Fix pktcdvd ioctl dev_minor range check

Dan Rosenberg · torvalds · commit 252a52aa4fa2 · 2010-09-27T16:29:06.000-07:00
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
pktcdvd_device from the global pkt_devs array.  The index into this
array is provided directly by the user and is a signed integer, so the
comparison to ensure that it falls within the bounds of this array will
fail when provided with a negative index.

This can be used to read arbitrary kernel memory or cause a crash due to
an invalid pointer dereference.  This can be exploited by users with
permission to open /dev/pktcdvd/control (on many distributions, this is
readable by group "cdrom").

Signed-off-by: Dan Rosenberg &lt;dan.j.rosenberg@gmail.com&gt;
[ Rather than add a cast, just make the function take the right type -Linus ]
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
@@ -2369,7 +2369,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
 	pkt_shrink_pktlist(pd);
 }
 
-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
+static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
 {
 	if (dev_minor >= MAX_WRITERS)
 		return NULL;

Original file line number	Diff line number	Diff line change
`@@ -2369,7 +2369,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)`
`2369`	`2369`	`pkt_shrink_pktlist(pd);`
`2370`	`2370`	`}`
`2371`	`2371`
`2372`		`-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)`
	`2372`	`+static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)`
`2373`	`2373`	`{`
`2374`	`2374`	`if (dev_minor >= MAX_WRITERS)`
`2375`	`2375`	`return NULL;`