The stack object "kbdiacr" has a total size of 4 bytes. Its last 1 byte is a padding byte after "result" which is not initialized and leaked to userland via "copy_to_user". diff --git a/keyboard.c b/keyboard.c index ba0e4f9..76a6d35 100644 --- a/keyboard.c +++ b/keyboard.c @@ -480,6 +480,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg) struct kbdiacr diacr; int i; + memset( &diacr, 0, sizeof(struct kbdiacr) ); + if (put_user(kbd->accent_table_size, &a->kb_cnt)) return -EFAULT; for (i = 0; i < kbd->accent_table_size; i++) {
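Review bot: the added memset in this hunk has two kernel coding-style issues: the spaces inside the parentheses should go, and `sizeof(diacr)` is preferable to `sizeof(struct kbdiacr)` so the clear stays correct if the variable's type is ever changed, i.e. `memset(&diacr, 0, sizeof(diacr));`. Using memset rather than a `= {0}` initializer is the right call here, since C does not guarantee that an initializer zeroes padding bytes, and the padding byte after `result` is exactly what the commit message says leaks to userland through `copy_to_user`; zeroing the whole object once before the loop covers every iteration. The commit message calls the object "kbdiacr", but the stack variable shown in the context lines is `diacr` (of type `struct kbdiacr`); the wording should name the variable.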