Mount options may be silently discarded
David Laight
David.Laight at ACULAB.COM
Mon Sep 28 14:36:21 UTC 2020
From: Dmitry Kasatkin
> Sent: 28 September 2020 15:03
>
> "copy_mount_options" function came to my eyes.
> It splits copy into 2 pieces - over page boundaries.
> I wonder what is the real reason for doing this?
> Original comment was that we need exact bytes and some user memcpy
> functions do not return correct number on page fault.
>
> But how would all other cases work?
>
> https://elixir.bootlin.com/linux/latest/source/fs/namespace.c#L3075
>
> if (size != PAGE_SIZE) {
> if (copy_from_user(copy + size, data + size, PAGE_SIZE - size))
> memset(copy + size, 0, PAGE_SIZE - size);
> }
>
> This looks like some options may be just discarded?
> What if it is an important security option?
>
> Why it does not return EFAULT, but just memset?
The user doesn't supply the transfer length, the max size
is a page.
Since the copy can only start to fail on a page boundary
reading in two pieces is exactly the same as knowing the
address at which the transfer started to fail.
Since the actual mount options can be much smaller than
a page (and usually are) zero-filling is best.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
More information about the Linux-security-module-archive
mailing list