From: Seth Forshee Date: Fri, 9 Apr 2021 18:10:37 +0000 (-0500) Subject: UBUNTU: SAUCE: shiftfs: handle copy_to_user() return values correctly X-Git-Tag: Ubuntu-5.15.0-14.14~1998 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=902ca980b651bb536a87ed183779f040e98f5135;p=mirror_ubuntu-jammy-kernel.git UBUNTU: SAUCE: shiftfs: handle copy_to_user() return values correctly shiftfs expects copy_to_user() to return a negative error code on failure, when it actually returns the amount of uncopied data. Fix all code using copy_to_user() to handle the return values correctly. Signed-off-by: Seth Forshee CVE-2021-3492 Signed-off-by: Thadeu Lima de Souza Cascardo
---
diff --git a/fs/shiftfs.c b/fs/shiftfs.c
index 8eab93691d62..abeb7db3b9be 100644
--- a/fs/shiftfs.c
+++ b/fs/shiftfs.c
@@ -1424,7 +1424,7 @@ static int shiftfs_btrfs_ioctl_fd_restore(int cmd, int fd, void __user *arg,
 kfree(v1);
 kfree(v2);
- return ret;
+ return ret ? -EFAULT: 0;
 }
 static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
@@ -1501,6 +1501,7 @@ static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
 *b2 = v2;
 } else {
 shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
+ ret = -EFAULT;
 }
 return ret;
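Review bot: shiftfs_btrfs_ioctl_fd_restore() frees v1 and v2 right before the changed return, but nothing at the definition tells callers that the buffers are consumed whether the result is 0 or -EFAULT. Since the bug being fixed came from a misread return contract, I would add a comment above the function such as `/* Frees v1 and v2 before returning 0 or -EFAULT; callers must not reuse or free them afterwards. */`. The function body starts outside this hunk, so the wording should be checked against any early-return path that skips the kfree() calls. As a minor style point, the ternary is missing a space before the colon: `return ret ? -EFAULT : 0;`.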
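Review bot: In the else branch of shiftfs_btrfs_ioctl_fd_replace(), v1 and v2 are freed by shiftfs_btrfs_ioctl_fd_restore() (its kfree() calls are visible in the first hunk), yet *b1 and *b2 are not reset on this path. If either out-parameter was assigned earlier in the function, which is outside this hunk, the caller is left holding a dangling pointer, and safety then depends on every caller treating the negative return as final. Clearing them after the restore call with `*b1 = NULL; *b2 = NULL;` would make a later kfree() or restore on the same pointers harmless. The return value of the restore call is also dropped here; a short comment saying that -EFAULT is reported regardless would document that this is deliberate.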