summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSeth Forshee <seth.forshee@canonical.com>2021-04-09 13:10:37 -0500
committerStefan Bader <stefan.bader@canonical.com>2021-04-12 17:10:52 +0200
commit25c891a949bf918b59cbc6e4932015ba4c35c333 (patch)
tree8f6d99398bb79b0aa55ca96d8629fc8d603d60cc
parent8fee52ab9da87d82bc6de9ebb3480fff9b4d53e6 (diff)
UBUNTU: SAUCE: shiftfs: handle copy_to_user() return values correctly
shiftfs expects copy_to_user() to return a negative error code on failure, when it actually returns the amount of uncopied data. Fix all code using copy_to_user() to handle the return values correctly. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> CVE-2021-3492 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Marcelo Cerri <marcelo.cerri@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-rw-r--r--fs/shiftfs.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/shiftfs.c b/fs/shiftfs.c
index 5dfa414..e73b121 100644
--- a/fs/shiftfs.c
+++ b/fs/shiftfs.c
@@ -1423,7 +1423,7 @@ static int shiftfs_btrfs_ioctl_fd_restore(int cmd, int fd, void __user *arg,
kfree(v1);
kfree(v2);
- return ret;
+ return ret ? -EFAULT: 0;
}
static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
@@ -1500,6 +1500,7 @@ static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
*b2 = v2;
} else {
shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
+ ret = -EFAULT;
}
return ret;