| Message ID | 1498477892-3683-1-git-send-email-khorenko@virtuozzo.com |
|---|---|
| State | New |
| Series | "Series without cover letter" |
| Headers | show |
diff --git a/fs/namespace.c b/fs/namespace.c index 7aed8f5..f2d1f84 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1899,6 +1899,7 @@ static char *strstr_separated(char *haystack, char *needle, char sep) static int ve_devmnt_check(char *options, char *allowed) { char *p; + char *tmp_options; if (!options || !*options) return 0; @@ -1906,14 +1907,22 @@ static int ve_devmnt_check(char *options, char *allowed) if (!allowed) return -EPERM; - while ((p = strsep(&options, ",")) != NULL) { + /* strsep() changes provided string: puts '\0' instead of separators */ + tmp_options = kstrdup(options, GFP_KERNEL); + if (!tmp_options) + return -ENOMEM; + + while ((p = strsep(&tmp_options, ",")) != NULL) { if (!*p) continue; - if (!strstr_separated(allowed, p, ',')) + if (!strstr_separated(allowed, p, ',')) { + kfree(tmp_options); return -EPERM; + } } + kfree(tmp_options); return 0; }
On Mon, Jun 26, 2017 at 15:51, Konstantin Khorenko wrote: > strsep() changes provided string: puts '\0' instead of separators, > thus after successful call to ve_devmnt_check() we insert > only first provided mount options, ignoring others. > > Fixes: bc4143b ("ve/fs/devmnt: process mount options") > > Found during implementation of > https://jira.sw.ru/browse/PSBM-40075 > > Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com> Reviewed-by: Kirill Tkhai <ktkhai@virtuozzo.com> > --- > fs/namespace.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/fs/namespace.c b/fs/namespace.c > index 7aed8f5..f2d1f84 100644 > --- a/fs/namespace.c > +++ b/fs/namespace.c > @@ -1899,6 +1899,7 @@ static char *strstr_separated(char *haystack, char *needle, char sep) > static int ve_devmnt_check(char *options, char *allowed) > { > char *p; > + char *tmp_options; > > if (!options || !*options) > return 0; > @@ -1906,14 +1907,22 @@ static int ve_devmnt_check(char *options, char *allowed) > if (!allowed) > return -EPERM; > > - while ((p = strsep(&options, ",")) != NULL) { > + /* strsep() changes provided string: puts '\0' instead of separators */ > + tmp_options = kstrdup(options, GFP_KERNEL); > + if (!tmp_options) > + return -ENOMEM; > + > + while ((p = strsep(&tmp_options, ",")) != NULL) { > if (!*p) > continue; > > - if (!strstr_separated(allowed, p, ',')) > + if (!strstr_separated(allowed, p, ',')) { > + kfree(tmp_options); > return -EPERM; > + } > } > > + kfree(tmp_options); > return 0; > } > > -- > 1.8.3.1 >
strsep() changes provided string: puts '\0' instead of separators, thus after successful call to ve_devmnt_check() we insert only first provided mount options, ignoring others. Fixes: bc4143b ("ve/fs/devmnt: process mount options") Found during implementation of https://jira.sw.ru/browse/PSBM-40075 Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com> --- fs/namespace.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)