On 24/10/2022 00:39, Hawkins Jiawei wrote:
According to commit "vfs: parse: deal with zero length string value",
kernel will set the param->string to null pointer in vfs_parse_fs_string()
if fs string has zero length.
Yet the problem is that, ceph_parse_mount_param() will dereferences the
param->string, without checking whether it is a null pointer, which may
trigger a null-ptr-deref bug.
This patch solves it by adding sanity check on param->string
in ceph_parse_mount_param().
Signed-off-by: Hawkins Jiawei <yin31149@xxxxxxxxx>
---
fs/ceph/super.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ceph/super.c b/fs/ceph/super.c
index 3fc48b43cab0..341e23fe29eb 100644
--- a/fs/ceph/super.c
+++ b/fs/ceph/super.c
@@ -417,6 +417,9 @@ static int ceph_parse_mount_param(struct fs_context *fc,
param->string = NULL;
break;
case Opt_mds_namespace:
+ if (!param->string)
+ return invalfc(fc, "Bad value '%s' for mount option '%s'\n",
+ param->string, param->key);
if (!namespace_equals(fsopt, param->string, strlen(param->string)))
return invalfc(fc, "Mismatching mds_namespace");
kfree(fsopt->mds_namespace);
BTW, did you hit any crash issue when testing this ?
$ ./bin/mount.ceph :/ /mnt/kcephfs -o mds_namespace=
<5>[ 375.535442] ceph: module verification failed: signature and/or
required key missing - tainting kernel
<6>[ 375.698145] ceph: loaded (mds proto 32)
<3>[ 375.801621] ceph: Bad value for 'mds_namespace'
From my test, the 'fsparam_string()' has already make sure it won't
trigger the null-ptr-deref bug.
But it will always make sense to fix it in ceph code with your patch.
- Xiubo