diff options
| author | Salvatore Bonaccorso <carnil@debian.org> | 2018-10-29 22:02:25 +0100 |
|---|---|---|
| committer | Salvatore Bonaccorso <carnil@debian.org> | 2018-10-29 22:04:01 +0100 |
| commit | 7fb2e63e992f227dab34b5d85fa7c4a55d5731ca (patch) | |
| tree | 7f6d3a478efac628467f8b260e8b16c27d069c80 | |
| parent | 5f66f9439aa2a0b523b6dba7602b1bfcaac773b3 (diff) | |
| download | kernel_replicant_linux-7fb2e63e992f227dab34b5d85fa7c4a55d5731ca.tar.gz kernel_replicant_linux-7fb2e63e992f227dab34b5d85fa7c4a55d5731ca.tar.bz2 kernel_replicant_linux-7fb2e63e992f227dab34b5d85fa7c4a55d5731ca.zip | |
cdrom: fix improper type cast, which can leat to information leak (CVE-2018-18710)
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch | 34 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 32e5f5c02362..411c69a1cae7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -443,6 +443,8 @@ linux (4.18.14-1) UNRELEASED; urgency=medium * [x86] swiotlb: Enable swiotlb for > 4GiG RAM on 32-bit kernels (Closes: #908924) * mremap: properly flush TLB before releasing the page (CVE-2018-18281) + * cdrom: fix improper type cast, which can leat to information leak + (CVE-2018-18710) -- Ben Hutchings <ben@decadent.org.uk> Mon, 08 Oct 2018 19:02:53 +0100 diff --git a/debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch b/debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch new file mode 100644 index 000000000000..c85d51cc41a0 --- /dev/null +++ b/debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch @@ -0,0 +1,34 @@ +From: Young_X <YangX92@hotmail.com> +Date: Wed, 3 Oct 2018 12:54:29 +0000 +Subject: cdrom: fix improper type cast, which can leat to information leak. +Origin: https://git.kernel.org/linus/e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18710 + +There is another cast from unsigned long to int which causes +a bounds check to fail with specially crafted input. The value is +then used as an index in the slot array in cdrom_slot_status(). + +This issue is similar to CVE-2018-16658 and CVE-2018-10940. + +Signed-off-by: Young_X <YangX92@hotmail.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index a5d5a96479bf..10802d1fc554 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi, + return -ENOSYS; + + if (arg != CDSL_CURRENT && arg != CDSL_NONE) { +- if ((int)arg >= cdi->capacity) ++ if (arg >= cdi->capacity) + return -EINVAL; + } + +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index 13e83e91c331..f29ef21d54b2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -146,6 +146,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch bugfix/all/mremap-properly-flush-TLB-before-releasing-the-page.patch +bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |