basebuilder_pel7x64builder0
6 years ago
2 changed files with 52 additions and 1 deletions
@ -0,0 +1,46 @@ |
|||||||
|
From 520f09be3c2d351722c33daf7389d6ac4716be98 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Jann Horn <jannh@google.com> |
||||||
|
Date: Fri, 13 Jul 2018 15:15:36 -0700 |
||||||
|
Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options |
||||||
|
|
||||||
|
The old code permits the following behavior: |
||||||
|
|
||||||
|
$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount |
||||||
|
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument) |
||||||
|
|
||||||
|
However, backslashes do not have any special meaning for the kernel here. |
||||||
|
|
||||||
|
As it happens, you can't abuse this because there is no FUSE mount option |
||||||
|
that takes a string value that can contain backslashes; but this is very |
||||||
|
brittle. Don't interpret "escape characters" in places where they don't |
||||||
|
work. |
||||||
|
--- |
||||||
|
util/fusermount.c | 5 ++++- |
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/util/fusermount.c b/util/fusermount.c |
||||||
|
index 26a0b75bbecb..5175c0115a05 100644 |
||||||
|
--- a/util/fusermount.c |
||||||
|
+++ b/util/fusermount.c |
||||||
|
@@ -29,6 +29,7 @@ |
||||||
|
#include <sys/socket.h> |
||||||
|
#include <sys/utsname.h> |
||||||
|
#include <sched.h> |
||||||
|
+#include <stdbool.h> |
||||||
|
|
||||||
|
#define FUSE_COMMFD_ENV "_FUSE_COMMFD" |
||||||
|
|
||||||
|
@@ -739,8 +740,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode, |
||||||
|
unsigned len; |
||||||
|
const char *fsname_str = "fsname="; |
||||||
|
const char *subtype_str = "subtype="; |
||||||
|
+ bool escape_ok = begins_with(s, fsname_str) || |
||||||
|
+ begins_with(s, subtype_str); |
||||||
|
for (len = 0; s[len]; len++) { |
||||||
|
- if (s[len] == '\\' && s[len + 1]) |
||||||
|
+ if (escape_ok && s[len] == '\\' && s[len + 1]) |
||||||
|
len++; |
||||||
|
else if (s[len] == ',') |
||||||
|
break; |
||||||
|
-- |
||||||
|
2.14.3 |
Loading…
Reference in new issue