
[v2,2/2] fs: Disallow mount options strings longer than PAGE_SIZE - 1

Message ID 729cc8635d7927ecbe81b3bdb337e31ee61a1e14.1465871650.git.luto@kernel.org (mailing list archive)
State New, archived

Commit Message

Andy Lutomirski June 14, 2016, 2:36 a.m. UTC
We used to truncate the string.  Make the behaviour of mount() more
predictable: return -EINVAL if the string is too long.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 fs/namespace.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

Patch

diff --git a/fs/namespace.c b/fs/namespace.c
index 8644f1961ca6..96e6b09df7d1 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2582,8 +2582,7 @@  static void shrink_submounts(struct mount *mnt)
 }
 
 /* Copy the mount options string.  Always returns a full page padded
- * with nulls.  If the input string is a full page or more, it may be
- * truncated and the result will not be null-terminated.
+ * with nulls and guarantees that the result is null-terminated.
  */
 void *copy_mount_options(const void __user *data)
 {
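Review bot: The rewritten comment above copy_mount_options() states the null-termination guarantee but not the new failure mode that provides it. A caller reading only this comment would not learn that an over-long string is now rejected instead of truncated; consider adding ` * Returns ERR_PTR(-EINVAL) if the string does not fit in PAGE_SIZE - 1 bytes.` before the closing `*/`. The function body continues outside this hunk, so the other error return visible in the next hunk (`ERR_PTR(size)`) may be worth documenting in the same place.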
@@ -2603,7 +2602,12 @@  void *copy_mount_options(const void __user *data)
 		return ERR_PTR(size);
 	}
 
-	/* If we got less than PAGE_SIZE bytes, zero out the remainder. */
+	if (size >= PAGE_SIZE) {
+		kfree(copy);
+		return ERR_PTR(-EINVAL);
+	}
+
+	/* Pad with zeros. */
 	memset(copy + size, 0, PAGE_SIZE - size);
 
 	return copy;
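Review bot: The `size >= PAGE_SIZE` rejection is only correct if `size` is the length of a NUL-terminated string, and the hunk does not show how `size` is computed because the start of copy_mount_options() is outside it. If any filesystem still passes a binary structure as mount data (the ones marked FS_BINARY_MOUNTDATA, as far as I can tell), a blob with no zero byte in its first page would now fail with -EINVAL where it previously mounted. Please confirm that case is handled or intentionally dropped, and say so in the commit message. A short comment on the check would also help, e.g. `/* No NUL within the first page: refuse rather than silently truncate. */`.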
@@ -2639,10 +2643,6 @@  long do_mount(const char *dev_name, const char __user *dir_name,
 	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
 		flags &= ~MS_MGC_MSK;
 
-	/* Basic sanity checks */
-	if (data_page)
-		((char *)data_page)[PAGE_SIZE - 1] = 0;
-
 	/* ... and get the mountpoint */
 	retval = user_path(dir_name, &path);
 	if (retval)
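Review bot: Removing the forced `((char *)data_page)[PAGE_SIZE - 1] = 0` makes do_mount() trust that every caller obtained `data_page` from copy_mount_options(), but nothing in the visible code states or enforces that. A caller that builds the page some other way would hand an unterminated buffer to the filesystem option parsers, which is the kind of over-read the old line guarded against. Consider documenting the precondition on do_mount(), or keeping a cheap assertion such as `if (data_page && WARN_ON_ONCE(((char *)data_page)[PAGE_SIZE - 1])) return -EINVAL;`. The rest of do_mount() lies outside this hunk, so the full set of callers should be checked before relying on this.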