@@ -2582,8 +2582,7 @@ static void shrink_submounts(struct mount *mnt)
}
/* Copy the mount options string. Always returns a full page padded
- * with nulls. If the input string is a full page or more, it may be
- * truncated and the result will not be null-terminated.
+ * with nulls and guarantees that the result is null-terminated.
*/
void *copy_mount_options(const void __user *data)
{
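Review bot: The updated header comment for copy_mount_options() states the termination guarantee but not the new failure mode, so a caller reading only the comment would not know that an over-long string is now rejected. I would add a line such as `* Returns ERR_PTR(-EINVAL) if the string, including its terminator, does not fit in one page.` The third hunk removes the forced terminator in do_mount() on the strength of this guarantee. Any path that hands do_mount() a data page not produced by this function would need checking, and those callers are not visible here. The function body continues outside this hunk.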
@@ -2601,7 +2600,12 @@ void *copy_mount_options(const void __user *data)
if (size < 0)
return ERR_PTR(size);
- /* If we got less than PAGE_SIZE bytes, zero out the remainder. */
+ if (size >= PAGE_SIZE) {
+ kfree(copy);
+ return ERR_PTR(-EINVAL);
+ }
+
+ /* Pad with zeros. */
memset(copy + size, 0, PAGE_SIZE);
return copy;
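Review bot: The padding call `memset(copy + size, 0, PAGE_SIZE);` keeps a length of PAGE_SIZE even though it starts `size` bytes into the buffer. If `copy` is a single-page allocation (the allocation is outside this hunk), it writes up to `size` bytes past the end for any non-empty option string. With the new `size >= PAGE_SIZE` rejection in place the remainder is always at least one byte, so the call can be `memset(copy + size, 0, PAGE_SIZE - size);`. Separately, the new branch frees `copy` before returning, while the `size < 0` path just above returns `ERR_PTR(size)` without a visible `kfree(copy)`. If the buffer is already allocated at that point, that path leaks it.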
@@ -2637,10 +2641,6 @@ long do_mount(const char *dev_name, const char __user *dir_name,
if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
flags &= ~MS_MGC_MSK;
- /* Basic sanity checks */
- if (data_page)
- ((char *)data_page)[PAGE_SIZE - 1] = 0;
-
/* ... and get the mountpoint */
retval = user_path(dir_name, &path);
if (retval)
We used to truncate the string. Make the behaviour of mount() more predictable: return -EINVAL if the string is too long. Signed-off-by: Andy Lutomirski <luto@kernel.org> --- fs/namespace.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)