Hi Al,
Here's a patch which zeroes the last byte of the mount option data copied
from userspace during mount(2).
For filesystems which parse mount options as strings (the majority), lack
of a zero terminator could cause the page to be overrun. The source code
comments specify that the maximum size of the mount data is PAGE_SIZE-1,
so this patch will not affect any valid binary-formatted mount data.
Patch is against 2.6.2-rc1-mm2, and also applies to recent 2.4.
- James
--
James Morris
<[email protected]>
diff -urN -X dontdiff linux-2.6.2-rc1-mm2.o/fs/namespace.c linux-2.6.2-rc1-mm2.w/fs/namespace.c
--- linux-2.6.2-rc1-mm2.o/fs/namespace.c 2004-01-23 14:30:05.000000000 -0500
+++ linux-2.6.2-rc1-mm2.w/fs/namespace.c 2004-01-24 09:46:52.000919520 -0500
@@ -763,6 +763,9 @@
if (dev_name && !memchr(dev_name, 0, PAGE_SIZE))
return -EINVAL;
+ if (data_page)
+ ((char *)data_page)[PAGE_SIZE - 1] = 0;
+
/* Separate the per-mountpoint flags */
if (flags & MS_NOSUID)
mnt_flags |= MNT_NOSUID;