drivers/s390/char/keyboard.c kernel stack infoleak

From: sohu0106
Date: Thu Aug 03 2017 - 09:59:53 EST



The stack object "kbdiacr" has a total size of 4 bytes. Its last byte is a padding byte after "result" that is never initialized and is leaked to userland via "copy_to_user".


diff --git a/keyboard.c b/keyboard.c
index ba0e4f9..76a6d35 100644
--- a/keyboard.c
+++ b/keyboard.c
@@ -480,6 +480,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
struct kbdiacr diacr;
int i;

+ memset( &diacr, 0, sizeof(struct kbdiacr) );
+
if (put_user(kbd->accent_table_size, &a->kb_cnt))
return -EFAULT;
for (i = 0; i < kbd->accent_table_size; i++) {
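Review bot: The added memset should take its size from the object and follow kernel spacing, `memset(&diacr, 0, sizeof(diacr));`, so it stays correct if the variable's type ever changes. Using memset rather than a `= {0}` initializer is the right call for this purpose, since an initializer is not guaranteed to clear padding bytes. The loop body and the copy_to_user call lie outside the hunk, so the leak described in the message cannot be confirmed from these lines. If struct kbdiacr holds only three unsigned char members, as I believe the uapi definition does, its size would be 3 with no padding, so the layout is worth checking (for example with pahole on an s390 build) before this is labelled an infoleak.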