erofs: include the trailing NUL in FS_IOC_GETFSLABEL

erofs_ioctl_get_volume_label() passes strlen(sbi->volume_name) as
the length to copy_to_user(), which copies the label string without
the trailing NUL byte.  Since FS_IOC_GETFSLABEL callers expect a
NUL-terminated string in the FSLABEL_MAX-sized buffer and may not
pre-zero the buffer, this can cause userspace to read past the label
into uninitialised stack memory.

Fix this by using strlen() + 1 to include the NUL terminator,
consistent with how ext4 and xfs implement FS_IOC_GETFSLABEL.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Fixes: 1cf12c717741 ("erofs: Add support for FS_IOC_GETFSLABEL")
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chunhai Guo <guochunhai@vivo.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
index 4b3d21402e101f86b23b327fc93e29a1103ac992..a188c570087aec22634b45f889e33c87be591e0a 100644 (file)
--- a/fs/erofs/inode.c
+++ b/fs/erofs/inode.c
@@ -351,7 +351,7 @@ static int erofs_ioctl_get_volume_label(struct inode *inode, void __user *arg)
                ret = clear_user(arg, 1);
        else
                ret = copy_to_user(arg, sbi->volume_name,
-                                  strlen(sbi->volume_name));
+                                  strlen(sbi->volume_name) + 1);
        return ret ? -EFAULT : 0;
 }