This is a note to let you know that I've just added the patch titled
[S390] keyboard: integer underflow bug
to the 2.6.37-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
keyboard-integer-underflow-bug.patch
and it can be found in the queue-2.6.37 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From b652277b09d3d030cb074cc6a98ba80b34244c03 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <[email protected]>
Date: Thu, 3 Mar 2011 17:56:06 +0100
Subject: [S390] keyboard: integer underflow bug
From: Dan Carpenter <[email protected]>
commit b652277b09d3d030cb074cc6a98ba80b34244c03 upstream.
The "ct" variable should be an unsigned int. Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.
Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Martin Schwidefsky <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/s390/char/keyboard.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/s390/char/keyboard.c
+++ b/drivers/s390/char/keyboard.c
@@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct f
unsigned int cmd, unsigned long arg)
{
void __user *argp;
- int ct, perm;
+ unsigned int ct;
+ int perm;
argp = (void __user *)arg;
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.37/keyboard-integer-underflow-bug.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
