| author | 2026-05-04 20:26:49 +0900 | |
|---|---|---|
| committer | 2026-05-11 14:19:01 +0200 | |
| commit | a3bf0f28d4ba16e1f35f8c983bb04426b87e2a78 (patch) | |
| tree | cade088fa4ae00dd156fad78838efa36dcf73ce8 /tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com | |
| parent | Linux 7.1-rc3 (diff) | |
fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap

statmount_mnt_idmap() writes one mapping with seq_printf() and then
manually advances seq->count to include the NUL separator.

If seq_printf() overflows, seq_set_overflow() sets seq->count to
seq->size. The manual seq->count++ changes this to seq->size + 1.
seq_has_overflowed() then no longer detects the overflow. The corrupted
count returns to statmount_string(), which later executes:

    seq->buf[seq->count++] = '\0';

This causes a 1-byte NULL out-of-bounds write on the dynamically
allocated seq buffer.

Fix this by checking for overflow immediately after seq_printf().

Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings")
Signed-off-by: Junyoung Jang <graypanda.inzag@gmail.com>
Link: https://patch.msgid.link/20260504112649.1862936-1-graypanda.inzag@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions
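An added example, not part of the commit or the kernel source: a userspace C model of the counter behaviour the commit message describes, showing how the manual increment hides the overflow marker and how checking right after the print catches it. The struct, the function names, the buffer sizes and the mapping format and values are constructed for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the seq_file fields involved; not kernel code. */
struct seq_model { char *buf; size_t size, count; };

/* Models seq_has_overflowed(): overflow is signalled only by count == size. */
static int model_overflowed(const struct seq_model *m)
{
	return m->count == m->size;
}

/* Models seq_printf(): if the text does not fit, count is pinned to size. */
static void model_printf(struct seq_model *m, const char *fmt, ...)
{
	va_list ap;
	int len;
	if (m->count < m->size) {
		va_start(ap, fmt);
		len = vsnprintf(m->buf + m->count, m->size - m->count, fmt, ap);
		va_end(ap);
		if (len >= 0 && m->count + (size_t)len < m->size) {
			m->count += (size_t)len;
			return;
		}
	}
	m->count = m->size;	/* what seq_set_overflow() does */
}

/* Emit one constructed mapping, then count its NUL separator by hand.
 * Returns -1 if overflow is detected, else the index where the caller's
 * buf[count++] = '\0' would land. Nothing is written out of bounds here. */
static long emit_mapping(size_t size, int check_after_printf)
{
	static char backing[64];	/* size passed in must be <= 64 */
	struct seq_model m = { backing, size, 0 };
	model_printf(&m, "%u:%u:%u", 0u, 100000u, 65536u);	/* 14 chars */
	if (check_after_printf && model_overflowed(&m))
		return -1;	/* fixed ordering: bail out before count++ */
	m.count++;		/* after an overflow, count becomes size + 1 */
	return model_overflowed(&m) ? -1 : (long)m.count;
}

int main(void)
{
	printf("buggy: %ld, fixed: %ld\n", emit_mapping(8, 0), emit_mapping(8, 1));
	return 0;
}
```

With an 8-byte buffer the unchecked ordering reports a terminator index past the end of the buffer, while the checked ordering reports the overflow; when the mapping fits, both orderings agree.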
