From 52563d3f736f9a8965382c2a04f42bd9f2c76d5c Mon Sep 17 00:00:00 2001
From: Auke Kok
Date: Wed, 5 Mar 2025 15:15:02 -0800
Subject: [PATCH] Address double copy_to_user, possible 1-byte leak.

We shouldn't copy the entire _dirent struct and then copy in the name again right after, just stop at offsetoff(struct, name). Now that we're no longer copying the uninitialized name[3] from ent, there is no more possible 1-byte leak here, too.

Signed-off-by: Auke Kok
---
 kmod/src/ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kmod/src/ioctl.c b/kmod/src/ioctl.c
index 432e6d37..a7423362 100644
--- a/kmod/src/ioctl.c
+++ b/kmod/src/ioctl.c
@@ -1372,7 +1372,7 @@ static long scoutfs_ioc_get_referring_entries(struct file *file, unsigned long a
 ent.d_type = bref->d_type;
 ent.name_len = name_len;
-if (copy_to_user(uent, &ent, sizeof(struct scoutfs_ioctl_dirent)) ||
+if (copy_to_user(uent, &ent, offsetof(struct scoutfs_ioctl_dirent, name[0])) ||
 copy_to_user(&uent->name[0], bref->dent.name, name_len) ||
 put_user('\0', &uent->name[name_len])) {
 ret = -EFAULT;
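Review bot: The new copy_to_user of offsetof(struct scoutfs_ioctl_dirent, name[0]) bytes still pushes any padding bytes inside `ent` to user space, so the info-leak is fully closed only if `ent` is cleared (e.g. `memset(&ent, 0, sizeof(ent));`) before the field assignments visible at the top of the hunk; the declaration of `ent` is outside the hunk, so the diff alone cannot confirm that, and a `= {0}` initializer does not guarantee zeroed padding. Whether the struct has padding between the fields set here and `name` depends on its layout in the UAPI header, which is not shown, so this is a point to verify rather than a confirmed defect. As a matter of style, `offsetof(struct scoutfs_ioctl_dirent, name)` is the conventional spelling and is equivalent to the `name[0]` form used here. scoutfs_ioc_get_referring_entries starts and ends outside the hunk.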