From: Darrick J. Wong
Date: Fri, 5 Sep 2025 21:56:02 +0000 (-0700)
Subject: fuse2fs: fix memory corruption when parsing mount options
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fdfc5b030a01c43a0e1d02d26be20b3db45979d1;p=thirdparty%2Fe2fsprogs.git

fuse2fs: fix memory corruption when parsing mount options

struct fuse_opt has this interesting behavior -- if you set the offset
field to a non-negative value, then it will treat that value as a byte
offset into the data parameter that is passed to fuse_opt_parse.
Unfortunately, process_opt computes a pointer from ((char *)data +
offset), casts that to an int pointer(!), and dereferences the int
pointer to set the value.

Therefore, we cannot have uint8_t fields in struct fuse2fs because that
will lead to subtle memory corruption.

Cc: # v1.47.3
Fixes: c7f2688540d95e ("fuse2fs: compact all the boolean flags in struct fuse2fs")
Signed-off-by: "Darrick J. Wong"
---

diff --git a/misc/fuse2fs.c b/misc/fuse2fs.c index 0a862ea0..868b8899 100644 --- a/misc/fuse2fs.c +++ b/misc/fuse2fs.c @@ -217,17 +217,19 @@ struct fuse2fs { pthread_mutex_t bfl; char *device; char *shortdev; - uint8_t ro; - uint8_t debug; - uint8_t no_default_opts; - uint8_t panic_on_error; - uint8_t minixdf; - uint8_t fakeroot; - uint8_t alloc_all_blocks; - uint8_t norecovery; - uint8_t kernel; - uint8_t directio; - uint8_t acl; + + /* options set by fuse_opt_parse must be of type int */ + int ro; + int debug; + int no_default_opts; + int panic_on_error; + int minixdf; + int fakeroot; + int alloc_all_blocks; + int norecovery; + int kernel; + int directio; + int acl; int logfd; int blocklog;
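Review bot: the new comment above `int ro;` in struct fuse2fs states the constraint but nothing enforces it, and the commit it fixes shows how easily a later cleanup can shrink these fields again. Consider adding a compile-time size check (a static assertion that each option field has sizeof(int)) at the place where the offsets handed to fuse_opt_parse are computed, which is outside this hunk, so that a regression fails the build instead of silently overwriting the neighbouring members. The comment could also say why the type matters (the option parser stores through an int pointer at the given offset, as the commit message explains), and a blank line or closing comment after `int acl;` would show where the option-backed group ends, since `int logfd;` and `int blocklog;` follow with no separation.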