|
|
98f44a |
From 520f09be3c2d351722c33daf7389d6ac4716be98 Mon Sep 17 00:00:00 2001
|
|
|
98f44a |
From: Jann Horn <jannh@google.com>
|
|
|
98f44a |
Date: Fri, 13 Jul 2018 15:15:36 -0700
|
|
|
98f44a |
Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
|
|
|
98f44a |
|
|
|
98f44a |
The old code permits the following behavior:
|
|
|
98f44a |
|
|
|
98f44a |
$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
|
|
|
98f44a |
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
|
|
|
98f44a |
|
|
|
98f44a |
However, backslashes do not have any special meaning for the kernel here.
|
|
|
98f44a |
|
|
|
98f44a |
As it happens, you can't abuse this because there is no FUSE mount option
|
|
|
98f44a |
that takes a string value that can contain backslashes; but this is very
|
|
|
98f44a |
brittle. Don't interpret "escape characters" in places where they don't
|
|
|
98f44a |
work.
|
|
|
98f44a |
---
|
|
|
98f44a |
util/fusermount.c | 5 ++++-
|
|
|
98f44a |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
98f44a |
|
|
|
98f44a |
diff --git a/util/fusermount.c b/util/fusermount.c
|
|
|
98f44a |
index 26a0b75bbecb..5175c0115a05 100644
|
|
|
98f44a |
--- a/util/fusermount.c
|
|
|
98f44a |
+++ b/util/fusermount.c
|
|
|
98f44a |
@@ -29,6 +29,7 @@
|
|
|
98f44a |
#include <sys/socket.h>
|
|
|
98f44a |
#include <sys/utsname.h>
|
|
|
98f44a |
#include <sched.h>
|
|
|
98f44a |
+#include <stdbool.h>
|
|
|
98f44a |
|
|
|
98f44a |
#define FUSE_COMMFD_ENV "_FUSE_COMMFD"
|
|
|
98f44a |
|
|
|
98f44a |
@@ -739,8 +740,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
|
|
|
98f44a |
unsigned len;
|
|
|
98f44a |
const char *fsname_str = "fsname=";
|
|
|
98f44a |
const char *subtype_str = "subtype=";
|
|
|
98f44a |
+ bool escape_ok = begins_with(s, fsname_str) ||
|
|
|
98f44a |
+ begins_with(s, subtype_str);
|
|
|
98f44a |
for (len = 0; s[len]; len++) {
|
|
|
98f44a |
- if (s[len] == '\\' && s[len + 1])
|
|
|
98f44a |
+ if (escape_ok && s[len] == '\\' && s[len + 1])
|
|
|
98f44a |
len++;
|
|
|
98f44a |
else if (s[len] == ',')
|
|
|
98f44a |
break;
|
|
|
98f44a |
--
|
|
|
98f44a |
2.14.3
|
|
|
98f44a |
|