On Wed, Jun 15, 2016 at 02:42:33PM -1000, Linus Torvalds wrote:
> On Wed, Jun 15, 2016 at 2:01 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> >
> > devtmpfsd does:
> >
> > *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options);
> >
> > where options points to the kernel stack. This is bad. do_mount_root
> > is similarly broken.
> >
> > Is there any reason that these things use sys_mount instead of do_mount?
>
> Not that I can see. But maybe copy_mount_options could also check for
> KERNEL_DS, and use a strncpy instead of a copy_from_user() for that
> case?
Well, strncpy() would make the function behave differently depending on
the FS being used if called from the kernel for the reason Al mentionned.
OK devtmpfsd() passes a string, but if it's the FS itself which decides
to stop on a zero when parsing mount options, we'd probably rather use
memcpy() instead to ensure a consistent behaviour, like this maybe ?
Willy
diff --git a/fs/namespace.c b/fs/namespace.c
index 4fb1691..058b856 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2622,6 +2622,12 @@ void *copy_mount_options(const void __user * data)
if (!copy)
return ERR_PTR(-ENOMEM);
+ /* do_mount() may be called from the kernel */
+ if (segment_eq(get_fs(), KERNEL_DS)) {
+ memcpy(copy, data, PAGE_SIZE);
+ return copy;
+ }
+
/* We only care that *some* data at the address the user
* gave us is valid. Just in case, we'll zero
* the remainder of the page.
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html