From: "Theodore Ts'o" <tytso@mit.edu>
To: "Darrick J. Wong" <djwong@kernel.org>
Cc: linux-ext4@vger.kernel.org, linux-api@vger.kernel.org,
stable@vger.kernel.org, Kees Cook <keescook@chromium.org>,
jannh@google.com
Subject: Re: [PATCH 1/3] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Date: Thu, 11 Sep 2025 22:12:27 -0400 [thread overview]
Message-ID: <20250912021227.GB3703006@mit.edu> (raw)
In-Reply-To: <20250911222700.GC8084@frogsfrogsfrogs>
On Thu, Sep 11, 2025 at 03:27:00PM -0700, Darrick J. Wong wrote:
> On Mon, Sep 08, 2025 at 11:15:48PM -0400, Theodore Ts'o via B4 Relay wrote:
> > From: Theodore Ts'o <tytso@mit.edu>
> >
> > Unlike other strings in the ext4 superblock, we rely on tune2fs to
> > make sure s_mount_opts is NUL terminated. Harden
> > parse_apply_sb_mount_options() by treating s_mount_opts as a potential
> > __nonstring.
>
> Uh.... does that mean that a filesystem with exactly 64 bytes worth of
> mount option string (and no trailing null) could do something malicious?
Maybe.... I'm surprised syzkaller hasn't managed to create a
maliciously fuzzed file system along these lines.
This was one of the things that I found while I was poking about in
code that I hadn't examined in years. And I guess the kernel
hardening folks have been looking for strndup() as a deprecated
interface, but apparently they haven't targetted kstrndup() yet.
> My guess is that s_usr_quota_inum mostly saves us, but a nastycrafted
> filesystem with more than 2^24 inodes could cause an out of bounds
> memory access? But that most likely will just fail the mount option
> parser anyway?
Actually, s_usr_quota_inum won't help, because s_mount_opts is copied
into allocated memory using kstrndup(). So the buffer overrun is
going to be in the allocated memory buffer, and since parse_options()
uses strsep() it could potentially modify an adajacent string/buffer
by replacing ',' and '=' bytes with NUL characters. I'll leave to
security engineers to see if they can turn it into a usuable exploit,
although I've always said that mounting untrusted file systems isn't a
wise thing for a paranoid system administrator to do/allow, which is
why I'm a big fan of your fuse2fs work. :-)
- Ted
prev parent reply other threads:[~2025-09-12 2:12 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-09 3:15 [PATCH 0/3] ext4: Add support for mounted updates to the superblock via an ioctl Theodore Ts'o via B4 Relay
2025-09-09 3:15 ` [PATCH 1/3] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Theodore Ts'o via B4 Relay
2025-09-11 22:27 ` Darrick J. Wong
2025-09-12 2:12 ` Theodore Ts'o [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250912021227.GB3703006@mit.edu \
--to=tytso@mit.edu \
--cc=djwong@kernel.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox