| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202602061152.EAAF56214@keescook>
Date: Fri, 6 Feb 2026 11:53:09 -0800
From: Kees Cook <kees@...nel.org>
To: Andy Shevchenko <andriy.shevchenko@...el.com>
Cc: 李龙兴 <coregee2000@...il.com>,
Theodore Ts'o <tytso@....edu>,
Andreas Dilger <adilger.kernel@...ger.ca>,
linux-ext4@...r.kernel.org, syzkaller@...glegroups.com,
andy@...nel.org, akpm@...ux-foundation.org,
linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: [Kernel Bug] WARNING in ext4_fill_super
On Fri, Feb 06, 2026 at 11:29:11AM -0800, Kees Cook wrote:
> But I can't figure out where that comes from. Seems like fs_parse(), but
> I don't see where mount option strings would come through...
Oh! This is coming directly from disk. So we need an in-place sanity
check. How about this?
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 87205660c5d0..9ad6005615d8 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2485,6 +2485,13 @@ static int parse_apply_sb_mount_options(struct super_block *sb,
if (!sbi->s_es->s_mount_opts[0])
return 0;
+ if (strnlen(sbi->s_es->s_mount_opts, sizeof(sbi->s_es->s_mount_opts)) ==
+ sizeof(sbi->s_es->s_mount_opts)) {
+ ext4_msg(sb, KERN_ERR,
+ "Mount options in superblock are not NUL-terminated");
+ return -EINVAL;
+ }
+
if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts) < 0)
return -E2BIG;
--
Kees Cook
Powered by blists - more mailing lists