* Re: [Kernel Bug] WARNING in ext4_fill_super
[not found] ` <aYYE4iLTXZw5t0w_@smile.fi.intel.com>
@ 2026-02-06 19:29 ` Kees Cook
2026-02-06 19:53 ` Kees Cook
0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2026-02-06 19:29 UTC (permalink / raw)
To: Andy Shevchenko
Cc: 李龙兴, Theodore Ts'o, Andreas Dilger,
linux-ext4, syzkaller, andy, akpm, linux-hardening, linux-kernel,
linux-fsdevel
On Fri, Feb 06, 2026 at 05:12:34PM +0200, Andy Shevchenko wrote:
> On Fri, Feb 06, 2026 at 05:08:19PM +0200, Andy Shevchenko wrote:
> > On Fri, Feb 06, 2026 at 04:20:15PM +0200, Andy Shevchenko wrote:
> > > On Mon, Feb 02, 2026 at 12:19:45PM +0800, 李龙兴 wrote:
> > > > Dear Linux kernel developers and maintainers,
> > > >
> > > > We would like to report a new kernel bug found by our tool. The issue
> > > > is a WARNING in ext4_fill_super. Details are as follows.
> > >
> > > First of all, the warning appears in parse_apply_sb_mount_options().
> [...]
> Actually, the documentation says that strscpy*() must be used against C-strings.
> This can explain the bug, id est the given string in mount options is not
> NUL-terminated. That's where bug may come from. So, the Q is why is mount options
> not NUL-terminated when it comes to ext4_fill_super()?
parse_apply_sb_mount_options(...):
...
char s_mount_opts[64];
...
if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts) < 0)
return -E2BIG;
Is sbi->s_es->s_mount_opts expected to be a C string? If not, this
strscpy_pad() should likely be memtostr_pad(). (s_mount_opts is expected
to be a C string based on its use with later C string API calls.)
It seems like s_mount_opts is expected to be a C string, I can see it
being used that way in lots of other places, e.g.:
fs/ext4/ioctl.c: strscpy_pad(ret.mount_opts, es->s_mount_opts);
fs/ext4/ioctl.c: strscpy_pad(es->s_mount_opts, params->mount_opts);
fs/ext4/super.c: if (!sbi->s_es->s_mount_opts[0])
fs/ext4/super.c: if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts) < 0)
I can't tell where es->s_mount_opts comes from originally?
This one:
fs/ext4/ioctl.c: strscpy_pad(es->s_mount_opts, params->mount_opts);
comes through ext4_ioctl_set_tune_sb() which has:
if (strnlen(params.mount_opts, sizeof(params.mount_opts)) ==
sizeof(params.mount_opts))
return -E2BIG;
So it's already checked for, and suggests it must be NUL-terminated.
> > > > loop4: detected capacity change from 0 to 514
> > > > ------------[ cut here ]------------
> > > > strnlen: detected buffer overflow: 65 byte read of buffer size 64
> > > > WARNING: CPU: 0 PID: 12320 at lib/string_helpers.c:1035
> > > > __fortify_report+0x9c/0xd0 lib/string_helpers.c:1035
> > > > [...]
> > > > Call Trace:
> > > > <TASK>
> > > > __fortify_panic+0x23/0x30 lib/string_helpers.c:1042
> > > > strnlen include/linux/fortify-string.h:235 [inline]
> > > > sized_strscpy include/linux/fortify-string.h:309 [inline]
> > > > parse_apply_sb_mount_options fs/ext4/super.c:2486 [inline]
> > > > __ext4_fill_super fs/ext4/super.c:5306 [inline]
> > > > ext4_fill_super+0x3972/0xaf70 fs/ext4/super.c:5736
> > > > get_tree_bdev_flags+0x38c/0x620 fs/super.c:1698
> > > > vfs_get_tree+0x8e/0x340 fs/super.c:1758
> > > > fc_mount fs/namespace.c:1199 [inline]
> > > > do_new_mount_fc fs/namespace.c:3642 [inline]
So, something via do_new_mount_fc? Probably:
static int ext4_fill_super(struct super_block *sb, struct fs_context *fc)
which calls __ext4_fill_super(), and eventually
parse_apply_sb_mount_options(). Which depends on:
struct ext4_fs_context *ctx = fc->fs_private;
But I can't figure out where that comes from. Seems like fs_parse(), but
I don't see where mount option strings would come through...
Anyone more familiar with this know?
