From: Kees Cook <kees@kernel.org>
To: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: 李龙兴 <coregee2000@gmail.com>, "Theodore Ts'o" <tytso@mit.edu>,
"Andreas Dilger" <adilger.kernel@dilger.ca>,
linux-ext4@vger.kernel.org, syzkaller@googlegroups.com,
andy@kernel.org, akpm@linux-foundation.org,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [Kernel Bug] WARNING in ext4_fill_super
Date: Fri, 6 Feb 2026 12:36:29 -0800 [thread overview]
Message-ID: <202602061229.D90563C500@keescook> (raw)
In-Reply-To: <202602061152.EAAF56214@keescook>
On Fri, Feb 06, 2026 at 11:53:09AM -0800, Kees Cook wrote:
> On Fri, Feb 06, 2026 at 11:29:11AM -0800, Kees Cook wrote:
> > But I can't figure out where that comes from. Seems like fs_parse(), but
> > I don't see where mount option strings would come through...
>
> Oh! This is coming directly from disk. So we need an in-place sanity
> check. How about this?
>
>
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 87205660c5d0..9ad6005615d8 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -2485,6 +2485,13 @@ static int parse_apply_sb_mount_options(struct super_block *sb,
> if (!sbi->s_es->s_mount_opts[0])
> return 0;
>
> + if (strnlen(sbi->s_es->s_mount_opts, sizeof(sbi->s_es->s_mount_opts)) ==
> + sizeof(sbi->s_es->s_mount_opts)) {
> + ext4_msg(sb, KERN_ERR,
> + "Mount options in superblock are not NUL-terminated");
> + return -EINVAL;
> + }
> +
> if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts) < 0)
> return -E2BIG;
Oh, wait. I see these commits now:
8ecb790ea8c3 ("ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()")
ee5a977b4e77 ("ext4: fix string copying in parse_apply_sb_mount_options()")
Ugh, the history is that fundamentally s_mount_opts should be
__nonstring. Old code handled this fine (by using kstrndup), but when
ioctl get/set was added in commit 04a91570ac67 ("ext4: implemet new
ioctls to set and get superblock parameters"), s_mount_opts started
being treated as a C string, which would lead to over-reads (due to lack
of NUL-termination).
So, should on-disk s_mount_opts be required to be NUL-terminated? I
would argue yes, since right now a mount of such a thing will crash with
the reported failure in this thread. So likely, my proposed fix is the
best option?
-Kees
--
Kees Cook
prev parent reply other threads:[~2026-02-06 20:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-02 4:19 [Kernel Bug] WARNING in ext4_fill_super 李龙兴
2026-02-06 14:20 ` Andy Shevchenko
2026-02-06 15:08 ` Andy Shevchenko
2026-02-06 15:12 ` Andy Shevchenko
2026-02-06 19:29 ` Kees Cook
2026-02-06 19:53 ` Kees Cook
2026-02-06 20:36 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202602061229.D90563C500@keescook \
--to=kees@kernel.org \
--cc=adilger.kernel@dilger.ca \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@intel.com \
--cc=andy@kernel.org \
--cc=coregee2000@gmail.com \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.