Using ioctl(CDROMREADAUDIO) with nframes argument being larger than 8 and
not divisible by 8 causes kernel to read and return more audio data than
was requested. This is bad since it clobbers up processes memory
(I noticed this when my patched cdparanoia segfaulted).
This _might_ also have a security impact, since it could be used to
overwrite memory which the user should not have write access with
cdrom audio data. (_might_ since I do not know the exact semantics of
__copy_to_user() and I am too lazy to check them out. The attacker needs
access to cdrom device with audio cdrom in drive, preferably with a
custom made audio cd).
I have not checked if the same bug is also present in 2.4 kernels.
If you have any comments, please Cc: them to me, since I am not present in
the list.
Here is a trivial patch against drivers/cdrom/cdrom.c of kernel 2.2.18:
--- cdrom.c.orig Wed Mar 14 13:15:13 2001
+++ cdrom.c Wed Mar 14 15:42:19 2001
@@ -1946,6 +1946,7 @@
ra.buf += (CD_FRAMESIZE_RAW * frames);
ra.nframes -= frames;
lba += frames;
+ if (frames>ra.nframes) frames=ra.nframes;
}
kfree(cgc.buffer);
return ret;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Mar 15 2001 - 21:00:16 EST