Local users able to send the NULL arg argument to kbd_ioctl(), which could cause kernel crash
diff --git a/keyboard.c b/keyboard.c
index ba0e4f9..3ec16b1 100644
--- a/keyboard.c
+++ b/keyboard.c
@@ -456,6 +456,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg)
 int perm;
 argp = (void __user *)arg;
+ if( !argp )
+ return -EFAULT;
 /*
 * To have permissions to do most of the vt ioctls, we either have
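Review bot: The added `if( !argp )` test right after `argp = (void __user *)arg;` rejects only the value 0, so any other invalid user address would presumably still reach whatever access caused the crash; a `__user` pointer is validated by going through `copy_from_user()`/`get_user()`/`put_user()`, which already fail with -EFAULT on NULL. The crashing access is not visible here because kbd_ioctl's body continues outside the hunk, so it is worth locating the command path that touches `argp` directly and fixing it there. Because the check sits ahead of the command dispatch it applies to every `cmd`; if any command takes `arg` as a plain integer, or an unrecognised command is meant to return a "not handled" code, those calls would now get -EFAULT whenever `arg` is 0. If the guard stays, kernel style spells it `if (!argp)`.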