can send an arg that,
when typed to int, will be negative, or, like the above bug, the upper 32
bits will be cast away. I can submit a normal patch if there are no
objections.

diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index bfc566d3f31a..8cfa10ab7abc 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2542,7 +2542,7 @@ static int cdrom_ioctl_drive_status(struct cdrom_device_info *cdi,
 	if (!CDROM_CAN(CDC_SELECT_DISC) ||
 	    (arg == CDSL_CURRENT || arg == CDSL_NONE))
 		return cdi->ops->drive_status(cdi, CDSL_CURRENT);
-	if (((int)arg >= cdi->capacity))
+	if (arg >= cdi->capacity)
 		return -EINVAL;
 	return cdrom_slot_status(cdi, arg);
 }
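Review bot: The replacement check `if (arg >= cdi->capacity)` in cdrom_ioctl_drive_status() is only correct because `cdi->capacity` is non-negative: since `arg` is an unsigned long and `cdi->capacity` an int, the usual arithmetic conversions promote `cdi->capacity` to unsigned long, so a negative capacity would become a huge value and the check would let every `arg` through to cdrom_slot_status(). That assumption, and the reason the old `(int)arg` cast was wrong (a user-controlled value with high bits set, or one that goes negative when truncated, escaping the bound and reading outside info->slots[]), belong in the commit message when this goes out as a proper patch, mirroring the rationale given for the cdrom_ioctl_media_changed() fix; the formal submission also needs a Signed-off-by line.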