On Mon, 09. Feb 21:01, Darrick J. Wong wrote:
> On Mon, Feb 09, 2026 at 12:00:36PM -0800, Kees Cook wrote:
> > Okay, great. I figure I can do two things:
> >
> > 1) rework this patch with adjusted commit log to reflect the notes
> > raised so far, so that we reject mounts that lack a NUL-terminated
> > s_mount_opts (as silent truncation may induce an unintended option
> > string, e.g. "...,journal_path=/dev/sda2" into
> > "...,journal_path=/dev/sda"
> > or something weird like that).
> >
> > 2) Leave everything as-is, live with above corner case since it should
> > be unreachable with userspace tooling as they have always existed.
> >
> > I'm fine either way! :)
>
> I'd pick #1, unless someone knows of a userspace program that could have
> set a 64-byte s_mount_ops string with no null terminator. I didn't find
> any, but there are many implementations of ext4 out there. :/
>
> (and yes, it's better to reject an unterminated s_mount_opts than
> accidentally point the kernel at the wrong block device)
If I understand the issue correctly, it's already being rejected with the
existing check:
if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts) < 0)
return -E2BIG;
If the source string is truncated at least by one symbol (which is the
case for unterminated string), strscpy_pad() returns -E2BIG and the mount
fails.
