Unverified Commit a3bf0f28 authored by Junyoung Jang, committed by Christian Brauner

fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap
statmount_mnt_idmap() writes one mapping with seq_printf() and then
manually advances seq->count to include the NUL separator.

If seq_printf() overflows, seq_set_overflow() sets seq->count to
seq->size. The manual seq->count++ changes this to seq->size + 1.
seq_has_overflowed() then no longer detects the overflow. The corrupted
count returns to statmount_string(), which later executes:

    seq->buf[seq->count++] = '\0';

This causes a 1-byte NULL out-of-bounds write on the dynamically
allocated seq buffer.

Fix this by checking for overflow immediately after seq_printf().

Fixes: 37c4a959 ("statmount: allow to retrieve idmappings")
Signed-off-by: Junyoung Jang <graypanda.inzag@gmail.com>
Link: https://patch.msgid.link/20260504112649.1862936-1-graypanda.inzag@gmail.com

Signed-off-by: Christian Brauner <brauner@kernel.org>
parent 5d691905
+2 −0
@@ -375,6 +375,8 @@ int statmount_mnt_idmap(struct mnt_idmap *idmap, struct seq_file *seq, bool uid_
			continue;

		seq_printf(seq, "%u %u %u", extent->first, lower, extent->count);
		if (seq_has_overflowed(seq))
			return -EAGAIN;

		seq->count++; /* mappings are separated by \0 */
		if (seq_has_overflowed(seq))
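Review bot: the new `seq_has_overflowed()` check placed between `seq_printf()` and `seq->count++` deserves a one-line comment, because a reader sees two identical checks a few lines apart and will be tempted to drop one as redundant. The commit message explains the subtlety (on overflow `seq_set_overflow()` leaves `seq->count == seq->size`, and the unconditional `seq->count++` pushes it to `seq->size + 1`, which the later `seq_has_overflowed()` no longer recognises), but the hunk itself does not. Suggest annotating the added check, e.g.

	/* seq_printf() may have set count == size; bail before count++ hides it */
	if (seq_has_overflowed(seq))
		return -EAGAIN;

so the ordering constraint survives future refactoring. The early `-EAGAIN` return matches the error the existing post-increment check already uses, so callers see no new error code.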