[kernel] r17411 - in dists/lenny/linux-2.6/debian: . patches/bugfix/s390

[Dann Frazier]

Author: dannf
Date: Mon May 16 00:57:58 2011
New Revision: 17411

Log:
[s390] keyboard: integer underflow bug

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Mon May 16 00:57:53 2011	(r17410)
+++ dists/lenny/linux-2.6/debian/changelog	Mon May 16 00:57:58 2011	(r17411)
@@ -21,6 +21,7 @@
     - NFSD: memory corruption due to writing beyond the stat array
     - ext2: Fix link count corruption under heavy link+rename load
     - virtio: set pci bus master enable bit
+    - [s390] keyboard: integer underflow bug
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 29 Nov 2010 02:01:24 +0000
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/s390/keyboard-integer-underflow-bug.patch	Mon May 16 00:57:58 2011	(r17411)
@@ -0,0 +1,32 @@
+commit a88dfcc1c22750be6ea3283ae08e20019c876234
+Author: Dan Carpenter <error27 at gmail.com>
+Date:   Thu Mar 3 17:56:06 2011 +0100
+
+    keyboard: integer underflow bug
+    
+    commit b652277b09d3d030cb074cc6a98ba80b34244c03 upstream.
+    
+    The "ct" variable should be an unsigned int.  Both struct kbdiacrs
+    ->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.
+    
+    Making it signed causes a problem in KBDIACRUC because the user could
+    set the signed bit and cause a buffer overflow.
+    
+    Signed-off-by: Dan Carpenter <error27 at gmail.com>
+    Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c
+index cee4d4e..1160fca 100644
+--- a/drivers/s390/char/keyboard.c
++++ b/drivers/s390/char/keyboard.c
+@@ -462,7 +462,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file,
+ 	  unsigned int cmd, unsigned long arg)
+ {
+ 	void __user *argp;
+-	int ct, perm;
++	unsigned int ct;
++	int perm;
+ 
+ 	argp = (void __user *)arg;
+