From: Dan Carpenter <error27@gmail.com>
Date: Thu, 3 Mar 2011 16:56:06 +0000 (+0100)
Subject: [S390] keyboard: integer underflow bug
X-Git-Tag: v2.6.38-rc8~6^2~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b652277b09d3d030cb074cc6a98ba80b34244c03;p=platform%2Fupstream%2Fkernel-adaptation-pc.git

[S390] keyboard: integer underflow bug

The "ct" variable should be an unsigned int.  Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.

Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.

Cc: <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
---

diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c
index 8cd58e4..5ad44da 100644
--- a/drivers/s390/char/keyboard.c
+++ b/drivers/s390/char/keyboard.c
@@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file,
 	  unsigned int cmd, unsigned long arg)
 {
 	void __user *argp;
-	int ct, perm;
+	unsigned int ct;
+	int perm;
 
 	argp = (void __user *)arg;