Control: forwarded -1 https://github.com/legionus/kbd/pull/16
Control: tags -1 + upstream
Hello,

Sorry for the late follow-up.

On Sat, Aug 19, 2017 at 04:08:50PM -0400, alsau...@pragmasoft.com wrote:
[...]
> Upon closer examination, it appears that the KDGKBMETA IOCTL that
> is called by setmetamode.c, is subsequently calling:
> put_user (<unsigned int>, (int __user*) arg);
>
> Unfortunately, the argument (ometa) is only declared as "char" in
> setmetamode.c. So, in essence, we are asking the kernel to store
> an <unsigned int> into a user space location that has only been
> allocated as a "char".
>
> I now believe that the appropriate correction is to change the
> "char ometa, nmeta;" declaration in setmetamode.c to
> "unsigned int ometa, nmeta;". During my testing, this change
> eliminated the StackSmashing detection and subsequent traceback.
[...]

I agree with your analysis.

Would be best to discuss this issue upstream, but since the fix seemed
obvious I went ahead and submitted https://github.com/legionus/kbd/pull/16

Thanks for your detailed bug report and analysis.

Regards,
Andreas Henriksson
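The width mismatch described in the quoted analysis, as an added simulation that is not part of this bug report or of kbd's code: a stand-in for the kernel's put_user() store (simulated_kdgkbmeta, a made-up name) writes a full unsigned int into the buggy "char ometa" declaration and into the corrected "unsigned int ometa" one, and a guard pattern behind the variable shows how many neighbouring bytes each store overwrites. The 0x03/0x04 inputs are just sample meta-mode values.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the kernel side of KDGKBMETA: like put_user(), it stores a
 * whole unsigned int at the address the caller passed, whatever the caller
 * actually allocated there. (Simulation for illustration, not kernel code.) */
static void simulated_kdgkbmeta(void *arg, unsigned int meta)
{
    memcpy(arg, &meta, sizeof meta);
}

#define GUARD_FILL 0xAA
/* Pre-fix layout: "char ometa" directly followed by other stack data
 * (here a guard pattern standing in for the canary / neighbouring locals). */
struct buggy_frame {
    char ometa;
    unsigned char guard[sizeof(unsigned int)];
};

/* Fixed layout: "unsigned int ometa" is as wide as the kernel's store. */
struct fixed_frame {
    unsigned int ometa;
    unsigned char guard[sizeof(unsigned int)];
};

/* Number of guard bytes no longer holding the fill pattern. */
static int count_clobbered(const unsigned char *guard)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(unsigned int); i++)
        n += guard[i] != GUARD_FILL;
    return n;
}

/* Returns how many bytes past 'char ometa' the unsigned int store overwrote. */
int buggy_caller_clobbered_bytes(unsigned int meta)
{
    struct buggy_frame f;
    memset(f.guard, GUARD_FILL, sizeof f.guard);
    simulated_kdgkbmeta(&f.ometa, meta);
    return count_clobbered(f.guard);
}

/* Same store into the corrected declaration: nothing outside ometa changes. */
int fixed_caller_clobbered_bytes(unsigned int meta)
{
    struct fixed_frame f;
    memset(f.guard, GUARD_FILL, sizeof f.guard);
    simulated_kdgkbmeta(&f.ometa, meta);
    return count_clobbered(f.guard);
}
```

With a 4-byte unsigned int the buggy frame loses three guard bytes on either endianness, which is exactly the kind of overwrite the stack protector reports as stack smashing; the fixed frame loses none.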