author | Jeremy Cline <jcline@redhat.com> | 2018-11-14 13:43:09 -0500 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2018-11-14 13:43:09 -0500 |
commit | 8892f848b2127d2034710185dac9bad5ed480a34 (patch) | |
tree | f5c9e58cb17252a7405c6d21c051c5d57d3bab4d | |
parent | ee73ea2d18791a1a9c024afece3b26d4e66b69b8 (diff) | |
Fix CVE-2018-18710 (rhbz 1645140 1648485)
-rw-r--r-- | cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch | 35 | ||||
-rw-r--r-- | kernel.spec | 4 |
2 files changed, 39 insertions, 0 deletions
diff --git a/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch b/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch
new file mode 100644
index 000000000..ea594f4a6
--- /dev/null
+++ b/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch
@@ -0,0 +1,35 @@
+From e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Wed, 3 Oct 2018 12:54:29 +0000
+Subject: cdrom: fix improper type cast, which can leat to information leak.
+
+From: Young_X <YangX92@hotmail.com>
+
+commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 upstream.
+
+There is another cast from unsigned long to int which causes
+a bounds check to fail with specially crafted input. The value is
+then used as an index in the slot array in cdrom_slot_status().
+
+This issue is similar to CVE-2018-16658 and CVE-2018-10940.
+
+Signed-off-by: Young_X <YangX92@hotmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struc
+ return -ENOSYS;
+
+ if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
+- if ((int)arg >= cdi->capacity)
++ if (arg >= cdi->capacity)
+ return -EINVAL;
+ }
+
diff --git a/kernel.spec b/kernel.spec
index 0798b2a4e..aa86c77b1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -614,6 +614,9 @@ Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
 Patch504: CI-1-6-drm-i915-dp-Fix-link-retraining-comment-in-intel_dp_long_pulse.patch
 Patch505: CI-2-6-drm-i915-dp-Restrict-link-retrain-workaround-to-external-monitors.patch
+# CVE-2018-18710 rhbz 1645140 1648485
+Patch506: cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch
+
 # END OF PATCH DEFINITIONS
 %endif
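Review bot: The corrected bounds check in the `drivers/cdrom/cdrom.c` hunk carried by the new patch file, `if (arg >= cdi->capacity)`, has no comment saying why the comparison must not narrow `arg`, although the commit message places it alongside two earlier CVEs of the same kind. A one-line comment above it, for example `/* arg is unsigned long: compare without casting to int, or a value with high bits set can wrap negative and pass the bound */`, would make it harder for a later cleanup to reintroduce the cast. The declared type of `cdi->capacity` is not visible here; if it is a signed int, the unsigned comparison now relies on it never being negative, which is worth confirming. `cdrom_ioctl_select_disc` begins and ends outside the hunk, so how `arg` is narrowed when it is passed on after this check cannot be judged from this page.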
@@ -1877,6 +1880,7 @@ fi
 %changelog
 * Wed Nov 14 2018 Jeremy Cline <jcline@redhat.com> - 4.19.2-300
 - Linux v4.19.2
+- Fix CVE-2018-18710 (rhbz 1645140 1648485)
 * Mon Nov 12 2018 Laura Abbott <labbott@redhat.com> - 4.18.18-300
 - Linux v4.18.18 |