• Dan Rosenberg's avatar
    Fix pktcdvd ioctl dev_minor range check · 252a52aa
    Dan Rosenberg authored
    The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
    pktcdvd_device from the global pkt_devs array.  The index into this
    array is provided directly by the user and is a signed integer, so the
    comparison to ensure that it falls within the bounds of this array will
    fail when provided with a negative index.
    
    This can be used to read arbitrary kernel memory or cause a crash due to
    an invalid pointer dereference.  This can be exploited by users with
    permission to open /dev/pktcdvd/control (on many distributions, this is
    readable by group "cdrom").
    Signed-off-by: default avatarDan Rosenberg <dan.j.rosenberg@gmail.com>
    [ Rather than add a cast, just make the function take the right type -Linus ]
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    252a52aa
Name
Last commit
Last update
Documentation Loading commit data...
arch Loading commit data...
block Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt/kvm Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...
REPORTING-BUGS Loading commit data...