From 520f09be3c2d351722c33daf7389d6ac4716be98 Mon Sep 17 00:00:00 2001

From: Jann Horn <jannh@google.com>

Date: Fri, 13 Jul 2018 15:15:36 -0700

Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options

The old code permits the following behavior:

$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount

mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)

However, backslashes do not have any special meaning for the kernel here.

As it happens, you can't abuse this because there is no FUSE mount option

that takes a string value that can contain backslashes; but this is very

brittle. Don't interpret "escape characters" in places where they don't

work.

---

 util/fusermount.c | 5 ++++-

 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/util/fusermount.c b/util/fusermount.c

index 26a0b75bbecb..5175c0115a05 100644

--- a/util/fusermount.c

+++ b/util/fusermount.c

@@ -29,6 +29,7 @@

 #include <sys/socket.h>

 #include <sys/utsname.h>

 #include <sched.h>

+#include <stdbool.h>

 #define FUSE_COMMFD_ENV		"_FUSE_COMMFD"

@@ -739,8 +740,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,

 		unsigned len;

 		const char *fsname_str = "fsname=";

 		const char *subtype_str = "subtype=";

+		bool escape_ok = begins_with(s, fsname_str) ||

+				 begins_with(s, subtype_str);

 		for (len = 0; s[len]; len++) {

-			if (s[len] == '\\' && s[len + 1])

+			if (escape_ok && s[len] == '\\' && s[len + 1])

 				len++;

 			else if (s[len] == ',')

 				break;

-- 

2.14.3