From patchwork Fri Jun  3 17:34:07 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Milan Broz <mbroz@redhat.com>
X-Patchwork-Id: 847942
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter2.kernel.org (8.14.4/8.14.3) with ESMTP id p53HYEsb013059
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Fri, 3 Jun 2011 17:34:14 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754719Ab1FCReL (ORCPT
	<rfc822;patchwork-linux-btrfs@patchwork.kernel.org>);
	Fri, 3 Jun 2011 13:34:11 -0400
Received: from mx1.redhat.com ([209.132.183.28]:25205 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1754672Ab1FCReK (ORCPT <rfc822;linux-btrfs@vger.kernel.org>);
	Fri, 3 Jun 2011 13:34:10 -0400
Received: from int-mx12.intmail.prod.int.phx2.redhat.com
	(int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p53HYA1W011146
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <linux-btrfs@vger.kernel.org>; Fri, 3 Jun 2011 13:34:10 -0400
Received: from tawny.mazyland.net (tawny.brq.redhat.com [10.34.26.53])
	by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id p53HY9r8020862; Fri, 3 Jun 2011 13:34:09 -0400
From: Milan Broz <mbroz@redhat.com>
To: linux-btrfs@vger.kernel.org
Cc: Milan Broz <mbroz@redhat.com>
Subject: [PATCH] btrfs: Null terminate string in scan device ioctl
Date: Fri,  3 Jun 2011 19:34:07 +0200
Message-Id: <1307122447-25062-1-git-send-email-mbroz@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.25
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-btrfs.vger.kernel.org>
X-Mailing-List: linux-btrfs@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.6 (demeter2.kernel.org [140.211.167.43]);
	Fri, 03 Jun 2011 17:34:14 +0000 (UTC)

btrfs_scan_one_device() directly uses vol->name
without additional checks so in the case of unterminated
string in ioctl it can access memory outside
of btrfs_ioctl_vol_args struct.

Always terminate name string (as the same as other users
do already).

Signed-off-by: Milan Broz <mbroz@redhat.com>
---
 fs/btrfs/super.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 9b2e7e5..2bb1a99 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1148,6 +1148,8 @@ static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
 	if (IS_ERR(vol))
 		return PTR_ERR(vol);
 
+	vol->name[BTRFS_PATH_NAME_MAX] = '\0';
+
 	switch (cmd) {
 	case BTRFS_IOC_SCAN_DEV:
 		ret = btrfs_scan_one_device(vol->name, FMODE_READ,