[PATCH 09/16] fuse2fs: fix memory corruption when parsing mount options

["Darrick J. Wong" <djwong@kernel.org>]

From: Darrick J. Wong <djwong@kernel.org>

struct fuse_opt has this interesting behavior -- if you set the offset
field to a non-negative value, then it will treat that value as a byte
offset into the data parameter that is passed to fuse_opt_parse.

Unfortnately, process_opt computes a pointer from ((char *)data +
offset), casts that to an int pointer(!), and dereferences the int
pointer to set the value.  Therefore, we cannot have uint8_t fields in
struct fuse2fs because that will lead to subtle memory corruption.

Cc: <linux-ext4@vger.kernel.org> # v1.47.3
Fixes: c7f2688540d95e ("fuse2fs: compact all the boolean flags in struct fuse2fs")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
---
 misc/fuse2fs.c |   24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)


diff --git a/misc/fuse2fs.c b/misc/fuse2fs.c
index 0a862ea086cbde..868b889912857d 100644
--- a/misc/fuse2fs.c
+++ b/misc/fuse2fs.c
@@ -217,17 +217,19 @@ struct fuse2fs {
 	pthread_mutex_t bfl;
 	char *device;
 	char *shortdev;
-	uint8_t ro;
-	uint8_t debug;
-	uint8_t no_default_opts;
-	uint8_t panic_on_error;
-	uint8_t minixdf;
-	uint8_t fakeroot;
-	uint8_t alloc_all_blocks;
-	uint8_t norecovery;
-	uint8_t kernel;
-	uint8_t directio;
-	uint8_t acl;
+
+	/* options set by fuse_opt_parse must be of type int */
+	int ro;
+	int debug;
+	int no_default_opts;
+	int panic_on_error;
+	int minixdf;
+	int fakeroot;
+	int alloc_all_blocks;
+	int norecovery;
+	int kernel;
+	int directio;
+	int acl;
 
 	int logfd;
 	int blocklog;