Re: [PATCH] init/do_mounts.c: Harden split_fs_names() against buffer overflow

From: Christian Brauner
Date: Thu Sep 16 2021 - 05:16:10 EST


On Wed, Sep 15, 2021 at 11:22:04AM -0400, Vivek Goyal wrote:
> split_fs_names() currently takes comma separated list of filesystems
> and converts it into individual filesystem strings. Pleaces these
> strings in the input buffer passed by caller and returns number of
> strings.
>
> If caller manages to pass input string bigger than buffer, then we
> can write beyond the buffer. Or if string just fits buffer, we will
> still write beyond the buffer as we append a '\0' byte at the end.
>
> Will be nice to pass size of input buffer to split_fs_names() and
> put enough checks in place so such buffer overrun possibilities
> do not occur.
>
> Hence this patch adds "size" parameter to split_fs_names() and makes
> sure we do not access memory beyond size. If input string "names"
> is larger than passed in buffer, input string will be truncated to
> fit in buffer.
>
> Reported-by: xu xin <xu.xin16@xxxxxxxxxx>
> Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
> ---

Strange but probably reasonable,
Acked-by: Christian Brauner <christian.brauner@xxxxxxxxxx>