The stack object "kbdiacr" has a total size of 4 bytes. Its last byte is a 
padding byte after "result" that is not initialized and is leaked to userland 
via "copy_to_user".


diff --git a/keyboard.c b/keyboard.c
index ba0e4f9..76a6d35 100644
--- a/keyboard.c
+++ b/keyboard.c
@@ -480,6 +480,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
                struct kbdiacr diacr;
                int i;
 
+               memset( &diacr, 0, sizeof(struct kbdiacr) );
+
                if (put_user(kbd->accent_table_size, &a->kb_cnt))
                        return -EFAULT;
                for (i = 0; i < kbd->accent_table_size; i++) {
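Review bot: The added `memset( &diacr, 0, sizeof(struct kbdiacr) );` runs once before the `for` loop, so the padding stays zero only if each iteration fills `diacr` by individual member stores and not by a whole-struct assignment, which may rewrite padding bytes. The loop body lies outside this hunk, so that should be confirmed there. For style, kernel code would write `memset(&diacr, 0, sizeof(diacr));`, with no spaces inside the parentheses and the size taken from the object so the call stays correct if the type changes. The layout of `struct kbdiacr` is not visible here, and the 4-byte size with one trailing padding byte presumably depends on the target ABI, so it is worth confirming with a build-time `sizeof` check or pahole on the affected architecture.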
