Skip to content

Commit

Permalink
UBUNTU: SAUCE: shiftfs: handle copy_to_user() return values correctly
Browse files Browse the repository at this point in the history 
shiftfs expects copy_to_user() to return a negative error code on
failure, when it actually returns the amount of uncopied data. Fix all
code using copy_to_user() to handle the return values correctly.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
CVE-2021-3492
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
  • Loading branch information
Seth Forshee authored and Thadeu Lima de Souza Cascardo committed Apr 14, 2021
1 parent f7bde38 commit aa51696
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion fs/shiftfs.c
View file
Original file line number Diff line number Diff line change
@@ -1417,7 +1417,7 @@ static int shiftfs_btrfs_ioctl_fd_restore(int cmd, int fd, void __user *arg,
kfree(v1);
kfree(v2);

return ret;
return ret ? -EFAULT: 0;
}

static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
@@ -1494,6 +1494,7 @@ static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
*b2 = v2;
} else {
shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
ret = -EFAULT;
}

return ret;

0 comments on commit aa51696

Please sign in to comment.