author | Jeremy Cline <jcline@redhat.com> | 2018-11-14 13:43:09 -0500 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2018-11-14 15:31:50 -0500 |
commit | 53c5f0e53068296feda08ed2b9e0753229b69d48 (patch) | |
tree | e160d9e328df1481b2444494443ed0f9a85ec081 | |
parent | 7452c29bbbbaa49fdd659967520375c2d635c8da (diff) | |
Fix CVE-2018-18710 (rhbz 1645140 1648485)
-rw-r--r-- | cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch | 35 | ||||
-rw-r--r-- | kernel.spec | 4 |
2 files changed, 39 insertions, 0 deletions
diff --git a/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch b/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch
new file mode 100644
index 000000000..ea594f4a6
--- /dev/null
+++ b/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch
@@ -0,0 +1,35 @@
+From e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Wed, 3 Oct 2018 12:54:29 +0000
+Subject: cdrom: fix improper type cast, which can leat to information leak.
+
+From: Young_X <YangX92@hotmail.com>
+
+commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 upstream.
+
+There is another cast from unsigned long to int which causes
+a bounds check to fail with specially crafted input. The value is
+then used as an index in the slot array in cdrom_slot_status().
+
+This issue is similar to CVE-2018-16658 and CVE-2018-10940.
+
+Signed-off-by: Young_X <YangX92@hotmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struc
+ return -ENOSYS;
+
+ if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
+- if ((int)arg >= cdi->capacity)
++ if (arg >= cdi->capacity)
+ return -EINVAL;
+ }
+
diff --git a/kernel.spec b/kernel.spec
index 96d069cec..735e31cd0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -624,6 +624,9 @@ Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
 Patch504: CI-1-6-drm-i915-dp-Fix-link-retraining-comment-in-intel_dp_long_pulse.patch
 Patch505: CI-2-6-drm-i915-dp-Restrict-link-retrain-workaround-to-external-monitors.patch
+# CVE-2018-18710 rhbz 1645140 1648485
+Patch506: cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch
+
 # END OF PATCH DEFINITIONS
 %endif
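Review bot: The rewritten check `if (arg >= cdi->capacity)` in cdrom_ioctl_select_disc now depends on an implicit signed-to-unsigned conversion that nothing in the code explains, so a later cleanup could reintroduce the `(int)` cast that let a large `arg` turn negative and pass the bound. I would add a comment above it, e.g. `/* arg is unsigned long: compare unsigned so values above INT_MAX cannot wrap negative and slip past the bound */`. The declaration of `cdi->capacity` is not visible here; if it is a signed int, as the removed cast suggests, the comparison only holds while capacity is non-negative, which is worth confirming where capacity is set. The function body starts and ends outside the hunk, so how `arg` is narrowed when it is passed on after this check should be verified there as well.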
@@ -1877,6 +1880,7 @@ fi
 %changelog
 * Wed Nov 14 2018 Jeremy Cline <jcline@redhat.com> - 4.19.2-200
 - Linux v4.19.2
+- Fix CVE-2018-18710 (rhbz 1645140 1648485)
 * Mon Nov 12 2018 Laura Abbott <labbott@redhat.com> - 4.18.18-200
 - Linux v4.18.18 |