erofs: include the trailing NUL in FS_IOC_GETFSLABEL

zhanxusheng1024-os · gregkh · commit 46194b5ba93b · 2026-05-23T13:06:23.000+02:00
[ Upstream commit d6250d4 ] erofs_ioctl_get_volume_label() passes strlen(sbi->volume_name) as the length to copy_to_user(), which copies the label string without the trailing NUL byte. Since FS_IOC_GETFSLABEL callers expect a NUL-terminated string in the FSLABEL_MAX-sized buffer and may not pre-zero the buffer, this can cause userspace to read past the label into uninitialised stack memory. Fix this by using strlen() + 1 to include the NUL terminator, consistent with how ext4 and xfs implement FS_IOC_GETFSLABEL. Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com> Fixes: 1cf12c7 ("erofs: Add support for FS_IOC_GETFSLABEL") Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Chunhai Guo <guochunhai@vivo.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
@@ -348,7 +348,7 @@ static int erofs_ioctl_get_volume_label(struct inode *inode, void __user *arg)
 		ret = clear_user(arg, 1);
 	else
 		ret = copy_to_user(arg, sbi->volume_name,
-				   strlen(sbi->volume_name));
+				   strlen(sbi->volume_name) + 1);
 	return ret ? -EFAULT : 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -348,7 +348,7 @@ static int erofs_ioctl_get_volume_label(struct inode inode, void __user arg)`
`348`	`348`	`ret = clear_user(arg, 1);`
`349`	`349`	`else`
`350`	`350`	`ret = copy_to_user(arg, sbi->volume_name,`
`351`		`- strlen(sbi->volume_name));`
	`351`	`+ strlen(sbi->volume_name) + 1);`
`352`	`352`	`return ret ? -EFAULT : 0;`
`353`	`353`	`}`
`354`	`354`