Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

erofs: include the trailing NUL in FS_IOC_GETFSLABEL

erofs_ioctl_get_volume_label() passes strlen(sbi->volume_name) as
the length to copy_to_user(), which copies the label string without
the trailing NUL byte. Since FS_IOC_GETFSLABEL callers expect a
NUL-terminated string in the FSLABEL_MAX-sized buffer and may not
pre-zero the buffer, this can cause userspace to read past the label
into uninitialised stack memory.

Fix this by using strlen() + 1 to include the NUL terminator,
consistent with how ext4 and xfs implement FS_IOC_GETFSLABEL.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Fixes: 1cf12c717741 ("erofs: Add support for FS_IOC_GETFSLABEL")
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chunhai Guo <guochunhai@vivo.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

Authored by Zhan Xusheng and committed by Gao Xiang
d6250d49 5de6951f

+1 -1
fs/erofs/inode.c
··· 351 351 ret = clear_user(arg, 1); 352 352 else 353 353 ret = copy_to_user(arg, sbi->volume_name, 354 - strlen(sbi->volume_name)); 354 + strlen(sbi->volume_name) + 1); 355 355 return ret ? -EFAULT : 0; 356 356 } 357 357
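
Review bot: the new length `strlen(sbi->volume_name) + 1` passed to copy_to_user() is not bounded against FSLABEL_MAX anywhere in the lines shown, so this call now relies on the label plus its terminator always fitting in the FSLABEL_MAX-sized user buffer that the commit message describes. If that limit is enforced where sbi->volume_name is populated, a one-line comment above the call saying so would let a reader verify the bound without leaving this function. If it is not enforced there, the length should be clamped or checked before the copy. The empty-label branch, `clear_user(arg, 1)`, already writes exactly one NUL, so with this change both branches leave a terminated string in the caller's buffer. The bytes after the terminator remain whatever the caller had there, which is fine for callers that stop at the NUL.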