From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Christoph Hellwig , Dan Carpenter , Jens Axboe Subject: [PATCH 4.9 70/74] cdrom: information leak in cdrom_ioctl_media_changed() Date: Fri, 27 Apr 2018 15:59:00 +0200 Message-Id: <20180427135712.842677560@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180427135709.899303463@linuxfoundation.org> References: <20180427135709.899303463@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 upstream. This cast is wrong. "cdi->capacity" is an int and "arg" is an unsigned long. The way the check is written now, if one of the high 32 bits is set then we could read outside the info->slots[] array. This bug is pretty old and it predates git. Reviewed-by: Christoph Hellwig Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- drivers/cdrom/cdrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -2368,7 +2368,7 @@ static int cdrom_ioctl_media_changed(str if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT) return media_changed(cdi, 1); - if ((unsigned int)arg >= cdi->capacity) + if (arg >= cdi->capacity) return -EINVAL; info = kmalloc(sizeof(*info), GFP_KERNEL);
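Review bot: The new comparison `if (arg >= cdi->capacity)` in cdrom_ioctl_media_changed() still mixes signedness. The commit message says "cdi->capacity" is an int and "arg" is an unsigned long, so the bound is implicitly converted to unsigned long before the compare. That rejects values with high bits set, which is the stated fix, but it is only a valid upper bound while cdi->capacity is non-negative. A negative capacity would convert to a very large unsigned value and let any arg through to the code after the kmalloc(). It would help to state that invariant in a comment above the check, or to make the conversion explicit. Separately, the commit message describes the out-of-bounds read as being on info->slots[], while the check is against cdi->capacity. Nothing in the visible lines shows that capacity can never exceed the number of entries in slots[], so consider also bounding arg by the array size, or noting in the commit message where that relationship is enforced.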