-Kees
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Kernel Bug] WARNING in ext4_fill_super
2026-02-06 19:29 ` [Kernel Bug] WARNING in ext4_fill_super Kees Cook
@ 2026-02-06 19:53 ` Kees Cook
2026-02-06 20:36 ` Kees Cook
0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2026-02-06 19:53 UTC (permalink / raw)
To: Andy Shevchenko
Cc: 李龙兴, Theodore Ts'o, Andreas Dilger,
linux-ext4, syzkaller, andy, akpm, linux-hardening, linux-kernel,
linux-fsdevel
On Fri, Feb 06, 2026 at 11:29:11AM -0800, Kees Cook wrote:
> But I can't figure out where that comes from. Seems like fs_parse(), but
> I don't see where mount option strings would come through...
Oh! This is coming directly from disk. So we need an in-place sanity
check. How about this?
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 87205660c5d0..9ad6005615d8 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2485,6 +2485,13 @@ static int parse_apply_sb_mount_options(struct super_block *sb,
if (!sbi->s_es->s_mount_opts[0])
return 0;
+ if (strnlen(sbi->s_es->s_mount_opts, sizeof(sbi->s_es->s_mount_opts)) ==
+ sizeof(sbi->s_es->s_mount_opts)) {
+ ext4_msg(sb, KERN_ERR,
+ "Mount options in superblock are not NUL-terminated");
+ return -EINVAL;
+ }
+
if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts) < 0)
return -E2BIG;
--
Kees Cook
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Kernel Bug] WARNING in ext4_fill_super
2026-02-06 19:53 ` Kees Cook
@ 2026-02-06 20:36 ` Kees Cook
0 siblings, 0 replies; 3+ messages in thread
From: Kees Cook @ 2026-02-06 20:36 UTC (permalink / raw)
To: Andy Shevchenko
Cc: 李龙兴, Theodore Ts'o, Andreas Dilger,
linux-ext4, syzkaller, andy, akpm, linux-hardening, linux-kernel,
linux-fsdevel
On Fri, Feb 06, 2026 at 11:53:09AM -0800, Kees Cook wrote:
> On Fri, Feb 06, 2026 at 11:29:11AM -0800, Kees Cook wrote:
> > But I can't figure out where that comes from. Seems like fs_parse(), but
> > I don't see where mount option strings would come through...
>
> Oh! This is coming directly from disk. So we need an in-place sanity
> check. How about this?
>
>
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 87205660c5d0..9ad6005615d8 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -2485,6 +2485,13 @@ static int parse_apply_sb_mount_options(struct super_block *sb,
> if (!sbi->s_es->s_mount_opts[0])
> return 0;
>
> + if (strnlen(sbi->s_es->s_mount_opts, sizeof(sbi->s_es->s_mount_opts)) ==
> + sizeof(sbi->s_es->s_mount_opts)) {
> + ext4_msg(sb, KERN_ERR,
> + "Mount options in superblock are not NUL-terminated");
> + return -EINVAL;
> + }
> +
> if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts) < 0)
> return -E2BIG;
Oh, wait. I see these commits now:
8ecb790ea8c3 ("ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()")
ee5a977b4e77 ("ext4: fix string copying in parse_apply_sb_mount_options()")
Ugh, the history is that fundamentally s_mount_opts should be
__nonstring. Old code handled this fine (by using kstrndup), but when
ioctl get/set was added in commit 04a91570ac67 ("ext4: implemet new
ioctls to set and get superblock parameters"), s_mount_opts started
being treated as a C string, which would lead to over-reads (due to lack
of NUL-termination).
So, should on-disk s_mount_opts be required to be NUL-terminated? I
would argue yes, since right now a mount of such a thing will crash with
the reported failure in this thread. So likely, my proposed fix is the
best option?
-Kees
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-02-06 20:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CAHPqNmzBb2LruMA6jymoHXQRsoiAKMFZ1wVEz8JcYKg4U6TBbw@mail.gmail.com>
[not found] ` <aYX4n42gmy75aw4Y@smile.fi.intel.com>
[not found] ` <aYYD3rxyIfdH2R-d@smile.fi.intel.com>
[not found] ` <aYYE4iLTXZw5t0w_@smile.fi.intel.com>
2026-02-06 19:29 ` [Kernel Bug] WARNING in ext4_fill_super Kees Cook
2026-02-06 19:53 ` Kees Cook
2026-02-06 20:36 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox