提交 b652277b 编写于 作者: D Dan Carpenter 提交者: Martin Schwidefsky

[S390] keyboard: integer underflow bug

The "ct" variable should be an unsigned int.  Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.

Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.

Cc: <stable@kernel.org>
Signed-off-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
上级 0c0db035
...@@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file, ...@@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file,
unsigned int cmd, unsigned long arg) unsigned int cmd, unsigned long arg)
{ {
void __user *argp; void __user *argp;
int ct, perm; unsigned int ct;
int perm;
argp = (void __user *)arg; argp = (void __user *)arg;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册