From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Christoph Hellwig , Dan Carpenter , Jens Axboe Subject: [PATCH 4.16 63/81] cdrom: information leak in cdrom_ioctl_media_changed() Date: Fri, 27 Apr 2018 15:59:05 +0200 Message-Id: <20180427135747.011303979@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180427135743.216853156@linuxfoundation.org> References: <20180427135743.216853156@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 upstream. This cast is wrong. "cdi->capacity" is an int and "arg" is an unsigned long. The way the check is written now, if one of the high 32 bits is set then we could read outside the info->slots[] array. This bug is pretty old and it predates git. Reviewed-by: Christoph Hellwig Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- drivers/cdrom/cdrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -2374,7 +2374,7 @@ static int cdrom_ioctl_media_changed(str if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT) return media_changed(cdi, 1); - if ((unsigned int)arg >= cdi->capacity) + if (arg >= cdi->capacity) return -EINVAL; info = kmalloc(sizeof(*info), GFP_KERNEL);
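Review bot: In the replacement line `if (arg >= cdi->capacity)`, the bound is now compared as unsigned long against a field the commit message describes as an int, so the result depends on `cdi->capacity` never being negative. Dropping the cast does fix the case described (an `arg` with any of the high 32 bits set is no longer truncated before the comparison), but the int operand is converted to unsigned long for the compare, and a negative `capacity` would become a very large bound that rejects nothing. The commit message should say that `capacity` cannot be negative at this point, or the check should make that explicit. It would also help if the body stated what the out-of-range read exposes, since the subject calls this an information leak and the body only mentions reading outside `info->slots[]`.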