From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Christoph Hellwig , Dan Carpenter , Jens Axboe Subject: [PATCH 4.14 66/80] cdrom: information leak in cdrom_ioctl_media_changed() Date: Fri, 27 Apr 2018 15:58:59 +0200 Message-Id: <20180427135736.311428367@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180427135732.928644313@linuxfoundation.org> References: <20180427135732.928644313@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 upstream. This cast is wrong. "cdi->capacity" is an int and "arg" is an unsigned long. The way the check is written now, if one of the high 32 bits is set then we could read outside the info->slots[] array. This bug is pretty old and it predates git. Reviewed-by: Christoph Hellwig Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- drivers/cdrom/cdrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -2374,7 +2374,7 @@ static int cdrom_ioctl_media_changed(str if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT) return media_changed(cdi, 1); - if ((unsigned int)arg >= cdi->capacity) + if (arg >= cdi->capacity) return -EINVAL; info = kmalloc(sizeof(*info), GFP_KERNEL);
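Review bot: The new check `if (arg >= cdi->capacity)` compares an unsigned long with an int, so it now depends on the implicit conversion of `cdi->capacity` to unsigned long. That conversion is only safe while capacity is never negative: a negative value would become a very large bound and almost any arg would pass the check. Nothing in the visible context establishes that invariant, so a short comment stating it, or an explicit `cdi->capacity < 0` guard before the comparison, would make the check self-evidently correct. The commit message names `info->slots[]` as the array read out of bounds, but the indexing is outside the context shown here; a sentence on how arg reaches that index would help stable reviewers confirm that this one comparison is the only bound that matters.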