We used to truncate the string. Make the behaviour of mount() more predictable: return -EINVAL if the string is too long. Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx> --- fs/namespace.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index dfb5f370f2fa..0467f461dbd8 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2582,8 +2582,7 @@ static void shrink_submounts(struct mount *mnt) } /* Copy the mount options string. Always returns a full page padded - * with nulls. If the input string is a full page or more, it may be - * truncated and the result will not be null-terminated. + * with nulls and guarantees that the result is null-terminated. */ void *copy_mount_options(const void __user *data) { @@ -2601,7 +2600,12 @@ void *copy_mount_options(const void __user *data) if (size < 0) return ERR_PTR(size); - /* If we got less than PAGE_SIZE bytes, zero out the remainder. */ + if (size >= PAGE_SIZE) { + kfree(copy); + return ERR_PTR(-EINVAL); + } + + /* Pad with zeros. */ memset(copy + size, 0, PAGE_SIZE); return copy; @@ -2637,10 +2641,6 @@ long do_mount(const char *dev_name, const char __user *dir_name, if ((flags & MS_MGC_MSK) == MS_MGC_VAL) flags &= ~MS_MGC_MSK; - /* Basic sanity checks */ - if (data_page) - ((char *)data_page)[PAGE_SIZE - 1] = 0; - /* ... and get the mountpoint */ retval = user_path(dir_name, &path); if (retval) -- 2.5.5 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html