From: Theodore Ts'o Date: Tue, 21 Oct 2025 17:49:05 +0000 (-0400) Subject: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() X-Git-Tag: v5.4.301~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7bf46ff83a0ef11836e38ebd72cdc5107209342d;p=thirdparty%2Fkernel%2Fstable.git ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() [ Upstream commit 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 ] Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. Cc: stable@vger.kernel.org Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock") Reviewed-by: Jan Kara Reviewed-by: Darrick J. Wong Signed-off-by: Theodore Ts'o Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0@mit.edu> Signed-off-by: Theodore Ts'o [ applied to ext4_fill_super() instead of parse_apply_sb_mount_options() ] Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- diff --git a/fs/ext4/super.c b/fs/ext4/super.c index ff681888a123..0c7aedcb39ea 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3882,18 +3882,16 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) } if (sbi->s_es->s_mount_opts[0]) { - char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts, - sizeof(sbi->s_es->s_mount_opts), - GFP_KERNEL); - if (!s_mount_opts) - goto failed_mount; + char s_mount_opts[65]; + + strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts, + sizeof(s_mount_opts)); if (!parse_options(s_mount_opts, sb, &journal_devnum, &journal_ioprio, 0)) { ext4_msg(sb, KERN_WARNING, "failed to parse options in superblock: %s", s_mount_opts); } - kfree(s_mount_opts); } sbi->s_def_mount_opt = sbi->s_mount_opt; if (!parse_options((char *) data, sb, &journal_devnum,