Mount options may be silently discarded
Dmitry Kasatkin
dmitry.kasatkin at gmail.com
Mon Sep 28 14:02:50 UTC 2020
Hi,
"copy_mount_options" function came to my eyes.
It splits copy into 2 pieces - over page boundaries.
I wonder what is the real reason for doing this?
Original comment was that we need exact bytes and some user memcpy
functions do not return correct number on page fault.
But how would all other cases work?
https://elixir.bootlin.com/linux/latest/source/fs/namespace.c#L3075
if (size != PAGE_SIZE) {
if (copy_from_user(copy + size, data + size, PAGE_SIZE - size))
memset(copy + size, 0, PAGE_SIZE - size);
}
This looks like some options may be just discarded?
What if it is an important security option?
Why it does not return EFAULT, but just memset?
--
Thanks,
Dmitry
More information about the Linux-security-module-archive
mailing list