Re: Re: drivers/s390/char/keyboard.c NULL pointer reference

2017-08-04 Thread sohu0106
t kbdiacr diacr; int i; //a is NULL,a->kb_cnt will crash if (put_user(kbd->accent_table_size, &a->kb_cnt)) At 2017-08-04 17:26:08, "Heiko Carstens" wrote: >On Thu, Aug 03, 2017 at 09:57:38PM +0800, sohu0106 wrote: >>

Linux kernel: net/irda/af_irda.c: irda_getsockopt() stack infoleak

2017-08-03 Thread sohu0106
Sometimes irda_getsockopt() doesn't initialize all members of the list field of the irda_device_list struct. This structure is then copied to userland. It leads to leaking the contents of kernel stack memory.   2  net/irda/af_irda.c @@ -2248,6 +2248,8 @@ static int irda_getsockopt(struct socket *sock,

driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak

2017-08-03 Thread sohu0106
driver/video/fbdev/aty/atyfb_base.c In atyfb_ioctl() the structure atyclk is copied to userland with the padding bytes after the "vclk_post_div" field uninitialized. It leads to leaking the contents of kernel stack memory. 3  drivers/video/fbdev/aty/atyfb_base.c  @@ -1857,6 +1857,9 @@ static int atyfb_io

drivers/s390/char/keyboard.c kernel stack infoleak

2017-08-03 Thread sohu0106
The stack object "kbdiacr" has a total size of 4 bytes. Its last byte is a padding byte after "result" which is not initialized and is leaked to userland via "copy_to_user". diff --git a/keyboard.c b/keyboard.c index ba0e4f9..76a6d35 100644 --- a/keyboard.c +++ b/keyboard.c @@ -480,6 +480,8 @

drivers/s390/char/keyboard.c NULL pointer reference

2017-08-03 Thread sohu0106
Local users are able to pass a NULL arg argument to kbd_ioctl(), which could cause a kernel crash. diff --git a/keyboard.c  b/keyboard.c index ba0e4f9..3ec16b1 100644 --- a/keyboard.c +++ b/keyboard.c @@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)