252a52aa4f
The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a pktcdvd_device from the global pkt_devs array. The index into this array is provided directly by the user and is a signed integer, so the comparison to ensure that it falls within the bounds of this array will fail when provided with a negative index. This can be used to read arbitrary kernel memory or cause a crash due to an invalid pointer dereference. This can be exploited by users with permission to open /dev/pktcdvd/control (on many distributions, this is readable by group "cdrom"). Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> [ Rather than add a cast, just make the function take the right type -Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|---|---|---|
| .. | ||
| aoe | ||
| drbd | ||
| paride | ||
| amiflop.c | ||
| ataflop.c | ||
| brd.c | ||
| cciss_cmd.h | ||
| cciss_scsi.c | ||
| cciss_scsi.h | ||
| cciss.c | ||
| cciss.h | ||
| cpqarray.c | ||
| cpqarray.h | ||
| cryptoloop.c | ||
| DAC960.c | ||
| DAC960.h | ||
| floppy.c | ||
| hd.c | ||
| ida_cmd.h | ||
| ida_ioctl.h | ||
| Kconfig | ||
| loop.c | ||
| Makefile | ||
| mg_disk.c | ||
| nbd.c | ||
| osdblk.c | ||
| pktcdvd.c | ||
| ps3disk.c | ||
| ps3vram.c | ||
| smart1,2.h | ||
| sunvdc.c | ||
| swim3.c | ||
| swim_asm.S | ||
| swim.c | ||
| sx8.c | ||
| ub.c | ||
| umem.c | ||
| umem.h | ||
| viodasd.c | ||
| virtio_blk.c | ||
| xd.c | ||
| xd.h | ||
| xen-blkfront.c | ||
| xsysace.c | ||
| z2ram.c | ||