commit: b652277b09d3d030cb074cc6a98ba80b34244c03 From: Dan Carpenter <[email protected]> Date: Thu, 3 Mar 2011 17:56:06 +0100 Subject: [PATCH] [S390] keyboard: integer underflow bug
The "ct" variable should be an unsigned int. Both struct kbdiacrs ->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints. Making it signed causes a problem in KBDIACRUC because the user could set the signed bit and cause a buffer overflow. Cc: <[email protected]> Signed-off-by: Dan Carpenter <[email protected]> Signed-off-by: Martin Schwidefsky <[email protected]> --- drivers/s390/char/keyboard.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c index 8cd58e4..5ad44da 100644 --- a/drivers/s390/char/keyboard.c +++ b/drivers/s390/char/keyboard.c @@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file, unsigned int cmd, unsigned long arg) { void __user *argp; - int ct, perm; + unsigned int ct; + int perm; argp = (void __user *)arg; _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
