fuse2fs: fix memory corruption when parsing mount options

struct fuse_opt has this interesting behavior -- if you set the offset
field to a non-negative value, then it will treat that value as a byte
offset into the data parameter that is passed to fuse_opt_parse.

Unfortnately, process_opt computes a pointer from ((char *)data +
offset), casts that to an int pointer(!), and dereferences the int
pointer to set the value.  Therefore, we cannot have uint8_t fields in
struct fuse2fs because that will lead to subtle memory corruption.

Cc: <linux-ext4@vger.kernel.org> # v1.47.3
Fixes: c7f2688540d95e ("fuse2fs: compact all the boolean flags in struct fuse2fs")
Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>

diff --git a/misc/fuse2fs.c b/misc/fuse2fs.c
index 0a862ea086cbde299ac0cb39b2d23c75e4905672..868b889912857d0813d11d0baa09345074e37575 100644 (file)
--- a/misc/fuse2fs.c
+++ b/misc/fuse2fs.c
@@ -217,17 +217,19 @@ struct fuse2fs {
        pthread_mutex_t bfl;
        char *device;
        char *shortdev;
-       uint8_t ro;
-       uint8_t debug;
-       uint8_t no_default_opts;
-       uint8_t panic_on_error;
-       uint8_t minixdf;
-       uint8_t fakeroot;
-       uint8_t alloc_all_blocks;
-       uint8_t norecovery;
-       uint8_t kernel;
-       uint8_t directio;
-       uint8_t acl;
+
+       /* options set by fuse_opt_parse must be of type int */
+       int ro;
+       int debug;
+       int no_default_opts;
+       int panic_on_error;
+       int minixdf;
+       int fakeroot;
+       int alloc_all_blocks;
+       int norecovery;
+       int kernel;
+       int directio;
+       int acl;
 
        int logfd;
        int blocklog;