| author | Zhan Xusheng <zhanxusheng1024@gmail.com> | 2026-04-01 09:13:42 +0300 |
|---|---|---|
| committer | Gao Xiang <hsiangkao@linux.alibaba.com> | 2026-04-02 11:08:49 +0300 |
| commit | d6250d49da4d8f11afc0d8991c84e0307949f92e (patch) | |
| tree | 5c727473539c8e753f0206d84d9429fb2b9ea4fb | |
| parent | 5de6951fedb29700ace53b283ccb951c8f712d12 (diff) | |
| download | linux-d6250d49da4d8f11afc0d8991c84e0307949f92e.tar.xz | |
erofs: include the trailing NUL in FS_IOC_GETFSLABEL

erofs_ioctl_get_volume_label() passes strlen(sbi->volume_name) as
the length to copy_to_user(), which copies the label string without
the trailing NUL byte. Since FS_IOC_GETFSLABEL callers expect a
NUL-terminated string in the FSLABEL_MAX-sized buffer and may not
pre-zero the buffer, this can cause userspace to read past the label
into uninitialised stack memory.

Fix this by using strlen() + 1 to include the NUL terminator,
consistent with how ext4 and xfs implement FS_IOC_GETFSLABEL.

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Fixes: 1cf12c717741 ("erofs: Add support for FS_IOC_GETFSLABEL")
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chunhai Guo <guochunhai@vivo.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
| -rw-r--r-- | fs/erofs/inode.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c index 4b3d21402e10..a188c570087a 100644 --- a/fs/erofs/inode.c +++ b/fs/erofs/inode.c @@ -351,7 +351,7 @@ static int erofs_ioctl_get_volume_label(struct inode *inode, void __user *arg) ret = clear_user(arg, 1); else ret = copy_to_user(arg, sbi->volume_name, - strlen(sbi->volume_name)); + strlen(sbi->volume_name) + 1); return ret ? -EFAULT : 0; } |
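
Review bot: the new length in the copy_to_user() call, strlen(sbi->volume_name) + 1, has no visible bound against FSLABEL_MAX, the buffer size the commit message says callers provide. If the stored label can ever be FSLABEL_MAX bytes or longer, the added terminator lands past the end of the caller's buffer. Please confirm that the code populating sbi->volume_name caps the label below FSLABEL_MAX, and consider a short comment here stating that invariant, or clamp the length explicitly, so the bound is checkable from this function alone. The clear_user(arg, 1) branch already writes a single NUL and needs no change.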
