From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1DDF0C433F5 for ; Thu, 16 Sep 2021 09:16:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 09C6661209 for ; Thu, 16 Sep 2021 09:16:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236407AbhIPJR2 (ORCPT ); Thu, 16 Sep 2021 05:17:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:41760 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236388AbhIPJQE (ORCPT ); Thu, 16 Sep 2021 05:16:04 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AD47560F93; Thu, 16 Sep 2021 09:14:42 +0000 (UTC) Date: Thu, 16 Sep 2021 11:14:40 +0200 From: Christian Brauner To: Vivek Goyal Cc: viro@zeniv.linux.org.uk, Linux fsdevel mailing list , linux kernel mailing list , Jan Kara , xu.xin16@zte.com.cn, Christoph Hellwig , zhang.yunkai@zte.com.cn Subject: Re: [PATCH] init/do_mounts.c: Harden split_fs_names() against buffer overflow Message-ID: <20210916091440.zk2qvdmldo6wkryi@wittgenstein> References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 15, 2021 at 11:22:04AM -0400, Vivek Goyal wrote: > split_fs_names() currently takes comma separated list of filesystems > and converts it into individual filesystem strings. Pleaces these > strings in the input buffer passed by caller and returns number of > strings. > > If caller manages to pass input string bigger than buffer, then we > can write beyond the buffer. Or if string just fits buffer, we will > still write beyond the buffer as we append a '\0' byte at the end. > > Will be nice to pass size of input buffer to split_fs_names() and > put enough checks in place so such buffer overrun possibilities > do not occur. > > Hence this patch adds "size" parameter to split_fs_names() and makes > sure we do not access memory beyond size. If input string "names" > is larger than passed in buffer, input string will be truncated to > fit in buffer. > > Reported-by: xu xin > Signed-off-by: Vivek Goyal > --- Strange but probably reasonable, Acked-by: Christian Brauner