summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorDan Rosenberg <drosenberg@vsecurity.com>2010-09-27 20:30:28 +0400
committerLinus Torvalds <torvalds@linux-foundation.org>2010-09-28 03:29:06 +0400
commit252a52aa4fa22a668f019e55b3aac3ff71ec1c29 (patch)
tree93e0def0cef2ba85c203f2c20b86cda4b6190843 /drivers
parent95929eff2cb01e9858779283795f4e3943ee020d (diff)
downloadlinux-252a52aa4fa22a668f019e55b3aac3ff71ec1c29.tar.xz
Fix pktcdvd ioctl dev_minor range check
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a pktcdvd_device from the global pkt_devs array. The index into this array is provided directly by the user and is a signed integer, so the comparison to ensure that it falls within the bounds of this array will fail when provided with a negative index. This can be used to read arbitrary kernel memory or cause a crash due to an invalid pointer dereference. This can be exploited by users with permission to open /dev/pktcdvd/control (on many distributions, this is readable by group "cdrom"). Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> [ Rather than add a cast, just make the function take the right type -Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/block/pktcdvd.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index b1cbeb59bb76..37a2bb595076 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2369,7 +2369,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
pkt_shrink_pktlist(pd);
}
-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
+static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
{
if (dev_minor >= MAX_WRITERS)
return NULL;