Commit d6250d49 authored by Zhan Xusheng's avatar Zhan Xusheng Committed by Gao Xiang
Browse files

erofs: include the trailing NUL in FS_IOC_GETFSLABEL 



erofs_ioctl_get_volume_label() passes strlen(sbi->volume_name) as
the length to copy_to_user(), which copies the label string without
the trailing NUL byte.  Since FS_IOC_GETFSLABEL callers expect a
NUL-terminated string in the FSLABEL_MAX-sized buffer and may not
pre-zero the buffer, this can cause userspace to read past the label
into uninitialised stack memory.

Fix this by using strlen() + 1 to include the NUL terminator,
consistent with how ext4 and xfs implement FS_IOC_GETFSLABEL.

Signed-off-by: default avatarZhan Xusheng <zhanxusheng@xiaomi.com>
Fixes: 1cf12c71 ("erofs: Add support for FS_IOC_GETFSLABEL")
Reviewed-by: default avatarGao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: default avatarChunhai Guo <guochunhai@vivo.com>
Signed-off-by: default avatarGao Xiang <hsiangkao@linux.alibaba.com>
parent 5de6951f

fs/erofs/inode.c

+1 −1
Original line number Diff line number Diff line
@@ -351,7 +351,7 @@ static int erofs_ioctl_get_volume_label(struct inode *inode, void __user *arg) 
		ret = clear_user(arg, 1);

	else

		ret = copy_to_user(arg, sbi->volume_name,

				   strlen(sbi->volume_name));

				   strlen(sbi->volume_name) + 1);

	return ret ? -EFAULT : 0;

}