UBUNTU: SAUCE: shiftfs: handle copy_to_user() return values correctly

shiftfs expects copy_to_user() to return a negative error code on
failure, when it actually returns the amount of uncopied data. Fix all
code using copy_to_user() to handle the return values correctly.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
CVE-2021-3492
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

diff --git a/fs/shiftfs.c b/fs/shiftfs.c
index 8eab93691d626c0ae2f334cbe44cc9cbef22a6ec..abeb7db3b9be415788b108292f026ee3fe75ccb9 100644 (file)
--- a/fs/shiftfs.c
+++ b/fs/shiftfs.c
@@ -1424,7 +1424,7 @@ static int shiftfs_btrfs_ioctl_fd_restore(int cmd, int fd, void __user *arg,
        kfree(v1);
        kfree(v2);
 
-       return ret;
+       return ret ? -EFAULT: 0;
 }
 
 static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
@@ -1501,6 +1501,7 @@ static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
                *b2 = v2;
        } else {
                shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
+               ret = -EFAULT;
        }
 
        return ret;