From: "Darrick J. Wong" <djwong@kernel.org>
To: tytso@mit.edu
Cc: linux-ext4@vger.kernel.org, linux-api@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH 1/3] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Date: Thu, 11 Sep 2025 15:27:00 -0700 [thread overview]
Message-ID: <20250911222700.GC8084@frogsfrogsfrogs> (raw)
In-Reply-To: <20250908-tune2fs-v1-1-e3a6929f3355@mit.edu>
On Mon, Sep 08, 2025 at 11:15:48PM -0400, Theodore Ts'o via B4 Relay wrote:
> From: Theodore Ts'o <tytso@mit.edu>
>
> Unlike other strings in the ext4 superblock, we rely on tune2fs to
> make sure s_mount_opts is NUL terminated. Harden
> parse_apply_sb_mount_options() by treating s_mount_opts as a potential
> __nonstring.
Uh.... does that mean that a filesystem with exactly 64 bytes worth of
mount option string (and no trailing null) could do something malicious?
My guess is that s_usr_quota_inum mostly saves us, but a nastycrafted
filesystem with more than 2^24 inodes could cause an out of bounds
memory access? But that most likely will just fail the mount option
parser anyway?
--D
>
> Cc: stable@vger.kernel.org
> Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock")
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> ---
> fs/ext4/super.c | 17 +++++------------
> 1 file changed, 5 insertions(+), 12 deletions(-)
>
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 699c15db28a82f26809bf68533454a242596f0fd..94c98446c84f9a4614971d246ca7f001de610a8a 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -2460,7 +2460,7 @@ static int parse_apply_sb_mount_options(struct super_block *sb,
> struct ext4_fs_context *m_ctx)
> {
> struct ext4_sb_info *sbi = EXT4_SB(sb);
> - char *s_mount_opts = NULL;
> + char s_mount_opts[65];
> struct ext4_fs_context *s_ctx = NULL;
> struct fs_context *fc = NULL;
> int ret = -ENOMEM;
> @@ -2468,15 +2468,11 @@ static int parse_apply_sb_mount_options(struct super_block *sb,
> if (!sbi->s_es->s_mount_opts[0])
> return 0;
>
> - s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
> - sizeof(sbi->s_es->s_mount_opts),
> - GFP_KERNEL);
> - if (!s_mount_opts)
> - return ret;
> + strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts);
>
> fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL);
> if (!fc)
> - goto out_free;
> + return -ENOMEM;
>
> s_ctx = kzalloc(sizeof(struct ext4_fs_context), GFP_KERNEL);
> if (!s_ctx)
> @@ -2508,11 +2504,8 @@ static int parse_apply_sb_mount_options(struct super_block *sb,
> ret = 0;
>
> out_free:
> - if (fc) {
> - ext4_fc_free(fc);
> - kfree(fc);
> - }
> - kfree(s_mount_opts);
> + ext4_fc_free(fc);
> + kfree(fc);
> return ret;
> }
>
>
> --
> 2.51.0
>
>
>
next prev parent reply other threads:[~2025-09-11 22:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-09 3:15 [PATCH 0/3] ext4: Add support for mounted updates to the superblock via an ioctl Theodore Ts'o via B4 Relay
2025-09-09 3:15 ` [PATCH 1/3] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Theodore Ts'o via B4 Relay
2025-09-11 22:27 ` Darrick J. Wong [this message]
2025-09-12 2:12 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250911222700.GC8084@frogsfrogsfrogs \
--to=djwong@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox