[PATCH v2 2/2] fs: Disallow mount options strings longer than PAGE_SIZE - 1

We used to truncate the string.  Make the behaviour of mount() more
predictable: return -EINVAL if the string is too long.

Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>
---
 fs/namespace.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 8644f1961ca6..96e6b09df7d1 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2582,8 +2582,7 @@ static void shrink_submounts(struct mount *mnt)
 }
 
 /* Copy the mount options string.  Always returns a full page padded
- * with nulls.  If the input string is a full page or more, it may be
- * truncated and the result will not be null-terminated.
+ * with nulls and guarantees that the result is null-terminated.
  */
 void *copy_mount_options(const void __user *data)
 {
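Review bot: the updated comment above copy_mount_options() still opens with "Always returns a full page", but the function now also has an -EINVAL path for a string that does not fit. The comment should state the limit (a string of at most PAGE_SIZE - 1 bytes) and say that the result can be an ERR_PTR that callers must check.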
@@ -2603,7 +2602,12 @@ void *copy_mount_options(const void __user *data)
 		return ERR_PTR(size);
 	}
 
-	/* If we got less than PAGE_SIZE bytes, zero out the remainder. */
+	if (size >= PAGE_SIZE) {
+		kfree(copy);
+		return ERR_PTR(-EINVAL);
+	}
+
+	/* Pad with zeros. */
 	memset(copy + size, 0, PAGE_SIZE - size);
 
 	return copy;
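Review bot: the new "if (size >= PAGE_SIZE)" check guarantees a terminator only if size is the string length excluding the NUL, and that is not visible in this hunk, so a short comment saying what size counts would make the off-by-one easy to verify. With that reading, the memset() that follows always writes at least one zero byte, which is what the new function comment promises. Since the line above returns ERR_PTR(size), size is presumably signed, so it is also worth confirming that a negative value can never reach this comparison against PAGE_SIZE.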
@@ -2639,10 +2643,6 @@ long do_mount(const char *dev_name, const char __user *dir_name,
 	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
 		flags &= ~MS_MGC_MSK;
 
-	/* Basic sanity checks */
-	if (data_page)
-		((char *)data_page)[PAGE_SIZE - 1] = 0;
-
 	/* ... and get the mountpoint */
 	retval = user_path(dir_name, &path);
 	if (retval)
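Review bot: dropping the "((char *)data_page)[PAGE_SIZE - 1] = 0;" line from do_mount() means do_mount() now trusts whoever built data_page to have terminated it. That holds for buffers that come from copy_mount_options(), but any caller that fills data_page another way loses the guarantee. Either confirm in the changelog that every do_mount() caller passes a terminated page, or keep the store as a cheap defensive check.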
-- 
2.7.4
