Re: [PATCH v2 1/2] fs: Improve and simplify copy_mount_options

On Wed, Jun 15, 2016 at 02:42:33PM -1000, Linus Torvalds wrote:
> On Wed, Jun 15, 2016 at 2:01 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> >
> > devtmpfsd does:
> >
> >         *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options);
> >
> > where options points to the kernel stack.  This is bad.  do_mount_root
> > is similarly broken.
> >
> > Is there any reason that these things use sys_mount instead of do_mount?
> 
> Not that I can see. But maybe copy_mount_options could also check for
> KERNEL_DS, and use a strncpy instead of a copy_from_user() for that
> case?

Well, strncpy() would make the function behave differently depending on
the FS being used if called from the kernel for the reason Al mentioned.
OK devtmpfsd() passes a string, but if it's the FS itself which decides
to stop on a zero when parsing mount options, we'd probably rather use
memcpy() instead to ensure a consistent behaviour, like this maybe?

Willy

diff --git a/fs/namespace.c b/fs/namespace.c
index 4fb1691..058b856 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2622,6 +2622,12 @@ void *copy_mount_options(const void __user * data)
 	if (!copy)
 		return ERR_PTR(-ENOMEM);
 
+	/* do_mount() may be called from the kernel */
+	if (segment_eq(get_fs(), KERNEL_DS)) {
+		memcpy(copy, data, PAGE_SIZE);
+		return copy;
+	}
+
 	/* We only care that *some* data at the address the user
 	 * gave us is valid.  Just in case, we'll zero
 	 * the remainder of the page.
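Review bot: the `memcpy(copy, data, PAGE_SIZE)` in the new KERNEL_DS branch always reads a full page from the source, but nothing in this hunk guarantees the in-kernel caller's buffer is that large. The devtmpfsd case quoted above passes a short string on the kernel stack, so this reads whatever follows it into `copy`, and can run past the end of the mapped region. The user path below is written to tolerate exactly that ("We only care that *some* data at the address the user gave us is valid" and the remainder is zeroed); the kernel branch has neither the fault tolerance nor the zero fill. Consider requiring in-kernel callers to hand in a page-sized, zero-padded buffer and documenting that in the comment, or having them bypass this copy entirely. Separately, `data` is declared `const void __user *` in the function signature, so passing it straight to `memcpy()` drops the address-space annotation; an explicit `__force` cast would make the intent visible to sparse.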
