shiftfs expects copy_to_user() to return a negative error code on
failure, when it actually returns the amount of uncopied data. Fix all
code using copy_to_user() to handle the return values correctly.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
CVE-2021-3492
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
kfree(v1);
kfree(v2);
- return ret;
+ return ret ? -EFAULT: 0;
}
static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
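Review bot: at `return ret ? -EFAULT: 0;` every nonzero `ret` is collapsed to -EFAULT at function exit, which is only correct if `ret` can hold nothing but a copy_to_user() result by the time it gets here. If any path in this function can already leave a negative errno in `ret`, that code is now overwritten. Converting at the call site instead, for example `if (copy_to_user(...)) ret = -EFAULT;`, would keep `ret` an errno throughout and leave the exit as a plain `return ret;`. Style: kernel coding style wants a space on both sides of the ternary colon, so `-EFAULT : 0`.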
*b2 = v2;
} else {
shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
+ ret = -EFAULT;
}
return ret;
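Review bot: in the else branch the return value of `shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2)` is still discarded, and `ret` is then set to -EFAULT unconditionally. That is fine if this branch is reached only when the preceding copy_to_user() failed (the condition is outside the shown context), but a short comment stating that the restore result is intentionally ignored because the call already fails with -EFAULT would make that explicit. If the branch can also be reached with a different error already in `ret`, the assignment replaces that error code and should be made conditional.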