Received: by 10.192.165.148 with SMTP id m20csp856771imm;
        Fri, 27 Apr 2018 08:36:00 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrksd5XyRe6iKO24PFC34A5jtk0+/pqP9A0nh0hRzn/GtYXZ+QrHZxz9OtxjdEMPM4bCxsz
X-Received: by 10.98.9.27 with SMTP id e27mr2613912pfd.93.1524843360632;
        Fri, 27 Apr 2018 08:36:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524843360; cv=none;
        d=google.com; s=arc-20160816;
        b=XhPd1QPhWu+rn9ApHZXr8nJ7tmwhIH6PAxeHLUXAmkTgrtU0OFLTZm4pNHKod+gq16
         D/+ow5tHwF7KKQLFw2H2hm7PBxXEZ+XA9Cik9oD1VCP3ZJabe84U8cVDs8QgJbWJshrP
         PXwQf6hkVU5FlzN4eXVnNEDN8PpPskiezJM6Ig83/rzObJL5BAJOipRW+MVXJtkpPCnv
         HGygSD/AhLMgLdtjSCx8Piz2fOcUsN2s5kzbZNFZzWMYSKaBid3yduy45xisHp7NzJfb
         U2TysIDZpRINlKTtx2fmr9B1hRefSLqJVWUUfji/uo4p6kaxOXrkG8wOZb6IMajtXivO
         WYGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dmarc-filter
         :arc-authentication-results;
        bh=tkayf7Ly+0bP73JeoNM2ksCb6JVkhxLshVq6Ag8cHHg=;
        b=MMB5Qx3hkLZk97X2Vcm3ERC2sJx0ONuchviuuF6kswBXwDJKJ9RiRXUdqAXtWamBoD
         Gmbs1EbKqJZ5o/rfPxkddKK0yV5jJ2BtHBmyfDJvLvfvmHD3I9rGjB2xskTRX/EIpbJ2
         G0/3GR3+ZrDEeCP+9O0yb6PRtDYalXgPtbR+R/hymIxDomG+Re2PCrLYMEp2O4nDqHqx
         EupgBOf9spV4HHoY4julOTt1W1N0HyP0zzOdWu9dm5mva9e/5M7ipryKNOVdZzx754gT
         Z2ixVBzQQ6zHfbl3PnoLvwIemcf71KYka4KQ7/3FcZi4/w92E4+xAQxV2LmY2niYXc90
         xLkw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t15-v6si1431397plr.188.2018.04.27.08.35.46;
        Fri, 27 Apr 2018 08:36:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932956AbeD0OAS (ORCPT <rfc822;chenc2371@gmail.com> + 99 others);
        Fri, 27 Apr 2018 10:00:18 -0400
Received: from mail.kernel.org ([198.145.29.99]:47446 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S932906AbeD0OAP (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 27 Apr 2018 10:00:15 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 6EEF421894;
        Fri, 27 Apr 2018 14:00:14 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6EEF421894
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org
Authentication-Results: mail.kernel.org; spf=fail smtp.mailfrom=gregkh@linuxfoundation.org
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 3.18 24/24] cdrom: information leak in cdrom_ioctl_media_changed()
Date:   Fri, 27 Apr 2018 15:57:59 +0200
Message-Id: <20180427135632.574634449@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180427135631.584839868@linuxfoundation.org>
References: <20180427135631.584839868@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 upstream.

This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
long.  The way the check is written now, if one of the high 32 bits is
set then we could read outside the info->slots[] array.

This bug is pretty old and it predates git.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cdrom/cdrom.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2357,7 +2357,7 @@ static int cdrom_ioctl_media_changed(str
 	if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
 		return media_changed(cdi, 1);
 
-	if ((unsigned int)arg >= cdi->capacity)
+	if (arg >= cdi->capacity)
 		return -EINVAL;
 
 	info = kmalloc(sizeof(*info), GFP_KERNEL);