From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-pf0-f176.google.com ([209.85.192.176]:35091 "EHLO mail-pf0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752084AbcKRU2j (ORCPT ); Fri, 18 Nov 2016 15:28:39 -0500
Received: by mail-pf0-f176.google.com with SMTP id i88so55931853pfk.2 for ; Fri, 18 Nov 2016 12:28:39 -0800 (PST)
Date: Fri, 18 Nov 2016 12:27:33 -0800
From: Eric Biggers
To: Theodore Ts'o
Cc: Ext4 Developers List , kernel@kyup.com, bp@alien8.de, stable@vger.kernel.org
Subject: Re: [PATCH 2/4] ext4: fix in-superblock mount options processing
Message-ID: <20161118202733.GA100623@google.com>
References: <20161118183842.25682-1-tytso@mit.edu> <20161118183842.25682-2-tytso@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20161118183842.25682-2-tytso@mit.edu>
Sender: stable-owner@vger.kernel.org
List-ID:

On Fri, Nov 18, 2016 at 01:38:40PM -0500, Theodore Ts'o wrote:
> Fix a large number of problems with how we handle mount options in the
> superblock. For one, if the string in the superblock is long enough
> that it is not null terminated, we could run off the end of the string
> and try to interpret superblocks fields as characters. It's unlikely
> this will cause a security problem, but it could result in an invalid
> parse. Also, parse_options is destructive to the string, so in some
> cases if there is a comma-separated string, it would be modified in
> the superblock. (Fortunately it only happens on file systems with a
> 1k block size.)
>
> Signed-off-by: Theodore Ts'o
> Cc: stable@vger.kernel.org

Reviewed-by: Eric Biggers
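
The two problems the quoted commit message describes (an option field with no terminating NUL, and a parser that modifies its input), shown as an added user-space illustration that is not code from the patch or the kernel. The names `fake_sb`, `count_options` and `parse_sb_options`, the 64-byte field size and the sample option strings are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MOUNT_OPTS_LEN 64 /* assumed size of the fixed on-disk option field */

/* Constructed stand-in for a superblock, not the real ext4 layout. */
struct fake_sb {
    char mount_opts[MOUNT_OPTS_LEN]; /* may use every byte, leaving no NUL */
    char next_field[8];              /* unrelated data directly behind it */
};

/* Destructive tokenizer: overwrites each ',' with NUL in the buffer it is
 * given and relies on NUL termination. Returns the number of options. */
static int count_options(char *opts)
{
    int n = 0;
    while (opts) {
        char *comma = strchr(opts, ',');
        if (comma) *comma++ = '\0';
        if (*opts) n++;
        opts = comma;
    }
    return n;
}

/* Bounded, non-destructive path: copy at most the field size into a
 * NUL-terminated scratch buffer and parse the copy. -1 if malloc fails. */
static int parse_sb_options(const struct fake_sb *sb)
{
    const char *end = memchr(sb->mount_opts, '\0', sizeof(sb->mount_opts));
    size_t len = end ? (size_t)(end - sb->mount_opts) : sizeof(sb->mount_opts);
    char *copy = malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, sb->mount_opts, len);
    copy[len] = '\0'; /* terminator lives in the copy, not the superblock */
    int n = count_options(copy);
    free(copy);
    return n;
}

int main(void)
{
    struct fake_sb sb;
    memset(sb.mount_opts, 'x', sizeof(sb.mount_opts)); /* full field, no NUL */
    sb.mount_opts[10] = sb.mount_opts[20] = ',';
    memcpy(sb.next_field, ",junk", 6); /* would be read as a 4th option */
    printf("options parsed from bounded copy: %d\n", parse_sb_options(&sb));
    return 0;
}
```

Calling `count_options()` directly on `sb.mount_opts` instead would both depend on a terminator that may not exist and replace the commas in the stored field.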