2.6.35-longterm review patch. If anyone has any objections, please let me know.
------------------
From: Dan Rosenberg <drosenberg@vsecurity.com>
Upstream 252a52aa4fa22a668f019e55b3aac3ff71ec1c29
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
pktcdvd_device from the global pkt_devs array. The index into this
array is provided directly by the user and is a signed integer, so the
comparison to ensure that it falls within the bounds of this array will
fail when provided with a negative index.
This can be used to read arbitrary kernel memory or cause a crash due to
an invalid pointer dereference. This can be exploited by users with
permission to open /dev/pktcdvd/control (on many distributions, this is
readable by group "cdrom").
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
[ Rather than add a cast, just make the function take the right type -Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
---
drivers/block/pktcdvd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: linux/drivers/block/pktcdvd.c
===================================================================
--- linux.orig/drivers/block/pktcdvd.c
+++ linux/drivers/block/pktcdvd.c
@@ -2368,7 +2368,7 @@ static void pkt_release_dev(struct pktcd
pkt_shrink_pktlist(pd);
}
-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
+static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
{
if (dev_minor >= MAX_WRITERS)
return NULL;
--
